def bob_deposit( zeth_client: MixerClient, mk_tree: MerkleTree, bob_eth_address: str, keystore: mock.KeyStore, tx_value: Optional[EtherValue] = None) -> contracts.MixResult: print( f"=== Bob deposits {BOB_DEPOSIT_ETH} ETH for himself and splits into " + f"note1: {BOB_SPLIT_1_ETH}ETH, note2: {BOB_SPLIT_2_ETH}ETH ===") bob_js_keypair = keystore["Bob"] bob_addr = keystore["Bob"].addr_pk outputs = [ (bob_addr, EtherValue(BOB_SPLIT_1_ETH)), (bob_addr, EtherValue(BOB_SPLIT_2_ETH)), ] tx_hash = zeth_client.deposit( mk_tree, bob_js_keypair, bob_eth_address, None, EtherValue(BOB_DEPOSIT_ETH), outputs, tx_value) return wait_for_tx_update_mk_tree(zeth_client, mk_tree, tx_hash)
def bob_to_charlie( zeth_client: MixerClient, mk_tree: MerkleTree, input1: Tuple[int, ZethNote], bob_eth_address: str, keystore: mock.KeyStore) -> contracts.MixResult: print( f"=== Bob transfers {BOB_TO_CHARLIE_ETH}ETH to Charlie from his funds " + "on the mixer ===") bob_ask = keystore["Bob"].addr_sk.a_sk charlie_addr = keystore["Charlie"].addr_pk bob_addr = keystore["Bob"].addr_pk # Coin for Bob (change) output0 = (bob_addr, EtherValue(BOB_TO_CHARLIE_ETH)) # Coin for Charlie output1 = (charlie_addr, EtherValue(BOB_TO_CHARLIE_CHANGE_ETH)) # Send the tx tx_hash = zeth_client.joinsplit( mk_tree, OwnershipKeyPair(bob_ask, bob_addr.a_pk), bob_eth_address, None, [input1], [output0, output1], EtherValue(0), EtherValue(0), EtherValue(1, 'wei')) return wait_for_tx_update_mk_tree(zeth_client, mk_tree, tx_hash)
def deploy( ctx: Context, eth_addr: Optional[str], eth_private_key: Optional[str], instance_out: str, token_address: str, deploy_gas: Optional[int]) -> None: """ Deploy the zeth contracts and record the instantiation details. """ eth_address = load_eth_address(eth_addr) eth_private_key_data = load_eth_private_key(eth_private_key) client_ctx = ctx.obj web3 = open_web3_from_ctx(client_ctx) print(f"deploy: eth_address={eth_address}") print(f"deploy: instance_out={instance_out}") print(f"deploy: token_address={token_address}") token_instance_desc = get_erc20_instance_description(token_address) \ if token_address else None prover_client = create_prover_client(client_ctx) _zeth_client, mixer_instance_desc = MixerClient.deploy( web3, prover_client, eth_address, eth_private_key_data, token_address, deploy_gas) mixer_desc = MixerDescription(mixer_instance_desc, token_instance_desc) write_mixer_description(instance_out, mixer_desc)
def charlie_withdraw( zeth_client: MixerClient, mk_tree: MerkleTree, input1: Tuple[int, ZethNote], charlie_eth_address: str, keystore: mock.KeyStore) -> contracts.MixResult: print( f" === Charlie withdraws {CHARLIE_WITHDRAW_ETH}ETH from his funds " + "on the Mixer ===") charlie_pk = keystore["Charlie"].addr_pk charlie_apk = charlie_pk.a_pk charlie_ask = keystore["Charlie"].addr_sk.a_sk charlie_ownership_key = \ OwnershipKeyPair(charlie_ask, charlie_apk) tx_hash = zeth_client.joinsplit( mk_tree, charlie_ownership_key, charlie_eth_address, None, [input1], [(charlie_pk, EtherValue(CHARLIE_WITHDRAW_CHANGE_ETH))], EtherValue(0), EtherValue(CHARLIE_WITHDRAW_ETH), EtherValue(1, 'wei')) return wait_for_tx_update_mk_tree(zeth_client, mk_tree, tx_hash)
def get_mix_parameters_components( zeth_client: MixerClient, prover_client: ProverClient, mk_tree: MerkleTree, sender_ownership_keypair: OwnershipKeyPair, inputs: List[Tuple[int, ZethNote]], outputs: List[Tuple[ZethAddressPub, EtherValue]], v_in: EtherValue, v_out: EtherValue, compute_h_sig_cb: Optional[ComputeHSigCB] = None ) -> Tuple[ZethNote, ZethNote, ExtendedProof, List[int], JoinsplitSigKeyPair]: """ Manually create the components required for MixParameters. The tests below manipulate these to create custom MixParameters as part of attacks. """ mix_call_desc = MixCallDescription( mk_tree, sender_ownership_keypair, inputs, outputs, v_in, v_out, compute_h_sig_cb) prover_inputs, signing_keypair = zeth_client.create_prover_inputs( mix_call_desc) ext_proof, public_data = prover_client.get_proof(prover_inputs) return ( prover_inputs.js_outputs[0], prover_inputs.js_outputs[1], ext_proof, public_data, signing_keypair)
def create_mixer_client(ctx: ClientConfig) -> MixerClient: """ Create a MixerClient for an existing deployment. """ web3 = open_web3_from_ctx(ctx) mixer_desc = load_mixer_description_from_ctx(ctx) mixer_instance = mixer_desc.mixer.instantiate(web3) return MixerClient.open(web3, ctx.prover_server_endpoint, mixer_instance)
def create_zeth_client_and_mixer_desc( ctx: ClientConfig) -> Tuple[MixerClient, MixerDescription]: """ Create a MixerClient and MixerDescription object, for an existing deployment. """ web3 = open_web3_from_ctx(ctx) mixer_desc = load_mixer_description_from_ctx(ctx) mixer_instance = mixer_desc.mixer.instantiate(web3) zeth_client = MixerClient.open( web3, ctx.prover_server_endpoint, mixer_instance) return (zeth_client, mixer_desc)
def create_mixer_client_and_mixer_desc( ctx: ClientConfig, prover_client: Optional[ProverClient] = None ) -> Tuple[MixerClient, MixerDescription]: """ Create a MixerClient and MixerDescription object, for an existing deployment. """ web3 = open_web3_from_ctx(ctx) mixer_desc = load_mixer_description_from_ctx(ctx) mixer_instance = mixer_desc.mixer.instantiate(web3) if prover_client is None: prover_client = create_prover_client(ctx) prover_config = prover_client.get_configuration() mixer_client = MixerClient(web3, prover_config, mixer_instance) return (mixer_client, mixer_desc)
def deploy(ctx: Context, eth_addr: Optional[str], eth_private_key: Optional[str], instance_out: str, token_address: Optional[str], permitted_dispatcher: Optional[str], vk_hash: Optional[str], deploy_gas: Optional[int]) -> None: """ Deploy the zeth contracts and record the instantiation details. """ eth_address = load_eth_address(eth_addr) eth_private_key_data = load_eth_private_key(eth_private_key) client_ctx = ctx.obj web3 = open_web3_from_ctx(client_ctx) if bool(permitted_dispatcher) != bool(vk_hash): raise ClickException( "Must supply BOTH --permitted-dispatch AND --vk-hash, or NEITHER") print(f"deploy: eth_address={eth_address}") print(f"deploy: instance_out={instance_out}") print(f"deploy: token_address={token_address}") if permitted_dispatcher: permitted_dispatcher = load_contract_address(permitted_dispatcher) print(f"deploy: permitted_dispatcher={permitted_dispatcher}") print(f"deploy: vk_hash={vk_hash}") token_instance_desc = get_erc20_instance_description(token_address) \ if token_address else None prover_client = create_prover_client(client_ctx) _zeth_client, mixer_instance_desc = MixerClient.deploy( web3, prover_client, eth_address, eth_private_key_data, token_address, permitted_dispatcher=permitted_dispatcher, vk_hash=vk_hash, deploy_gas=deploy_gas) mixer_desc = MixerDescription(mixer=mixer_instance_desc, token=token_instance_desc, permitted_dispatcher=permitted_dispatcher, vk_hash=vk_hash) write_mixer_description(instance_out, mixer_desc)
def main() -> None: print("-------------------- Evaluating BaseMixer.sol --------------------") web3, eth = mock.open_test_web3() # Ethereum addresses deployer_eth_address = eth.accounts[0] zeth_client, _ = MixerClient.deploy(web3, mock.TEST_PROVER_SERVER_ENDPOINT, deployer_eth_address, None) mixer_instance = zeth_client.mixer_instance # We can now call the instance and test its functions. print("[INFO] 4. Running tests") result = 0 result += test_assemble_nullifiers(mixer_instance) result += test_assemble_vpub(mixer_instance) result += test_assemble_hsig(mixer_instance) # We do not re-assemble of h_is in the contract if result == 0: print("base_mixer tests PASS\n")
def charlie_corrupt_bob_deposit( zeth_client: MixerClient, mk_tree: MerkleTree, bob_eth_address: str, charlie_eth_address: str, keystore: mock.KeyStore) -> contracts.MixResult: """ Charlie tries to break transaction malleability and corrupt the coins bob is sending in a transaction She does so by intercepting bob's transaction and either: - case 1: replacing the ciphertexts (or sender_eph_pk) by garbage/arbitrary data - case 2: replacing the ciphertexts by garbage/arbitrary data and using a new OT-signature - case 3: Charlie replays the mix call of Bob, to try to receive the vout Both attacks should fail, - case 1: the signature check should fail, else Charlie broke UF-CMA of the OT signature - case 2: the h_sig/vk verification should fail, as h_sig is not a function of vk any longer - case 3: the signature check should fail, because `msg.sender` will no match the value used in the mix parameters (Bob's Ethereum Address). NB. If the adversary were to corrupt the ciphertexts (or the encryption key), replace the OT-signature by a new one and modify the h_sig accordingly so that the check on the signature verification (key h_sig/vk) passes, the proof would not verify, which is why we do not test this case. """ print( f"=== Bob deposits {BOB_DEPOSIT_ETH} ETH for himself and split into " + f"note1: {BOB_SPLIT_1_ETH}ETH, note2: {BOB_SPLIT_2_ETH}ETH " + "but Charlie attempts to corrupt the transaction ===") bob_apk = keystore["Bob"].addr_pk.a_pk bob_ask = keystore["Bob"].addr_sk.a_sk tree_depth = mk_tree.depth mk_root = mk_tree.get_root() # mk_tree_depth = zeth_client.mk_tree_depth # mk_root = zeth_client.merkle_root # Create the JoinSplit dummy inputs for the deposit input1 = get_dummy_input_and_address(bob_apk) input2 = get_dummy_input_and_address(bob_apk) dummy_mk_path = mock.get_dummy_merkle_path(tree_depth) note1_value = to_zeth_units(EtherValue(BOB_SPLIT_1_ETH)) note2_value = to_zeth_units(EtherValue(BOB_SPLIT_2_ETH)) v_in = to_zeth_units(EtherValue(BOB_DEPOSIT_ETH)) (output_note1, output_note2, proof_json, joinsplit_keypair) = \ zeth_client.get_proof_joinsplit_2_by_2( mk_root, input1, dummy_mk_path, input2, dummy_mk_path, bob_ask, # sender (bob_apk, note1_value), # recipient1 (bob_apk, note2_value), # recipient2 v_in, # v_in to_zeth_units(EtherValue(0)) # v_out ) # Encrypt the coins to bob pk_bob = keystore["Bob"].addr_pk.k_pk ciphertexts = encrypt_notes([ (output_note1, pk_bob), (output_note2, pk_bob)]) # ### ATTACK BLOCK # Charlie intercepts Bob's deposit, corrupts it and # sends her transaction before Bob's transaction is accepted # Case 1: replacing the ciphertexts by garbage/arbitrary data # Corrupt the ciphertexts # (another way would have been to overwrite sender_eph_pk) fake_ciphertext0 = urandom(32) fake_ciphertext1 = urandom(32) result_corrupt1 = None try: joinsplit_sig_charlie = joinsplit_sign( joinsplit_keypair, charlie_eth_address, ciphertexts, proof_json) mix_params = contracts.MixParameters( proof_json, joinsplit_keypair.vk, joinsplit_sig_charlie, [fake_ciphertext0, fake_ciphertext1]) tx_hash = zeth_client.mix( mix_params, charlie_eth_address, None, EtherValue(BOB_DEPOSIT_ETH)) result_corrupt1 = \ wait_for_tx_update_mk_tree(zeth_client, mk_tree, tx_hash) except Exception as e: print( "Charlie's first corruption attempt" + f" successfully rejected! (msg: {e})" ) assert(result_corrupt1 is None), \ "Charlie managed to corrupt Bob's deposit the first time!" print("") # Case 2: replacing the ciphertexts by garbage/arbitrary data and # using a new OT-signature # Corrupt the ciphertexts fake_ciphertext0 = urandom(32) fake_ciphertext1 = urandom(32) new_joinsplit_keypair = signing.gen_signing_keypair() # Sign the primary inputs, sender_eph_pk and the ciphertexts result_corrupt2 = None try: joinsplit_sig_charlie = joinsplit_sign( new_joinsplit_keypair, charlie_eth_address, [fake_ciphertext0, fake_ciphertext1], proof_json) mix_params = contracts.MixParameters( proof_json, new_joinsplit_keypair.vk, joinsplit_sig_charlie, [fake_ciphertext0, fake_ciphertext1]) tx_hash = zeth_client.mix( mix_params, charlie_eth_address, None, EtherValue(BOB_DEPOSIT_ETH)) result_corrupt2 = \ wait_for_tx_update_mk_tree(zeth_client, mk_tree, tx_hash) except Exception as e: print( "Charlie's second corruption attempt" + f" successfully rejected! (msg: {e})" ) assert(result_corrupt2 is None), \ "Charlie managed to corrupt Bob's deposit the second time!" # Case3: Charlie uses the correct mix data, but attempts to send the mix # call from his own address (thereby receiving the output). result_corrupt3 = None try: joinsplit_sig_bob = joinsplit_sign( joinsplit_keypair, bob_eth_address, ciphertexts, proof_json) mix_params = contracts.MixParameters( proof_json, joinsplit_keypair.vk, joinsplit_sig_bob, ciphertexts) tx_hash = zeth_client.mix( mix_params, charlie_eth_address, None, EtherValue(BOB_DEPOSIT_ETH), 4000000) result_corrupt3 = \ wait_for_tx_update_mk_tree(zeth_client, mk_tree, tx_hash) except Exception as e: print( "Charlie's third corruption attempt" + f" successfully rejected! (msg: {e})" ) assert(result_corrupt3 is None), \ "Charlie managed to corrupt Bob's deposit the third time!" # ### ATTACK BLOCK # Bob transaction is finally mined joinsplit_sig_bob = joinsplit_sign( joinsplit_keypair, bob_eth_address, ciphertexts, proof_json) mix_params = contracts.MixParameters( proof_json, joinsplit_keypair.vk, joinsplit_sig_bob, ciphertexts) tx_hash = zeth_client.mix( mix_params, bob_eth_address, None, EtherValue(BOB_DEPOSIT_ETH)) return wait_for_tx_update_mk_tree(zeth_client, mk_tree, tx_hash)
def charlie_double_withdraw( zeth_client: MixerClient, mk_tree: MerkleTree, input1: Tuple[int, ZethNote], charlie_eth_address: str, keystore: mock.KeyStore) -> contracts.MixResult: """ Charlie tries to carry out a double spending by modifying the value of the nullifier of the previous payment """ print( f" === Charlie attempts to withdraw {CHARLIE_WITHDRAW_ETH}ETH once " + "more (double spend) one of his note on the Mixer ===") charlie_apk = keystore["Charlie"].addr_pk.a_pk charlie_ask = keystore["Charlie"].addr_sk.a_sk tree_depth = mk_tree.depth mk_path1 = compute_merkle_path(input1[0], mk_tree) mk_root = mk_tree.get_root() # Create the an additional dummy input for the MixerClient input2 = get_dummy_input_and_address(charlie_apk) dummy_mk_path = mock.get_dummy_merkle_path(tree_depth) note1_value = to_zeth_units(EtherValue(CHARLIE_WITHDRAW_CHANGE_ETH)) v_out = EtherValue(CHARLIE_WITHDRAW_ETH) # ### ATTACK BLOCK # Add malicious nullifiers: we reuse old nullifiers to double spend by # adding $r$ to them so that they have the same value as before in Z_r, # and so the zksnark verification passes, but have different values in # {0;1}^256 so that they appear different to the contract. # See: https://github.com/clearmatics/zeth/issues/38 attack_primary_input3: int = 0 attack_primary_input4: int = 0 def compute_h_sig_attack_nf( nf0: bytes, nf1: bytes, sign_vk: JoinsplitSigVerificationKey) -> bytes: # We disassemble the nfs to get the formatting of the primary inputs input_nullifier0 = nf0.hex() input_nullifier1 = nf1.hex() nf0_rev = "{0:0256b}".format(int(input_nullifier0, 16)) primary_input3_bits = nf0_rev[:FIELD_CAPACITY] primary_input3_res_bits = nf0_rev[FIELD_CAPACITY:] nf1_rev = "{0:0256b}".format(int(input_nullifier1, 16)) primary_input4_bits = nf1_rev[:FIELD_CAPACITY] primary_input4_res_bits = nf1_rev[FIELD_CAPACITY:] # We perform the attack, recoding the modified public input values nonlocal attack_primary_input3 nonlocal attack_primary_input4 attack_primary_input3 = int(primary_input3_bits, 2) + ZETH_PRIME attack_primary_input4 = int(primary_input4_bits, 2) + ZETH_PRIME # We reassemble the nfs attack_primary_input3_bits = "{0:0256b}".format(attack_primary_input3) attack_nf0_bits = attack_primary_input3_bits[ len(attack_primary_input3_bits) - FIELD_CAPACITY:] +\ primary_input3_res_bits attack_nf0 = "{0:064x}".format(int(attack_nf0_bits, 2)) attack_primary_input4_bits = "{0:0256b}".format(attack_primary_input4) attack_nf1_bits = attack_primary_input4_bits[ len(attack_primary_input4_bits) - FIELD_CAPACITY:] +\ primary_input4_res_bits attack_nf1 = "{0:064x}".format(int(attack_nf1_bits, 2)) return compute_h_sig( bytes.fromhex(attack_nf0), bytes.fromhex(attack_nf1), sign_vk) (output_note1, output_note2, proof_json, signing_keypair) = \ zeth_client.get_proof_joinsplit_2_by_2( mk_root, input1, mk_path1, input2, dummy_mk_path, charlie_ask, # sender (charlie_apk, note1_value), # recipient1 (charlie_apk, 0), # recipient2 to_zeth_units(EtherValue(0)), # v_in to_zeth_units(v_out), # v_out compute_h_sig_attack_nf) # Update the primary inputs to the modified nullifiers, since libsnark # overwrites them with values in Z_p assert attack_primary_input3 != 0 assert attack_primary_input4 != 0 print("proof_json => ", proof_json) print("proof_json[inputs][3] => ", proof_json["inputs"][3]) print("proof_json[inputs][4] => ", proof_json["inputs"][4]) proof_json["inputs"][3] = hex(attack_primary_input3) proof_json["inputs"][4] = hex(attack_primary_input4) # ### ATTACK BLOCK # construct pk object from bytes pk_charlie = keystore["Charlie"].addr_pk.k_pk # encrypt the coins ciphertexts = encrypt_notes([ (output_note1, pk_charlie), (output_note2, pk_charlie)]) # Compute the joinSplit signature joinsplit_sig_charlie = joinsplit_sign( signing_keypair, charlie_eth_address, ciphertexts, proof_json) mix_params = contracts.MixParameters( proof_json, signing_keypair.vk, joinsplit_sig_charlie, ciphertexts) tx_hash = zeth_client.mix( mix_params, charlie_eth_address, # Pay an arbitrary amount (1 wei here) that will be refunded since the # `mix` function is payable None, EtherValue(1, 'wei')) return wait_for_tx_update_mk_tree(zeth_client, mk_tree, tx_hash)
def main() -> None: zksnark_name = zeth.core.utils.parse_zksnark_arg() zksnark = zeth.core.zksnark.get_zksnark_provider(zksnark_name) web3, eth = mock.open_test_web3() # Zeth addresses keystore = mock.init_test_keystore() # Ethereum addresses deployer_eth_address = eth.accounts[0] bob_eth_address = eth.accounts[1] alice_eth_address = eth.accounts[2] charlie_eth_address = eth.accounts[3] # ProverClient prover_client = ProverClient(mock.TEST_PROVER_SERVER_ENDPOINT) prover_config = prover_client.get_configuration() pp = prover_config.pairing_parameters assert prover_client.get_configuration().zksnark_name == zksnark_name # Deploy Zeth contracts tree_depth = zeth.core.constants.ZETH_MERKLE_TREE_DEPTH zeth_client, _contract_desc = MixerClient.deploy( web3, prover_client, deployer_eth_address, None, None, None) # Set up Merkle tree and Wallets. Note that each wallet holds an internal # Merkle Tree, unused in this test. Instead, we keep an in-memory version # shared by all virtual users. This avoids having to pass all mix results # to all wallets, and allows some of the methods in the scenario module, # which must update the tree directly. tree_hash = get_tree_hash_for_pairing(pp.name) mk_tree = zeth.core.merkle_tree.MerkleTree.empty_with_depth( tree_depth, tree_hash) mixer_instance = zeth_client.mixer_instance # Keys and wallets def _mk_wallet(name: str, sk: ZethAddressPriv) -> Wallet: wallet_dir = join(mock.TEST_NOTE_DIR, name + "-eth") if exists(wallet_dir): # Note: symlink-attack resistance # https://docs.python.org/3/library/shutil.html#shutil.rmtree.avoids_symlink_attacks shutil.rmtree(wallet_dir) return Wallet(mixer_instance, name, wallet_dir, sk, tree_hash) sk_alice = keystore['Alice'].addr_sk sk_bob = keystore['Bob'].addr_sk sk_charlie = keystore['Charlie'].addr_sk alice_wallet = _mk_wallet('alice', sk_alice) bob_wallet = _mk_wallet('bob', sk_bob) charlie_wallet = _mk_wallet('charlie', sk_charlie) block_num = 1 # Universal update function def _receive_notes( out_ev: List[MixOutputEvents]) \ -> Dict[str, List[ZethNoteDescription]]: nonlocal block_num notes = { 'alice': alice_wallet.receive_notes(out_ev, pp), 'bob': bob_wallet.receive_notes(out_ev, pp), 'charlie': charlie_wallet.receive_notes(out_ev, pp), } alice_wallet.update_and_save_state(block_num) bob_wallet.update_and_save_state(block_num) charlie_wallet.update_and_save_state(block_num) block_num = block_num + 1 return notes print("[INFO] 4. Running tests (asset mixed: Ether)...") print("- Initial balances: ") print_balances( web3, bob_eth_address, alice_eth_address, charlie_eth_address, zeth_client.mixer_instance.address) # Bob deposits ETH, split in 2 notes on the mixer result_deposit_bob_to_bob = scenario.bob_deposit( zeth_client, prover_client, mk_tree, bob_eth_address, keystore) print("- Balances after Bob's deposit: ") print_balances( web3, bob_eth_address, alice_eth_address, charlie_eth_address, zeth_client.mixer_instance.address ) # Alice sees a deposit and tries to decrypt the ciphertexts to see if she # was the recipient but she wasn't the recipient (Bob was), so she fails to # decrypt recovered_notes = _receive_notes(result_deposit_bob_to_bob.output_events) assert(len(recovered_notes['alice']) == 0), \ "Alice decrypted a ciphertext that was not encrypted with her key!" # Bob does a transfer to Charlie on the mixer # Bob decrypts one of the note he previously received (useless here but # useful if the payment came from someone else) assert(len(recovered_notes['bob']) == 2), \ f"Bob recovered {len(recovered_notes['bob'])} notes, expected 2" # Execution of the transfer result_transfer_bob_to_charlie = scenario.bob_to_charlie( zeth_client, prover_client, mk_tree, recovered_notes['bob'][0].as_input(), bob_eth_address, keystore) # Bob tries to spend `input_note_bob_to_charlie` twice result_double_spending = None try: result_double_spending = scenario.bob_to_charlie( zeth_client, prover_client, mk_tree, recovered_notes['bob'][0].as_input(), bob_eth_address, keystore) except Exception as e: print(f"Bob's double spending successfully rejected! (msg: {e})") assert(result_double_spending is None), \ "Bob managed to spend the same note twice!" print("- Balances after Bob's transfer to Charlie: ") print_balances( web3, bob_eth_address, alice_eth_address, charlie_eth_address, zeth_client.mixer_instance.address ) # Charlie recovers his notes and attempts to withdraw them. recovered_notes = _receive_notes( result_transfer_bob_to_charlie.output_events) notes_charlie = recovered_notes['charlie'] assert(len(notes_charlie) == 1), \ f"Charlie decrypted {len(notes_charlie)}. Expected 1!" input_charlie_withdraw = notes_charlie[0] charlie_balance_before_withdrawal = eth.getBalance(charlie_eth_address) _ = scenario.charlie_withdraw( zeth_client, prover_client, mk_tree, input_charlie_withdraw.as_input(), charlie_eth_address, keystore) charlie_balance_after_withdrawal = eth.getBalance(charlie_eth_address) print("Balances after Charlie's withdrawal: ") print_balances( web3, bob_eth_address, alice_eth_address, charlie_eth_address, zeth_client.mixer_instance.address) if charlie_balance_after_withdrawal <= charlie_balance_before_withdrawal: raise Exception("Charlie's balance did not increase after withdrawal") # Charlie tries to double-spend by withdrawing twice the same note result_double_spending = None try: # New commitments are added in the tree at each withdraw so we # recompiute the path to have the updated nodes result_double_spending = scenario.charlie_double_withdraw( zeth_client, prover_client, zksnark, mk_tree, input_charlie_withdraw.as_input(), charlie_eth_address, keystore) except Exception as e: print(f"Charlie's double spending successfully rejected! (msg: {e})") print("Balances after Charlie's double withdrawal attempt: ") assert(result_double_spending is None), \ "Charlie managed to withdraw the same note twice!" print_balances( web3, bob_eth_address, alice_eth_address, charlie_eth_address, zeth_client.mixer_instance.address) # Bob deposits once again ETH, split in 2 notes on the mixer # But Charlie attempts to corrupt the transaction (malleability attack) result_deposit_bob_to_bob = scenario.charlie_corrupt_bob_deposit( zeth_client, prover_client, zksnark, mk_tree, bob_eth_address, charlie_eth_address, keystore) # Bob decrypts one of the note he previously received (should fail if # Charlie's attack succeeded) recovered_notes = _receive_notes( result_deposit_bob_to_bob.output_events) assert(len(recovered_notes['bob']) == 2), \ f"Bob recovered {len(recovered_notes['bob'])} notes, expected 2" print("- Balances after Bob's last deposit: ") print_balances( web3, bob_eth_address, alice_eth_address, charlie_eth_address, zeth_client.mixer_instance.address) print( "========================================\n" + " TESTS PASSED\n" + "========================================\n")
def charlie_double_withdraw( zeth_client: MixerClient, prover_client: ProverClient, zksnark: IZKSnarkProvider, mk_tree: MerkleTree, input1: Tuple[int, ZethNote], charlie_eth_address: str, keystore: mock.KeyStore) -> MixResult: """ Charlie tries to carry out a double spending by modifying the value of the nullifier of the previous payment """ pp = zeth_client.prover_config.pairing_parameters scalar_field_mod = pp.scalar_field_mod() scalar_field_capacity = pp.scalar_field_capacity print( f" === Charlie attempts to withdraw {CHARLIE_WITHDRAW_ETH}ETH once " + "more (double spend) one of his note on the Mixer ===") charlie_addr = keystore["Charlie"] charlie_apk = charlie_addr.addr_pk.a_pk # Create the an additional dummy input for the MixerClient input2 = get_dummy_input_and_address(charlie_apk) note1_value = EtherValue(CHARLIE_WITHDRAW_CHANGE_ETH) v_out = EtherValue(CHARLIE_WITHDRAW_ETH) # ### ATTACK BLOCK # Add malicious nullifiers: we reuse old nullifiers to double spend by # adding $r$ to them so that they have the same value as before in Z_r, # and so the zksnark verification passes, but have different values in # {0;1}^256 so that they appear different to the contract. # See: https://github.com/clearmatics/zeth/issues/38 attack_primary_input3: int = 0 attack_primary_input4: int = 0 def compute_h_sig_attack_nf( nfs: List[bytes], sign_vk: JoinsplitSigVerificationKey) -> bytes: # We disassemble the nfs to get the formatting of the primary inputs assert len(nfs) == 2 nf0 = nfs[0] nf1 = nfs[1] input_nullifier0 = nf0.hex() input_nullifier1 = nf1.hex() nf0_rev = "{0:0256b}".format(int(input_nullifier0, 16)) primary_input3_bits = nf0_rev[:scalar_field_capacity] primary_input3_res_bits = nf0_rev[scalar_field_capacity:] nf1_rev = "{0:0256b}".format(int(input_nullifier1, 16)) primary_input4_bits = nf1_rev[:scalar_field_capacity] primary_input4_res_bits = nf1_rev[scalar_field_capacity:] # We perform the attack, recoding the modified public input values nonlocal attack_primary_input3 nonlocal attack_primary_input4 attack_primary_input3 = int(primary_input3_bits, 2) + scalar_field_mod attack_primary_input4 = int(primary_input4_bits, 2) + scalar_field_mod # We reassemble the nfs attack_primary_input3_bits = "{0:0256b}".format(attack_primary_input3) attack_nf0_bits = attack_primary_input3_bits[ len(attack_primary_input3_bits) - scalar_field_capacity:] +\ primary_input3_res_bits attack_nf0 = "{0:064x}".format(int(attack_nf0_bits, 2)) attack_primary_input4_bits = "{0:0256b}".format(attack_primary_input4) attack_nf1_bits = attack_primary_input4_bits[ len(attack_primary_input4_bits) - scalar_field_capacity:] +\ primary_input4_res_bits attack_nf1 = "{0:064x}".format(int(attack_nf1_bits, 2)) return compute_h_sig( [bytes.fromhex(attack_nf0), bytes.fromhex(attack_nf1)], sign_vk) output_note1, output_note2, proof, public_data, signing_keypair = \ get_mix_parameters_components( zeth_client, prover_client, mk_tree, keystore["Charlie"].ownership_keypair(), # sender [input1, input2], [(charlie_addr.addr_pk, note1_value), (charlie_addr.addr_pk, EtherValue(0))], EtherValue(0), v_out, compute_h_sig_attack_nf) # Update the primary inputs to the modified nullifiers, since libsnark # overwrites them with values in Z_p assert attack_primary_input3 != 0 assert attack_primary_input4 != 0 print("proof = ", proof) print("public_data[3] = ", public_data[3]) print("public_data[4] = ", public_data[4]) public_data[3] = attack_primary_input3 public_data[4] = attack_primary_input4 # ### ATTACK BLOCK # construct pk object from bytes pk_charlie = keystore["Charlie"].addr_pk.k_pk # encrypt the coins ciphertexts = encrypt_notes([ (output_note1, pk_charlie), (output_note2, pk_charlie)]) # Compute the joinSplit signature joinsplit_sig_charlie = joinsplit_sign( zksnark, pp, signing_keypair, charlie_eth_address, ciphertexts, proof, public_data) mix_params = MixParameters( proof, public_data, signing_keypair.vk, joinsplit_sig_charlie, ciphertexts) tx_hash = zeth_client.mix( mix_params, charlie_eth_address, # Pay an arbitrary amount (1 wei here) that will be refunded since the # `mix` function is payable None, EtherValue(1, 'wei')) return wait_for_tx_update_mk_tree(zeth_client, mk_tree, tx_hash)
def main() -> None: zksnark_name = zeth.core.utils.parse_zksnark_arg() zksnark = zeth.core.zksnark.get_zksnark_provider(zksnark_name) web3, eth = mock.open_test_web3() # Ethereum addresses deployer_eth_address = eth.accounts[0] bob_eth_address = eth.accounts[1] alice_eth_address = eth.accounts[2] charlie_eth_address = eth.accounts[3] # Zeth addresses keystore = mock.init_test_keystore() # Deploy the token contract token_instance = deploy_token(web3, deployer_eth_address, None, 4000000) # ProverClient prover_client = ProverClient(mock.TEST_PROVER_SERVER_ENDPOINT) prover_config = prover_client.get_configuration() pp = prover_config.pairing_parameters assert prover_client.get_configuration().zksnark_name == zksnark_name # Deploy Zeth contracts tree_depth = constants.ZETH_MERKLE_TREE_DEPTH zeth_client, _contract_desc = MixerClient.deploy(web3, prover_client, deployer_eth_address, None, token_instance.address, None) tree_hash = get_tree_hash_for_pairing(pp.name) mk_tree = zeth.core.merkle_tree.MerkleTree.empty_with_depth( tree_depth, tree_hash) mixer_instance = zeth_client.mixer_instance # Keys and wallets def _mk_wallet(name: str, sk: ZethAddressPriv) -> Wallet: wallet_dir = join(mock.TEST_NOTE_DIR, name + "-erc") if exists(wallet_dir): # Note: symlink-attack resistance # https://docs.python.org/3/library/shutil.html#shutil.rmtree.avoids_symlink_attacks shutil.rmtree(wallet_dir) return Wallet(mixer_instance, name, wallet_dir, sk, tree_hash) sk_alice = keystore["Alice"].addr_sk sk_bob = keystore["Bob"].addr_sk sk_charlie = keystore["Charlie"].addr_sk alice_wallet = _mk_wallet('alice', sk_alice) bob_wallet = _mk_wallet('bob', sk_bob) charlie_wallet = _mk_wallet('charlie', sk_charlie) block_num = 1 # Universal update function def _receive_notes( out_ev: List[MixOutputEvents]) \ -> Dict[str, List[ZethNoteDescription]]: nonlocal block_num notes = { 'alice': alice_wallet.receive_notes(out_ev, pp), 'bob': bob_wallet.receive_notes(out_ev, pp), 'charlie': charlie_wallet.receive_notes(out_ev, pp), } alice_wallet.update_and_save_state(block_num) bob_wallet.update_and_save_state(block_num) charlie_wallet.update_and_save_state(block_num) block_num = block_num + 1 return notes print("[INFO] 4. Running tests (asset mixed: ERC20 token)...") # We assign ETHToken to Bob mint_token(web3, token_instance, bob_eth_address, deployer_eth_address, None, EtherValue(2 * scenario.BOB_DEPOSIT_ETH, 'ether')) print("- Initial balances: ") print_token_balances(token_instance, bob_eth_address, alice_eth_address, charlie_eth_address, zeth_client.mixer_instance.address) # Bob tries to deposit ETHToken, split in 2 notes on the mixer (without # approving) try: result_deposit_bob_to_bob = scenario.bob_deposit( zeth_client, prover_client, mk_tree, bob_eth_address, keystore, zeth.core.utils.EtherValue(0)) except Exception as e: allowance_mixer = allowance(token_instance, bob_eth_address, zeth_client.mixer_instance.address) print(f"[ERROR] Bob deposit failed! (msg: {e})") print("The allowance for Mixer from Bob is: ", allowance_mixer) # Bob approves the transfer print("- Bob approves the transfer of ETHToken to the Mixer") tx_hash = approve(token_instance, bob_eth_address, zeth_client.mixer_instance.address, scenario.BOB_DEPOSIT_ETH) eth.waitForTransactionReceipt(tx_hash) allowance_mixer = allowance(token_instance, bob_eth_address, zeth_client.mixer_instance.address) print("- The allowance for the Mixer from Bob is:", allowance_mixer) # Bob deposits ETHToken, split in 2 notes on the mixer result_deposit_bob_to_bob = scenario.bob_deposit(zeth_client, prover_client, mk_tree, bob_eth_address, keystore) print("- Balances after Bob's deposit: ") print_token_balances(token_instance, bob_eth_address, alice_eth_address, charlie_eth_address, zeth_client.mixer_instance.address) # Alice sees a deposit and tries to decrypt the ciphertexts to see if she # was the recipient, but Bob was the recipient so Alice fails to decrypt received_notes = _receive_notes(result_deposit_bob_to_bob.output_events) recovered_notes_alice = received_notes['alice'] assert(len(recovered_notes_alice) == 0), \ "Alice decrypted a ciphertext that was not encrypted with her key!" # Bob does a transfer of ETHToken to Charlie on the mixer # Bob decrypts one of the note he previously received (useless here but # useful if the payment came from someone else) recovered_notes_bob = received_notes['bob'] assert(len(recovered_notes_bob) == 2), \ f"Bob recovered {len(recovered_notes_bob)} notes from deposit, expected 2" input_bob_to_charlie = recovered_notes_bob[0].as_input() # Execution of the transfer result_transfer_bob_to_charlie = scenario.bob_to_charlie( zeth_client, prover_client, mk_tree, input_bob_to_charlie, bob_eth_address, keystore) # Bob tries to spend `input_note_bob_to_charlie` twice result_double_spending = None try: result_double_spending = scenario.bob_to_charlie( zeth_client, prover_client, mk_tree, input_bob_to_charlie, bob_eth_address, keystore) except Exception as e: print(f"Bob's double spending successfully rejected! (msg: {e})") assert (result_double_spending is None), "Bob spent the same note twice!" print("- Balances after Bob's transfer to Charlie: ") print_token_balances(token_instance, bob_eth_address, alice_eth_address, charlie_eth_address, zeth_client.mixer_instance.address) # Charlie tries to decrypt the notes from Bob's previous transaction. received_notes = _receive_notes( result_transfer_bob_to_charlie.output_events) note_descs_charlie = received_notes['charlie'] assert(len(note_descs_charlie) == 1), \ f"Charlie decrypted {len(note_descs_charlie)}. Expected 1!" _ = scenario.charlie_withdraw(zeth_client, prover_client, mk_tree, note_descs_charlie[0].as_input(), charlie_eth_address, keystore) print("- Balances after Charlie's withdrawal: ") print_token_balances(token_instance, bob_eth_address, alice_eth_address, charlie_eth_address, zeth_client.mixer_instance.address) # Charlie tries to carry out a double spend by withdrawing twice the same # note result_double_spending = None try: # New commitments are added in the tree at each withdraw so we # recompute the path to have the updated nodes result_double_spending = scenario.charlie_double_withdraw( zeth_client, prover_client, zksnark, mk_tree, note_descs_charlie[0].as_input(), charlie_eth_address, keystore) except Exception as e: print(f"Charlie's double spending successfully rejected! (msg: {e})") print("Balances after Charlie's double withdrawal attempt: ") assert(result_double_spending is None), \ "Charlie managed to withdraw the same note twice!" print_token_balances(token_instance, bob_eth_address, alice_eth_address, charlie_eth_address, zeth_client.mixer_instance.address) # Bob deposits once again ETH, split in 2 notes on the mixer # But Charlie attempts to corrupt the transaction (malleability attack) # Bob approves the transfer print("- Bob approves the transfer of ETHToken to the Mixer") tx_hash = approve(token_instance, bob_eth_address, zeth_client.mixer_instance.address, scenario.BOB_DEPOSIT_ETH) eth.waitForTransactionReceipt(tx_hash) allowance_mixer = allowance(token_instance, bob_eth_address, zeth_client.mixer_instance.address) print("- The allowance for the Mixer from Bob is:", allowance_mixer) result_deposit_bob_to_bob = scenario.charlie_corrupt_bob_deposit( zeth_client, prover_client, zksnark, mk_tree, bob_eth_address, charlie_eth_address, keystore) # Bob decrypts one of the note he previously received (should fail if # Charlie's attack succeeded) received_notes = _receive_notes(result_deposit_bob_to_bob.output_events) recovered_notes_bob = received_notes['bob'] assert(len(recovered_notes_bob) == 2), \ f"Bob recovered {len(recovered_notes_bob)} notes from deposit, expected 2" print("- Balances after Bob's last deposit: ") print_token_balances(token_instance, bob_eth_address, alice_eth_address, charlie_eth_address, zeth_client.mixer_instance.address) print("========================================\n" + " TESTS PASSED\n" + "========================================\n")