
Comments (22)

johngrantuk avatar johngrantuk commented on August 9, 2024 1

Ahh got it! Thought there would be an explanation. Thanks a lot for clearing that up 😀

from burner-wallet.

gitcoinbot avatar gitcoinbot commented on August 9, 2024

Issue Status: 1. Open 2. Started 3. Submitted 4. Done


This issue now has a funding of 75.0 DAI (75.0 USD @ $1.0/DAI) attached to it.

from burner-wallet.

gitcoinbot avatar gitcoinbot commented on August 9, 2024

Issue Status: 1. Open 2. Started 3. Submitted 4. Done


Work for 75.0 DAI (75.0 USD @ $1.0/DAI) has been submitted by:

  1. @catageek
  2. @catageek
  3. @catageek
  4. @mohoff
  5. @riusricardo

@austintgriffith please take a look at the submitted work:


from burner-wallet.

frankchen07 avatar frankchen07 commented on August 9, 2024

hey @austintgriffith, looks like there's some submissions to take a look at :)

from burner-wallet.

austintgriffith avatar austintgriffith commented on August 9, 2024

I'm going to extend this bounty and double the reward. We need to continue to hash out issues. I've seen a little activity here which is awesome. Is there someone in particular heading this up? Do we have a list of potential issues and severity? Hit me up directly if I can help on telegram: @austingriffith

from burner-wallet.

riusricardo avatar riusricardo commented on August 9, 2024

@austintgriffith there are 4 issues that I have seen so far and confirmed on tests. The replay attack, discovered by @catageek, and 3 more that I'll directly disclose to you before making them public.

from burner-wallet.

gitcoinbot avatar gitcoinbot commented on August 9, 2024

Issue Status: 1. Open 2. Started 3. Submitted 4. Done


Work has been started.

These users each claimed they can complete the work by 3 months ago.
Please review their action plans below:

1) mohoff has started work.

Found another point of discussion

Learn more on the Gitcoin Issue Details page.

from burner-wallet.

austintgriffith avatar austintgriffith commented on August 9, 2024

Okay, sounds like we created new issues for each of these. Let's go ahead and pay out this bounty and move on to tackling the bugs with the contracts. I think it's okay to publicly disclose contract issues here too. The Burner Wallet is really used in production yet and we need to tackle the issues. I'll add a little more funding to this issue to make the payout a little better too.

from burner-wallet.

gitcoinbot avatar gitcoinbot commented on August 9, 2024

⚡️ A tip worth 75.00000 DAI (75.0 USD @ $1.0/DAI) has been granted to @riusricardo for this issue from @austintgriffith. ⚡️

Nice work @riusricardo! Your tip has automatically been deposited in the ETH address we have on file.

from burner-wallet.

gitcoinbot avatar gitcoinbot commented on August 9, 2024

⚡️ A tip worth 50.00000 DAI (50.0 USD @ $1.0/DAI) has been granted to @mohoff for this issue from @austintgriffith. ⚡️

Nice work @mohoff! Your tip has automatically been deposited in the ETH address we have on file.

from burner-wallet.

gitcoinbot avatar gitcoinbot commented on August 9, 2024

⚡️ A tip worth 25.00000 DAI (25.0 USD @ $1.0/DAI) has been granted to @catageek for this issue from @austintgriffith. ⚡️

Nice work @catageek! Your tip has automatically been deposited in the ETH address we have on file.

from burner-wallet.

gitcoinbot avatar gitcoinbot commented on August 9, 2024

⚡️ A tip worth 37.50000 DAI (37.5 USD @ $1.0/DAI) has been granted to @riusricardo for this issue from @austintgriffith. ⚡️

Nice work @riusricardo! Your tip has automatically been deposited in the ETH address we have on file.

from burner-wallet.

gitcoinbot avatar gitcoinbot commented on August 9, 2024

⚡️ A tip worth 18.75000 DAI (18.75 USD @ $1.0/DAI) has been granted to @mohoff for this issue from @austintgriffith. ⚡️

Nice work @mohoff! Your tip has automatically been deposited in the ETH address we have on file.

from burner-wallet.

gitcoinbot avatar gitcoinbot commented on August 9, 2024

⚡️ A tip worth 18.75000 DAI (18.75 USD @ $1.0/DAI) has been granted to @catageek for this issue from @austintgriffith. ⚡️

Nice work @catageek! Your tip has automatically been deposited in the ETH address we have on file.

from burner-wallet.

gitcoinbot avatar gitcoinbot commented on August 9, 2024

Issue Status: 1. Open 2. Started 3. Submitted 4. Done


This Bounty has been completed.

Additional Tips for this Bounty:

  • austintgriffith tipped 18.7500 DAI worth 18.75 USD to catageek.
  • austintgriffith tipped 18.7500 DAI worth 18.75 USD to mohoff.
  • austintgriffith tipped 37.5000 DAI worth 37.5 USD to riusricardo.
  • austintgriffith tipped 25.0000 DAI worth 25.0 USD to catageek.
  • austintgriffith tipped 50.0000 DAI worth 50.0 USD to mohoff.
  • austintgriffith tipped 75.0000 DAI worth 75.0 USD to riusricardo.

from burner-wallet.

gitcoinbot avatar gitcoinbot commented on August 9, 2024
⚡️ A *Eth Hacker* Kudos has been sent to @catageek for this issue from @austintgriffith. ⚡️

Nice work @catageek!
Your Kudos has automatically been sent in the ETH address we have on file.

from burner-wallet.

gitcoinbot avatar gitcoinbot commented on August 9, 2024
⚡️ A *Eth Hacker* Kudos has been sent to @mohoff for this issue from @austintgriffith. ⚡️

Nice work @mohoff!
Your Kudos has automatically been sent in the ETH address we have on file.

from burner-wallet.

gitcoinbot avatar gitcoinbot commented on August 9, 2024
⚡️ A *Eth Hacker* Kudos has been sent to @riusricardo for this issue from @austintgriffith. ⚡️

Nice work @riusricardo!
Your Kudos has automatically been sent in the ETH address we have on file.

from burner-wallet.

johngrantuk avatar johngrantuk commented on August 9, 2024

I was looking at the contracts and had a question I was hoping someone could answer. In Links.sol, send function, the recoverSigner function is used to recover the address for the funds[_id].signer. Is there a reason that a _signature is used instead of just the wallet address directly?

from burner-wallet.

riusricardo avatar riusricardo commented on August 9, 2024

@johngrantuk There are some considerations for the SC.
Think of it as an EOA account. It has similar functionality in terms of storing value, but anyone can use it.
For this reason it is important to validate that you are the "owner/creator" of a fund, the same way as if you use your private key to transfer from an EOA.
The idea behind the burner wallet is to use signed transactions and simulate the transfer from an EOA.
In order to create the send by link functionality or any offline transaction, the sender needs to give a signed message to the recipient. In this case it is a signed hash. The hash has an incremental nonce to emulate the EOA send transaction to prevent replay attacks. It also includes more parameters to create every signed hash/fund as a unique identifier.

I hope this answer helps!

from burner-wallet.

johngrantuk avatar johngrantuk commented on August 9, 2024

Thanks for the reply @riusricardo. Specifically I was wondering about line 47 in the send function:

address signer = recoverSigner(_id,_signature);

As I understand recoverSigner returns the public address of the signature. This public address is linked to where the value is stored at. The parameter, _signature, that is passed in to send is only used in this line and doesn't have any other purpose.

I was really just wondering if instead of passing in _signature and using recoverSigner (which I imagine uses a fair bit of gas) would it not be more gas efficient to just pass in the public address directly so there is no need to call recoverSigner?

This could be of no consequence at all but was just something that jumped out at me so thanks for your time!

from burner-wallet.

riusricardo avatar riusricardo commented on August 9, 2024

@johngrantuk, your assumption is correct if we think that there is no other way to interact with the smart contract than from the wallet app. However, this will introduce a security flaw because anyone can create a fund and assign another signer, creating strange behavior if someone else can "sign" in your name.

EDIT: By "sign" I only mean that someone else is depositing in your name, not that someone else can create a signature. More than a security flaw, it is strange behavior for the actual scope. This could also become a new functionality. It could be equivalent to a deposit from someone else into your account, and only you can sign to send the value.

from burner-wallet.
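
The trade-off discussed in this exchange, as an added Solidity sketch that is not part of the thread and is not the project's Links.sol: one deposit path takes the signer address as a parameter, the other recovers it from a signature over `_id`. Only `send`, `recoverSigner`, `funds`, `_id` and `_signature` appear in the thread; the struct layout, `sendWithAddress`, `claim` and the fields of the claim hash are assumptions made for illustration.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Added sketch, not the project's Links.sol. Only send, recoverSigner, funds,
// _id and _signature come from the thread; everything else is hypothetical.
contract LinkFundSketch {
    struct Fund { address sender; address signer; uint256 value; uint256 nonce; }
    mapping(bytes32 => Fund) public funds;

    // Variant asked about: the caller just names the signer. No ecrecover gas,
    // but nothing shows the caller holds that key, so anyone can open a fund
    // in another address's name.
    function sendWithAddress(bytes32 _id, address _signer) external payable {
        require(funds[_id].sender == address(0), "id in use");
        require(_signer != address(0), "zero signer");
        funds[_id] = Fund(msg.sender, _signer, msg.value, 0);
    }

    // Variant in the thread: the signer is recovered from a signature over _id,
    // so a fund is only ever bound to a key that actually signed that id.
    function send(bytes32 _id, bytes calldata _signature) external payable {
        require(funds[_id].sender == address(0), "id in use");
        address signer = recoverSigner(_id, _signature);
        require(signer != address(0), "bad signature");
        funds[_id] = Fund(msg.sender, signer, msg.value, 0);
    }

    // Release: the signed hash covers contract, id, destination and the fund's
    // nonce, and the nonce is bumped, so the same signature cannot be replayed.
    function claim(bytes32 _id, address payable _to, bytes calldata _signature) external {
        Fund storage f = funds[_id];
        bytes32 h = keccak256(abi.encodePacked(address(this), _id, _to, f.nonce));
        require(f.signer != address(0) && recoverSigner(h, _signature) == f.signer, "not signer");
        f.nonce++;
        uint256 amount = f.value;
        f.value = 0;
        (bool ok, ) = _to.call{value: amount}("");
        require(ok, "transfer failed");
    }

    // Assumes a 65-byte r || s || v signature over the raw 32-byte hash.
    function recoverSigner(bytes32 _hash, bytes calldata _signature) public pure returns (address) {
        if (_signature.length != 65) return address(0);
        uint8 v = uint8(_signature[64]);
        if (v < 27) v += 27;
        if (v != 27 && v != 28) return address(0);
        return ecrecover(_hash, v, bytes32(_signature[0:32]), bytes32(_signature[32:64]));
    }
}
```

In both variants only the holder of the signer key can release the value through `claim`; what the signature on deposit adds is that a fund cannot be registered under a key whose owner never signed that id.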
