We read every piece of feedback, and take your input very seriously.
To see all available qualifiers, see our documentation.
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
The block_observer.rs iterates over new Bitcoin blocks and fetches new deposit requests in sbtc/signer/src/block_observer.rs at 033e2cbd2def829a3e30df77bc274b325d68cdbe · stacks-network/sbtc from the Emily API.
block_observer.rs
These deposit requests contain information such as the Bitcoin txid. It then uses a bitcoin_client to fetch the expected tx from Bitcoin and validates it via validate_tx in sbtc/sbtc/src/deposits.rs at 033e2cbd2def829a3e30df77bc274b325d68cdbe · stacks-network/sbtc.
txid
bitcoin_client
validate_tx
Note that while the code parses the passed deposit_script and parses it in sbtc/sbtc/src/deposits.rs at 033e2cbd2def829a3e30df77bc274b325d68cdbe · stacks-network/sbtc it currently just returns
deposit_script
Ok(DepositScriptInputs { signers_public_key: XOnlyPublicKey::from_slice(public_key) .map_err(Error::InvalidXOnlyPublicKey)?, max_fee: u64::from_be_bytes(*max_fee_bytes), recipient: stacks_address, }
without actually verifying that the signers_public_key is matching the expected signers public key.
signers_public_key
Currently, it might be possible to create a deposit script and to specify your own pub key making the deposit non-spendable by the Signers.
The text was updated successfully, but these errors were encountered:
No branches or pull requests
(Medium) Bitcoin deposit script validation is missing signer pub key check
1. Description
The
block_observer.rs
iterates over new Bitcoin blocks and fetches new deposit requests in sbtc/signer/src/block_observer.rs at 033e2cbd2def829a3e30df77bc274b325d68cdbe · stacks-network/sbtc from the Emily API.These deposit requests contain information such as the Bitcoin
txid
. It then uses abitcoin_client
to fetch the expected tx from Bitcoin and validates it viavalidate_tx
in sbtc/sbtc/src/deposits.rs at 033e2cbd2def829a3e30df77bc274b325d68cdbe · stacks-network/sbtc.Note that while the code parses the passed
deposit_script
and parses it in sbtc/sbtc/src/deposits.rs at 033e2cbd2def829a3e30df77bc274b325d68cdbe · stacks-network/sbtc it currently just returnswithout actually verifying that the
signers_public_key
is matching the expected signers public key.Currently, it might be possible to create a deposit script and to specify your own pub key making the deposit non-spendable by the Signers.
The text was updated successfully, but these errors were encountered: