The client pulls market prices from a pricenode over Tor (PriceProvider -> getAllMarketPrices) and just uses whatever JSON comes back. There's no signature on the data, so the only thing a client is really trusting is "this onion gave me numbers." Whichever pricenode you end up using (and a signed Filter can swap priceRelayNodes out from under you) fully controls the rates you see.
For offers priced as a margin off market, a skewed feed quietly shifts the effective price. There are some backstops (you confirm the absolute XMR/fiat amounts before taking, and the pricenode itself does outlier-trimmed averaging across exchanges), but a client has no way to tell a poisoned feed from a good one.
Two improvements that would help, roughly in order of effort:
- Sign the price payload with a per-network key and verify it client-side, same trust model you already use for filters/alerts.
- Have the client query a couple of pricenodes and reject outliers, so a single bad/redirected node can't move the price on its own.
Not urgent, but it's a soft spot in the trade-value path that's currently 100% "trust the node."
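As an added sketch of what the two improvements look like client-side (my example, not the project's code): a signed envelope around the existing price JSON, verified against a per-network Ed25519 key, plus a median-with-tolerance combiner over several pricenodes. The envelope format, the Ed25519 choice, the 2% tolerance and the quorum value are all assumptions for illustration.

```go
package main

import (
	"crypto/ed25519"
	"encoding/json"
	"errors"
	"sort"
)

// SignedPrices is a hypothetical envelope: the pricenode's existing price JSON
// goes in Payload byte-for-byte, Signature is Ed25519 over exactly those bytes.
type SignedPrices struct {
	Payload   json.RawMessage `json:"payload"`
	Signature []byte          `json:"signature"`
}

// VerifyPrices is the client side: no valid per-network signature, no prices,
// so a redirected or compromised onion cannot hand the client arbitrary rates.
func VerifyPrices(pub ed25519.PublicKey, raw []byte) ([]byte, error) {
	var env SignedPrices
	if err := json.Unmarshal(raw, &env); err != nil {
		return nil, err
	}
	if !ed25519.Verify(pub, env.Payload, env.Signature) {
		return nil, errors.New("price payload not signed by network key")
	}
	return env.Payload, nil
}

// RobustPrice combines one quote per pricenode: quotes further than tol (a
// fraction) from the median are dropped and at least quorum quotes must survive.
func RobustPrice(quotes []float64, tol float64, quorum int) (float64, error) {
	sorted := append([]float64(nil), quotes...)
	sort.Float64s(sorted)
	n := len(sorted)
	if n < quorum {
		return 0, errors.New("too few pricenodes answered")
	}
	median := sorted[n/2] // upper median for even n; good enough as an anchor
	sum, kept := 0.0, 0
	for _, q := range quotes {
		if d := q/median - 1; d <= tol && d >= -tol {
			sum, kept = sum+q, kept+1
		}
	}
	if kept < quorum {
		return 0, errors.New("pricenodes disagree beyond tolerance")
	}
	return sum / float64(kept), nil
}
```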