Vulnerable withdrawal request #34

Open
@leandro-ro

Location

AssetHolderWithdrawalAuth in bindings/assetholder/AssetHolder.go generated through WithdrawalAuth in perun-eth-contracts.

Problem

AssetHolderWithdrawalAuth does not contain a nonce. This makes withdrawals requesting an amount smaller than half of the total funds vulnerable to replay attacks. It is especially problematic because the receiver can be an external party.

Consider this scenario: Alice and Bob concluded a channel. Bob is left with 1 ETH.
Bob owes Eve 0.1 ETH. He wants to pay Eve directly and withdraws 0.1 ETH with Eve as the receiver.
Eve captures Bob's call to the contract containing the signed AssetHolderWithdrawalAuth. Now Eve calls withdraw herself with the captured AssetHolderWithdrawalAuth to steal an additional 0.1 ETH from the channel. Eve does this multiple times to withdraw all funds of Bob.

Proposal

There are two possible ways I think we can deal with this issue:

  1. Remove the possibility to set a specific amount and limit the user to only withdraw the complete balance.
  2. Add a nonce to AssetHolderWithdrawalAuth. The contract must store the nonces and only accept withdrawals if the given nonce is new.
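
A small Go model of proposal 2, added here as an illustration; it is not code from this issue or from the Perun contracts or bindings. Assumptions: the `Auth` and `Holder` types and their fields are hypothetical, ed25519 stands in for the Ethereum signature check, and amounts are counted in units of 0.1 ETH.

```go
package main

import (
	"crypto/ed25519"
	"fmt"
)

// Auth is a simplified, hypothetical model of the signed withdrawal authorization.
type Auth struct {
	Channel, Receiver string
	Amount, Nonce     uint64 // Amount in units of 0.1 ETH; Nonce is the field proposal 2 adds
}

func (a Auth) bytes() []byte {
	return []byte(fmt.Sprintf("%q|%q|%d|%d", a.Channel, a.Receiver, a.Amount, a.Nonce))
}

// Holder models one participant's holdings in the asset holder contract.
type Holder struct {
	owner      ed25519.PublicKey
	balance    uint64
	used       map[uint64]bool // nonces already consumed
	checkNonce bool            // false models the behaviour described in the report
}

// Withdraw pays out only for a valid signature and, when enabled, a fresh nonce.
func (h *Holder) Withdraw(a Auth, sig []byte) bool {
	if !ed25519.Verify(h.owner, a.bytes(), sig) || a.Amount > h.balance {
		return false // bad signature or insufficient funds
	}
	if h.checkNonce && h.used[a.Nonce] {
		return false // authorization was already redeemed once
	}
	h.used[a.Nonce] = true
	h.balance -= a.Amount
	return true
}

// Replay submits one signed authorization n times; returns total paid and remainder.
func Replay(checkNonce bool, n int) (paid, left uint64) {
	pub, priv, _ := ed25519.GenerateKey(nil) // constructed key standing in for Bob's
	h := &Holder{owner: pub, balance: 10, used: map[uint64]bool{}, checkNonce: checkNonce}
	a := Auth{Channel: "ch-1", Receiver: "eve", Amount: 1, Nonce: 0} // constructed sample
	sig := ed25519.Sign(priv, a.bytes())
	for i := 0; i < n; i++ {
		h.Withdraw(a, sig) // rejected attempts leave the balance unchanged
	}
	return 10 - h.balance, h.balance
}
func main() { fmt.Println(fmt.Sprint(Replay(false, 10)), "|", fmt.Sprint(Replay(true, 10))) }
```

Because the nonce is part of the signed bytes, a resubmission cannot swap in a fresh nonce without invalidating the signature.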
