Comments (7)
yea - unfortunately we will need to do the quick-fix solution (ideas on the best quick fix still welcome) this year unfortunately. Let's do it proper next year ..-)
from pretix-eth-payment-plugin.
One approach to solve this issue I see is: we need a database table that stores orderId to (transactionHash,chainId) - this way we can prevent that one transaction is used to pay for multiple tickets and this data could also be useful later on (allow to perform actions with the sender key to trigger things at the event) Perhaps for this we should also cache from
so we do not need to query the chain for it anymore.
from pretix-eth-payment-plugin.
Just to throw this in here: in an ideal world we would not centralize around databases but have the receiver be a smart contract/DAO that yields e.g. one NFT / X-DAI. Perhaps next year - for this year this is too risky time-wise ..-(
from pretix-eth-payment-plugin.
Just to throw this in here: in an ideal world we would not centralize around databases but have the receiver be a smart contract/DAO that yields e.g. one NFT / X-DAI. Perhaps next year - for this year this is too risky time-wise ..-(
Hah, yeah, this seems like the obvious "best" answer, but agree that it seems unwise to try to pull that off in a short time.
from pretix-eth-payment-plugin.
@ligi this does appear to be an exploitable attack vector.
The suggested mitigation mechanism seems correct, maintaining a new table that includes tx_hash, order_id, chain_id
pairings which would be queried each time to ensure that no existing record is present for a given tx_hash/chain_id
pair. Care needs to be taken to ensure that payment.confirm()
and the creation of the new record for tx_hash/chain_id/order_id
is recorded in an atomic transaction block:
See: https://docs.djangoproject.com/en/2.2/topics/db/transactions/#controlling-transactions-explicitly
from pretix-eth-payment-plugin.
I agree, the best way to fix this in pretix is a table with the payment object IDs (not order IDs) and the transaction hashs.
from pretix-eth-payment-plugin.
After merging #37 , we're now safe against replay attacks, but we're not tracking chainIDs for transactions in our transaction table. I guess there's a risk someone could be prevented from using a transaction to purchase a ticket in the rare event that its hash matches one already in the database from another purchase. But, if I'm not mistaken, wouldn't this require that the same "from" address generated a transaction with the same nonce?
from pretix-eth-payment-plugin.
Related Issues (20)
- Admin settings to use nested forms as opposed to JSON
- Add styling
- Add ability to poll more than one RPC endpoint for confirm-payments, confirm-refunds HOT 2
- Make confirm-refunds EIP1559 friendly HOT 1
- Add Arbitrum DAI
- expose address for orders in backend
- update URLlib HOT 1
- Internal Server Error: pretix_eth.models.WalletAddressError: No wallet addresses remain that haven't been used
- Add Uniswap Chain parameter to L2 requests
- Investigate: at export show ETH prices supplied by admin
- Support maximum / minimum amounts
- Auto-Update ETH & DAI price HOT 1
- Fix CI timeout on pip install
- Add EIP-55 capitalization to the payment address HOT 1
- Plug-in settings need to ensure that Node URLs are input for networks
- Validate receiving wallet address in plugin settings
- Plugin needs to check for state PAYMENT_STATE_CANCELED
- Allow Smart-contract Wallets to sign txn / pay
- Change time when signature is checked
- Error processing ETH payment validation on optimism with smart wallet HOT 1
Recommend Projects
-
React
A declarative, efficient, and flexible JavaScript library for building user interfaces.
-
Vue.js
🖖 Vue.js is a progressive, incrementally-adoptable JavaScript framework for building UI on the web.
-
Typescript
TypeScript is a superset of JavaScript that compiles to clean JavaScript output.
-
TensorFlow
An Open Source Machine Learning Framework for Everyone
-
Django
The Web framework for perfectionists with deadlines.
-
Laravel
A PHP framework for web artisans
-
D3
Bring data to life with SVG, Canvas and HTML. 📊📈🎉
-
Recommend Topics
-
javascript
JavaScript (JS) is a lightweight interpreted programming language with first-class functions.
-
web
Some thing interesting about web. New door for the world.
-
server
A server is a program made to process requests and deliver data to clients.
-
Machine learning
Machine learning is a way of modeling and interpreting data that allows a piece of software to respond intelligently.
-
Visualization
Some thing interesting about visualization, use data art
-
Game
Some thing interesting about game, make everyone happy.
Recommend Org
-
Facebook
We are working to build community through open source technology. NB: members must have two-factor auth.
-
Microsoft
Open source projects and samples from Microsoft.
-
Google
Google ❤️ Open Source for everyone.
-
Alibaba
Alibaba Open Source for everyone
-
D3
Data-Driven Documents codes.
-
Tencent
China tencent open source team.
from pretix-eth-payment-plugin.