@DavidBurkett
Last active Nov 22, 2021
Assuming design: https://gist.github.com/DavidBurkett/ba41f314b12566987dc9ba3534c6c773

Setup

Alice creates 2 outputs for Bob:

OB1 = { v1, Kr1 = B + HASH32(T_RECEIVE||t1)*G}
OB2 = { v2, Kr2 = B + HASH32(T_RECEIVE||t2)*G}

where v2 > v1.

Bob spends OB1 to Alice, creating output OA in tx1, and spends OB2 to Charlie, creating output OC in tx2:

tx1: {in: OB1; kern: k1; out: OA}
tx2: {in: OB2; kern: k2; out: OC}

Both transactions are broadcast at the same time.

Attack

Alice, a miner, sees both transactions, and realizes she has an opportunity to receive v2 coins instead of v1.

She modifies tx1, creating tx1':

tx1': {in: OB2; kern: k1; out: OA'} where OA' consists of a new commitment for v2 coins.

She knows the blinding factor of OB2, since she created it, so generating a new commitment and balancing the kernel excess is trivial.

She generates a new rangeproof for OA', committing to the same output data (i.e. {v'||n'||Ks||Kr||Ke||ρ}) as OA.

Stealth Offset

Now everything validates except for the stealth excess equation (i.e. t'*G = (ΣKs - ΣKr) - ΣE').

Alice does not know the private keys kr1 or kr2 (they contain Bob's key b), but she does know the difference between the 2:

kr2 - kr1 = HASH32(T_RECEIVE||t2) - HASH32(T_RECEIVE||t1)

To make the stealth offset equation balance, she can just increase the stealth offset for tx1' by kr2 - kr1.
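The following Python is an added illustration, not part of the gist or of the MWEB design it references. It models the stealth excess equation above on secp256k1 (the curve, the SHA-256-based HASH32, the tag bytes for T_RECEIVE, and the exact placement of Ks, Kr and E in the equation are all assumptions) and checks three things: Bob's honest tx1 passes, the same kernel and output with the input swapped to OB2 fails under Bob's offset, and it passes again once the offset is corrected by HASH32(T_RECEIVE||t2) - HASH32(T_RECEIVE||t1). That correction depends only on values Alice already holds, never on Bob's key b, which is the property that makes the equation non-binding: Bob's secret cancels between any two outputs Alice created for him.

```python
import hashlib
import secrets

# secp256k1 parameters (curve choice is an assumption of this model)
P = 2**256 - 2**32 - 977
N = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141
G = (0x79BE667EF9DCBBAC55A06295CE870B07029BFCDB2DCE28D959F2815B16F81798,
     0x483ADA7726A3C4655DA4FBFC0E1108A8FD17B448A68554199C47D08FFB10D4B8)

def ec_add(p1, p2):
    """Affine point addition; None is the point at infinity."""
    if p1 is None:
        return p2
    if p2 is None:
        return p1
    x1, y1 = p1
    x2, y2 = p2
    if x1 == x2:
        if (y1 + y2) % P == 0:
            return None
        lam = (3 * x1 * x1) * pow(2 * y1, -1, P) % P
    else:
        lam = (y2 - y1) * pow(x2 - x1, -1, P) % P
    x3 = (lam * lam - x1 - x2) % P
    return (x3, (lam * (x1 - x3) - y1) % P)

def ec_mul(k, pt):
    """Double-and-add scalar multiplication, scalar reduced mod the group order."""
    k %= N
    acc = None
    while k:
        if k & 1:
            acc = ec_add(acc, pt)
        pt = ec_add(pt, pt)
        k >>= 1
    return acc

def ec_neg(pt):
    return None if pt is None else (pt[0], (-pt[1]) % P)

T_RECEIVE = b"T_RECEIVE"  # hypothetical domain-separation tag bytes

def hash32(tag, secret):
    """HASH32(tag||secret) as a scalar mod N (SHA-256 is an assumption)."""
    return int.from_bytes(hashlib.sha256(tag + secret.to_bytes(32, "big")).digest(), "big") % N

def stealth_check(t, output_ks, input_kr, kernel_e):
    """Verifier side: t*G == sum(Ks of outputs) - sum(Kr of inputs) - sum(E of kernels)."""
    rhs = None
    for k in output_ks:
        rhs = ec_add(rhs, k)
    for k in input_kr:
        rhs = ec_add(rhs, ec_neg(k))
    for e in kernel_e:
        rhs = ec_add(rhs, ec_neg(e))
    return ec_mul(t, G) == rhs

def rand_scalar():
    return secrets.randbelow(N - 1) + 1

def demo():
    # Constructed sample keys: Bob's wallet key b with address B, and the
    # per-output secrets t1, t2 Alice chose when building OB1 and OB2.
    b = rand_scalar()
    B = ec_mul(b, G)
    t1, t2 = rand_scalar(), rand_scalar()
    h1, h2 = hash32(T_RECEIVE, t1), hash32(T_RECEIVE, t2)
    kr1, kr2 = (b + h1) % N, (b + h2) % N          # only Bob can compute these
    Kr1, Kr2 = ec_mul(kr1, G), ec_mul(kr2, G)
    assert Kr1 == ec_add(B, ec_mul(h1, G))         # Kr = B + HASH32(T_RECEIVE||t)*G
    # Bob's tx1: input OB1, kernel k1 with stealth excess E, output OA with sender key Ks
    ks, e = rand_scalar(), rand_scalar()
    Ks, E = ec_mul(ks, G), ec_mul(e, G)
    t = (ks - kr1 - e) % N                          # honest stealth offset
    honest = stealth_check(t, [Ks], [Kr1], [E])
    # tx1': same kernel and output data, input swapped to OB2, offset untouched
    swap_unadjusted = stealth_check(t, [Ks], [Kr2], [E])
    # The correction kr2 - kr1 equals h2 - h1: b cancels, so t1 and t2 suffice.
    delta = (h2 - h1) % N
    assert delta == (kr2 - kr1) % N
    # Under the Ks - Kr - E arrangement modelled here the correction is subtracted;
    # with the opposite sign convention it is added. Either way b is never needed.
    swap_adjusted = stealth_check((t - delta) % N, [Ks], [Kr2], [E])
    return {"honest": honest, "swap_unadjusted": swap_unadjusted, "swap_adjusted": swap_adjusted}

if __name__ == "__main__":
    print(demo())
```

The check that matters for a design review is the cancellation line: because every receiver key Alice generated for Bob shares the same b, the difference of any two of them is public to her, so an equation that only constrains the sum of input keys cannot tell OB1 from OB2 once the offset is retuned.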
