From 13f98659a4fda5d11d15a58b436c58f25b893f6f Mon Sep 17 00:00:00 2001
From: William Casarin
Date: Sat, 8 Jul 2023 21:52:20 -0700
Subject: [PATCH] Prevent forged profile zap attacks

The fake note zap attack made me realize that there is a way to do fake profile zaps using a similar technique. Since damus only checks the first ptag if it is a profile zap, this means you could include multiple ptags, the first one being the fake profile with the fake zapper, and the second p tag as the real target. This would allow a fake zapper to create a fake a zap, while the zap notification would still appear for the second ptag because damus listens for zap events via #p, and that would match the second ptag. To fix this, ensure that zaps only have at most 1 ptag and 0 or 1 etag. my CLN zapper checks this but if we don't check this here as well then we run into fake zap issues.
Changelog-Fixed: Fix potential fake profile zap attacks
Cc: Tony Giorgio
Cc: benthecarman
Cc: Vitor Pamplona
---
 damus/Models/HomeModel.swift | 10 ++++++++++
 1 file changed, 10 insertions(+)
diff --git a/damus/Models/HomeModel.swift b/damus/Models/HomeModel.swift
index aa5fcabb..88c824c5 100644
--- a/damus/Models/HomeModel.swift
+++ b/damus/Models/HomeModel.swift
@@ -1242,10 +1242,20 @@ func get_zap_target_pubkey(ev: NostrEvent, events: EventCache) -> String? {
 let etags = ev.referenced_ids
 if let etag = etags.first {
+ // ensure that there is only 1 etag to stop fake note zap attacks
+ guard etags.count == 1 else {
+ return nil
+ }
 // we can't trust the p tag on note zaps because they can be faked
 return events.lookup(etag.id)?.pubkey
 } else {
 let ptags = ev.referenced_pubkeys
+
+ // ensure that there is only 1 ptag to stop fake profile zap attacks
+ guard ptags.count == 1 else {
+ return nil
+ }
+
 return ptags.first?.id
 }
 }
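Review bot: The etag branch only enforces `etags.count == 1` and never looks at the p tags, while the commit message states the rule as "at most 1 ptag and 0 or 1 etag"; a note zap that carries several p tags still passes `get_zap_target_pubkey`, and since damus subscribes to zaps via #p, each listed pubkey may still receive the event. If the callers rely on this function as the single gate, the first guard could become `guard etags.count == 1, ev.referenced_pubkeys.count <= 1 else { return nil }` so both branches apply the same tag limit; whether the extra p tags actually reach the notification path is not visible in this hunk and should be confirmed against the #p handler. The two guards also encode the same policy in two places, so a one-line comment above `let etags` stating the accepted tag shape (`// accept only zaps with exactly one e tag or exactly one p tag; anything else is treated as untrusted`) would keep the rule from drifting. The enclosing function's signature is outside the hunk and appears only in the `@@` header.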