Vulnerability: variable secret size in cross-chain atomic swaps

[markblundeberg]

I believe I have found a serious vulnerability in the way that hash locked cross-chain atomic swap smart contracts are being written right now (!). The vulnerability allows the initiating party (holding hash secret) to scam the counterparty and steal funds, in certain pairs of cryptocurrencies (e.g., BTC-ETH) but not in others (e.g., BTC-LTC).

https://gist.github.com/markblundeberg/7a932c98179de2190049f5823907c016

Luckily, it has an easy fix.

Please criticize!

[1714738833]

1714738833

[1714738833]

1714738833

[1714738833]

1714738833

[1714738833]

1714738833

[1714738833]

1714738833

[ArsenyP]

The initial idea of atomic transfers (https://bitcointalk.org/index.php?topic=193281.0) was proposed for the altcoins built upon BC with a 520 bytes element size.
No one is going to use it unmodified for an ETH-BC transfer.
For every altcoin there has to be a confirmation from an independent security expert that a particular form of contract is suitable for it.
Imagine a coin that has a built in timer and self-burns if unused for longer than a day (there actually are some tokens that behave this way). There has to be an extra check for both ATime and Btime to be less then a day in this case.
But your exploit is to be taken into consideration when actually constructing swaps between altcoins with mismatching element sizes. I think it will work.

[DooMAD]

The impression I get is that cross-chain transactions won't apply by default to every altcoin out there straight out of the box.  Each individual altcoin will have to undergo rigorous compatibility checks to ensure it all works smoothly when someone tries to hop from one chain to another.  Some may be easier to meld than others.

[Cryptagio]

I believe I have found a serious vulnerability in the way that hash locked cross-chain atomic swap smart contracts are being written right now (!). The vulnerability allows the initiating party (holding hash secret) to scam the counterparty and steal funds, in certain pairs of cryptocurrencies (e.g., BTC-ETH) but not in others (e.g., BTC-LTC).

https://gist.github.com/markblundeberg/7a932c98179de2190049f5823907c016

Luckily, it has an easy fix.

Please criticize!

Well, not each cryptocurrency can be swapped. It has to have certain prerequisites that are as follows:
- branched transaction scripts (i.e. existence of scripting language)
- the same hash algorithm in both chains’ transaction scripts
- signature checks in transaction scripts
- CheckLockTimeVerify or CheckSequenceVerify (“CLTV” and “CSV” for short) in transaction scripts