damus

nostr ios client
git clone git://jb55.com/damus

commit 6031fe0847fb8ab956465d810a1124a8eb921dc1
parent 1be2a9e1b16acf53a363351426f38e2be35a48b1
Author: William Casarin <jb55@jb55.com>
Date:   Sat,  8 Jul 2023 21:15:11 -0700

Fix fake note zaps with forged p-tags

This fixes a zap issue where someone could send a fake zap with a zapper
that doesn't match the user's nostrPubkey zapper. This is possible
because damus looks up the zapper via the ptag on note zaps.

Fix this by first looking up the cached event's ptag instead. This
prevents zappers from trying to trick Damus into picking the wrong
zapper.

Fixes: #1357
Changelog-Fixed: Fix issue where malicious zappers can send fake zaps to another user's posts
Reported-by: benthecarman <benthecarman@live.com>
Cc: Tony Giorgio <tonygiorgio@protonmail.com>

Diffstat:
Mdamus/Models/HomeModel.swift | 14++++++++++++--
1 file changed, 12 insertions(+), 2 deletions(-)

diff --git a/damus/Models/HomeModel.swift b/damus/Models/HomeModel.swift
@@ -1238,11 +1238,21 @@ enum ProcessZapResult {
 func process_zap_event(damus_state: DamusState, ev: NostrEvent, completion: @escaping (ProcessZapResult) -> Void) {
 // These are zap notifications
- guard let ptag = event_tag(ev, name: "p") else {
+ let etag = event_tag(ev, name: "e")
+
+ var ptag: String? = nil
+ if let etag {
+ // we can't trust the p tag on note zaps because they can be faked
+ ptag = damus_state.events.lookup(etag)?.pubkey
+ } else {
+ ptag = event_tag(ev, name: "p")
+ }
+
+ guard let ptag else {
 completion(.failed)
 return
 }
-
+
 // just return the zap if we already have it
 if let zap = damus_state.zaps.zaps[ev.id], case .zap(let z) = zap {
 completion(.already_processed(z))
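Review bot: When the zap carries an e tag but the referenced note is not in `damus_state.events`, `lookup(etag)?.pubkey` is nil and the guard reports `.failed`; that fail-closed outcome is the safe one, but nothing in the code says it is deliberate. A later change that falls back to the event's own p tag on a cache miss would reopen the forged-zapper issue, so I would extend the comment, for example `// no fallback to the p tag: if the note isn't cached we fail closed rather than trust a forgeable tag`. It is also worth confirming that callers treat `.failed` for an uncached note as retryable, since otherwise legitimate zaps on notes not yet loaded are presumably dropped. The local is still called `ptag` although on note zaps it now holds the cached note's author pubkey; a name such as `target_pubkey` would make the trust source clearer. The function body continues outside the hunk, so the zapper comparison itself is not visible here.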