fix: tx hash replay protection for charge intent#89
Merged
Conversation
Add optional store parameter to ChargeIntent for transaction hash deduplication. Before verifying a hash on-chain, checks if it has already been used. After successful verification, records the hash. This prevents replay attacks where a client pays once and reuses the same tx hash across multiple challenges to get free service. Adds Store protocol and MemoryStore implementation in mpp.store. The store is opt-in to maintain backward compatibility. Amp-Thread-ID: https://ampcode.com/threads/T-019d02b5-0e49-75a9-a69f-92b70d81ba0f Co-authored-by: Amp <amp@ampcode.com>
Slokh
force-pushed
the
fix/charge-tx-hash-replay-protection
branch
from
c223f96 to
5747ed5
Compare
Add optional store parameter to ChargeIntent for transaction hash deduplication. Before verifying a hash on-chain, checks if it has already been used. After successful verification, records the hash. This prevents replay attacks where a client pays once and reuses the same tx hash across multiple challenges to get free service. Adds Store protocol and MemoryStore implementation in mpp.store. The store is opt-in to maintain backward compatibility. Co-authored-by: Amp <amp@ampcode.com> Amp-Thread-ID: https://ampcode.com/threads/T-019d02b5-0e49-75a9-a69f-92b70d81ba0f
Slokh
force-pushed
the
fix/charge-tx-hash-replay-protection
branch
from
5747ed5 to
c8e41aa
Compare
Merged
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
1 participant
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Summary
Fixes transaction hash replay vulnerability in
ChargeIntent. A malicious client could pay once and reuse the same tx hash across multiple challenges to get free service.Changes
mpp.storemodule withStoreprotocol andMemoryStorestoreparameter toChargeIntent.__init___verify_hash: checks store for previously-seen hash before RPC verification; records hash after successStoreandMemoryStorefrommppUsage
Store is opt-in — existing usage without a store is unaffected.