Change Details

Currently, if a user creates two identical AgoraPartial offers (i.e. same makerPk, same price, same token ID, etc.), an attacker could spend those offers in one single transaction, burning the tokens of one of them. The solution to fix this is to (ab)use the nLocktime field sort-of as a unique identifier, allowing two identical offers to still differ by enforcing a different locktime. This is done by 9th field (nLocktime) in the BIP143 sighash and byte-compare it to the locktime specified in the Script. This adds exactly 8 bytes to each script. Using OP_CHECKLOCKTIMEVERIFY doesn't make sense here, as it can only be used for a relation (>) between locktimes, not equality. This gives each offer around 1.2B (past) locktimes to choose from, which can either be picked randomly, or better by incrementing a counter. Another option would be to enforce the Agora input to always be the first input of the transaction, however, this would clash with potential ad inputs (required by SLP), which are currently already required to be at first position. We could require the Agora input to be last, which would work. The downside however is that each transaction would grow by around 100B to enforce this, as the ANYONECANPAY trick doesn't work anymore. We can just fix this issue in the open, as nobody is using AgoraPartial offers yet. We also don't need an update strategy, because nobody (to our knowledge) made any such transactions on mainnet yet.

Currently, if a user creates two identical AgoraPartial offers (i.e. same makerPk, same price, same token ID, etc.), an attacker could spend those offers in one single transaction, burning the tokens of one of them. The solution to fix this is to (ab)use the nLocktime field sort-of as a unique identifier, allowing two identical offers to still differ by enforcing a different locktime. This is done by using 9th field (nLocktime) in the BIP143 sighash and byte-comparing it to the locktime specified in the Script. This adds exactly 8 bytes to each script. Using OP_CHECKLOCKTIMEVERIFY doesn't make sense here, as it can only be used for a relation (>) between locktimes, not equality. This gives each offer around 1.2B (past) locktimes to choose from, which can either be picked randomly, or better by incrementing a counter. Another option would be to enforce the Agora input to always be the first input of the transaction, however, this would clash with potential ad inputs (required by SLP), which are currently already required to be at first position. We could require the Agora input to be last, which would work. The downside however is that each transaction would grow by around 100B to enforce this, as the ANYONECANPAY trick doesn't work anymore. We can just fix this issue in the open, as nobody is using AgoraPartial offers yet. We also don't need an update strategy, because nobody (to our knowledge) made any such transactions on mainnet yet.

Currently, if a user creates two identical AgoraPartial offers (i.e. same makerPk, same price, same token ID, etc.), an attacker could spend those offers in one single transaction, burning the tokens of one of them. The solution to fix this is to (ab)use the nLocktime field sort-of as a unique identifier, allowing two identical offers to still differ by enforcing a different locktime. This is done by using 9th field (nLocktime) in the BIP143 sighash and byte-compareing it to the locktime specified in the Script. This adds exactly 8 bytes to each script. Using OP_CHECKLOCKTIMEVERIFY doesn't make sense here, as it can only be used for a relation (>) between locktimes, not equality. This gives each offer around 1.2B (past) locktimes to choose from, which can either be picked randomly, or better by incrementing a counter. Another option would be to enforce the Agora input to always be the first input of the transaction, however, this would clash with potential ad inputs (required by SLP), which are currently already required to be at first position. We could require the Agora input to be last, which would work. The downside however is that each transaction would grow by around 100B to enforce this, as the ANYONECANPAY trick doesn't work anymore. We can just fix this issue in the open, as nobody is using AgoraPartial offers yet. We also don't need an update strategy, because nobody (to our knowledge) made any such transactions on mainnet yet.