- From: William Casarin <jb55@jb55.com>
- Date: Sat, 8 Jul 2023 22:57:07 -0700
- To: patches@damus.io
- Cc: dev@damus.io, nostr-protocol@googlegroups.com, public-nostr@w3.org, William Casarin <jb55@jb55.com>, benthecarman <benthecarman@live.com>, Tony Giorgio <tonygiorgio@protonmail.com>, Vitor Pamplona <vitor@vitorpamplona.com>, Kieran <kieran@harkin.me>, Jonathan Staab <shtaab@gmail.com>, Mike Dilger <mike@mikedilger.com>
This fixes a zap issue where someone could send a fake zap with a zapper
that doesn't match the user's nostrPubkey zapper. This is possible
because damus looks up the zapper via the ptag on note zaps. Fix this by
first looking up the cached event's ptag instead.

This prevents zappers from trying to trick Damus into picking the wrong
zapper.

Fixes: #1357
Changelog-Fixed: Fix issue where malicious zappers can send fake zaps to another user's posts
Reported-by: benthecarman <benthecarman@live.com>
Cc: Tony Giorgio <tonygiorgio@protonmail.com>
Cc: benthecarman <benthecarman@live.com>
Cc: Vitor Pamplona <vitor@vitorpamplona.com>
Cc: Kieran <kieran@harkin.me>
Cc: Jonathan Staab <shtaab@gmail.com>
Cc: Mike Dilger <mike@mikedilger.com>
Signed-off-by: William Casarin <jb55@jb55.com>
---
 damus/Models/HomeModel.swift | 7 ++++++-
 1 file changed, 6 insertions(+), 1 deletion(-)

diff --git a/damus/Models/HomeModel.swift b/damus/Models/HomeModel.swift
index 556ca4ea..e727c9c1 100644
--- a/damus/Models/HomeModel.swift
+++ b/damus/Models/HomeModel.swift
@@ -1239,7 +1239,12 @@ enum ProcessZapResult {
 // securely get the zap target's pubkey. this can be faked so we need to be
 // careful
 func get_zap_target_pubkey(ev: NostrEvent, events: EventCache) -> String? {
-    return event_tag(ev, name: "p")
+    if let etag = event_tag(ev, name: "e") {
+        // we can't trust the p tag on note zaps because they can be faked
+        return damus_state.events.lookup(etag)?.pubkey
+    } else {
+        return event_tag(ev, name: "p")
+    }
 }
 
 func process_zap_event(damus_state: DamusState, ev: NostrEvent, completion: @escaping (ProcessZapResult) -> Void) {
-- 
2.39.2 (Apple Git-143)
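Review bot: the new body reads `damus_state.events.lookup(etag)` while the function's own `events: EventCache` parameter goes unused; `damus_state` is not a parameter of `get_zap_target_pubkey` (the neighbouring `process_zap_event` receives it explicitly), so this should be `return events.lookup(etag)?.pubkey` and the caller should pass the cache it already holds. Also worth stating in the comment above the function: when the e-tagged note is not in the cache the new code returns nil instead of falling back to the p tag, which is the safe (fail-closed) direction, but every caller now has to treat nil as "reject the zap" rather than "no target found, try something else".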
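The commit message describes the attack only in words. The following is an added example, not Damus code and not Swift, that models the pre-patch and post-patch target resolution side by side and runs a validation step against a constructed forged receipt. The `Event` class, the dict-based event cache, the `zapper_for` table (standing in for each profile's LNURL `nostrPubkey`) and all identifiers such as `victim`, `attacker` and `note1` are assumptions made for the illustration; the e/p tag layout follows NIP-57 zap receipts.

```python
"""Zap-target resolution for NIP-57 zap receipts, before and after the fix.

Constructed example, not Damus code. Events, the cache and the profile table
are simplified stand-ins for the Swift types referenced in the patch.
"""
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Optional


@dataclass
class Event:
    id: str
    pubkey: str                      # signer; assumed signature-verified upstream
    kind: int
    tags: List[List[str]] = field(default_factory=list)


def event_tag(ev: Event, name: str) -> Optional[str]:
    """First value of the first tag named `name` (mirrors damus' event_tag)."""
    for tag in ev.tags:
        if len(tag) >= 2 and tag[0] == name:
            return tag[1]
    return None


def zap_target_pubkey_old(ev: Event, events: Dict[str, Event]) -> Optional[str]:
    """Pre-patch behaviour: trust whatever p tag the receipt carries."""
    return event_tag(ev, "p")


def zap_target_pubkey_new(ev: Event, events: Dict[str, Event]) -> Optional[str]:
    """Post-patch behaviour: for a note zap (e tag present) the target is the
    author of the cached note, not the p tag. If the note is not cached the
    function fails closed and returns None; the p tag is only consulted for
    profile zaps, which carry no e tag."""
    etag = event_tag(ev, "e")
    if etag is not None:
        cached = events.get(etag)
        return cached.pubkey if cached is not None else None
    return event_tag(ev, "p")


def zap_is_authentic(receipt: Event,
                     events: Dict[str, Event],
                     zapper_for: Dict[str, str],
                     resolve: Callable[[Event, Dict[str, Event]], Optional[str]]) -> bool:
    """A receipt counts only if its signer is the LNURL zapper (nostrPubkey)
    registered for the resolved target. None from `resolve` means reject."""
    target = resolve(receipt, events)
    if target is None:
        return False
    return zapper_for.get(target) == receipt.pubkey


# --- constructed sample data (hypothetical keys and ids) ---
EVENTS: Dict[str, Event] = {
    "note1": Event(id="note1", pubkey="victim", kind=1, tags=[]),
}
ZAPPER_FOR: Dict[str, str] = {        # profile pubkey -> its LNURL zapper pubkey
    "victim": "victim_zapper",
    "attacker": "attacker_zapper",
}
# Attacker's own zapper signs a receipt that e-tags the victim's note but
# p-tags the attacker's profile, whose nostrPubkey the attacker controls.
FORGED_RECEIPT = Event(id="r1", pubkey="attacker_zapper", kind=9735,
                       tags=[["e", "note1"], ["p", "attacker"]])
LEGIT_RECEIPT = Event(id="r2", pubkey="victim_zapper", kind=9735,
                      tags=[["e", "note1"], ["p", "victim"]])
UNCACHED_RECEIPT = Event(id="r3", pubkey="victim_zapper", kind=9735,
                         tags=[["e", "not_in_cache"], ["p", "victim"]])


def demo() -> Dict[str, bool]:
    """Run both resolvers over the sample receipts and report acceptance."""
    return {
        "forged_old": zap_is_authentic(FORGED_RECEIPT, EVENTS, ZAPPER_FOR, zap_target_pubkey_old),
        "forged_new": zap_is_authentic(FORGED_RECEIPT, EVENTS, ZAPPER_FOR, zap_target_pubkey_new),
        "legit_old": zap_is_authentic(LEGIT_RECEIPT, EVENTS, ZAPPER_FOR, zap_target_pubkey_old),
        "legit_new": zap_is_authentic(LEGIT_RECEIPT, EVENTS, ZAPPER_FOR, zap_target_pubkey_new),
        "uncached_new": zap_is_authentic(UNCACHED_RECEIPT, EVENTS, ZAPPER_FOR, zap_target_pubkey_new),
    }


if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name}: {'accepted' if ok else 'rejected'}")
```

The forged receipt passes the old resolver because the attacker chooses the p tag and therefore chooses which profile's nostrPubkey the receipt is checked against; the new resolver derives the target from the signed, cached note instead, so the attacker would need the victim's zapper key. The uncached case shows the fail-closed path that the patch introduces: no cached note, no target, no zap.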
Received on Sunday, 9 July 2023 06:13:49 UTC