I think this one probably deserves its own thread. It was one of the things I had noted down while reviewing the code, but wanted to dig in a bit deeper first.
It could be good to confirm the current behaviour. My understanding of transactions is:
1. For user transactions, the user owns the private keys for their user wallet, but requires the elders of the section storing the wallet to validate the transaction.
2. For section reward transactions, the elders own the private keys for the section wallet, store the section wallet and self-validate the transactions.
For 1, this means the elders can’t spend the user’s tokens, as they can’t fabricate the transaction history. This means the primary attack vector is likely to be double spends, where the attacker controls the user, along with the elders in the section where the wallet resides. I’ll ignore the complexity/feasibility of doing a double spend for now.
For 2, I’d like some confirmation on whether the assertions are true. If true, given elder nodes set the reward amount, colluding elders could potentially drain a section wallet.
Perhaps a layer of indirection for validation would resolve this, in a similar way to user wallets. Maybe elders should only be able to validate reward transactions from other sections. To put it another way, the section wallet is held in a different section. Given a section should only be creating reward transactions, the amounts could be checked during validation.
The section transaction flow would then be similar to a user transaction. To abuse rewards, an attacker would then need to control multiple sections, including both the reward requester and validator sections.
I’m piecing my way through this, so the above assertions and conclusions could be wrong. Perhaps @dirvine could chime in a little?