Description

To prevent generation of more than one note with the same nullifier, functions in contracts other than DarkpoolAssetManager check that the output-note footers have not been used yet and mark them as used. However, functions in DarkpoolAssetManager only check that the note has not been posted so far. It is thus possible to generate multiple notes with the same footer and hence, absent hash collisions, also the same nullifier, as long as the asset or amount differs.

Impact

Via the actions offered by the DarkpoolAssetManager, multiple notes with the same nullifier can be generated as outputs — also across actions, making all but one of the resulting notes unspendable. Precise impact depends on the front-end used. Singularity informed us that the intention for note-footer--reuse checks is to prevent user error, in particular copy-pasting the same footer twice and thereby accidentally making funds unusable. How likely such a user error is to happen with regards to footer reuse across multiple actions when generating proofs for DarkpoolAssetManager function depends on the front-end used and workflows that users follow.

Recommendations

If ensuring on chain that unspendable notes with the the same nullifier cannot be generated by the system is important, consider calculating and exposing the output-note footers in the circuits, and then verifying that they have not been marked used yet, and then marking them used. Note that this will make the output-note footers public where they were not before, so it should be considered whether there are usages in which this impacts privacy.

Remediation

This issue has been acknowledged by Singularity, and fixes were implemented in the following commits:

• 1bdfe703↗
• a8a9968d↗