
fix(lib): ensure issued challenges don't get double-spent#1003

Merged: Xe merged 2 commits into main from Xe/1002-challenge-spent-field on Aug 20, 2025

Conversation

@Xe commented Aug 20, 2025

Contributor

Closes #1002

Anubis operates by issuing a challenge and having the client present a solution for that challenge. Challenges are identified by a unique UUID, which is stored in the database.

The problem is that a challenge could potentially be used twice by a dedicated attacker making a targeted attack against Anubis. Challenge records did not have a "spent" or "used" field. In total, a dedicated attacker could solve a challenge once and reuse that solution across multiple sessions in order to mint additional tokens.

This was fixed by adding a "spent" field to challenges in the data store. When a challenge is solved, that "spent" field gets set to true. If a future attempt to solve this challenge is observed, it gets rejected.

With the advent of store based challenge issuance in #749, this means that these challenge IDs are only good for 30 minutes. Websites using the most recent version of Anubis have limited exposure to this problem.

Websites using older versions of Anubis have a much more increased exposure to this problem and are encouraged to keep this software updated as often and as frequently as possible.

Thanks to @taviso for reporting this issue.

Checklist:

  • Added a description of the changes to the [Unreleased] section of docs/docs/CHANGELOG.md
  • Added test cases to the relevant parts of the codebase
  • Ran integration tests npm run test:integration (unsupported on Windows, please use WSL)
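The "spent" flag check the PR describes, written out as an added example that is not Anubis's own code: a hypothetical in-memory challenge store (the names Store, Issue, Redeem and ChallengeTTL are assumptions) that validates the challenge ID at token-issuance time, flips the flag under a lock so a solution can mint at most one token, and drops IDs older than the 30-minute lifetime the description cites.

```go
package main

import (
	"errors"
	"sync"
	"time"
)

// ChallengeTTL mirrors the 30-minute lifetime the PR cites for store-issued challenges.
const ChallengeTTL = 30 * time.Minute

var ErrUnknownChallenge = errors.New("challenge: unknown id")
var ErrChallengeExpired = errors.New("challenge: expired")
var ErrChallengeSpent = errors.New("challenge: already spent")
// record is a hypothetical challenge row; Spent is the field the PR describes adding.
type record struct {
	IssuedAt time.Time
	Spent    bool
}
// Store is a hypothetical in-memory challenge store, not Anubis's own code.
type Store struct {
	mu   sync.Mutex
	rows map[string]*record
}
func NewStore() *Store { return &Store{rows: map[string]*record{}} }
// Issue records a freshly issued challenge ID as unspent.
func (s *Store) Issue(id string, issuedAt time.Time) {
	s.mu.Lock()
	defer s.mu.Unlock()
	s.rows[id] = &record{IssuedAt: issuedAt}
}

// Redeem checks the ID at token-issuance time and flips Spent under the lock, so one solution mints at most one token.
func (s *Store) Redeem(id string, now time.Time) error {
	s.mu.Lock()
	defer s.mu.Unlock()
	r, ok := s.rows[id]
	if !ok {
		return ErrUnknownChallenge
	}
	if now.Sub(r.IssuedAt) > ChallengeTTL {
		delete(s.rows, id) // drop stale rows instead of keeping them forever
		return ErrChallengeExpired
	}
	if r.Spent {
		return ErrChallengeSpent
	}
	r.Spent = true
	return nil
}
```

The lock around the read-check-write in Redeem is what closes the race: two sessions presenting the same solution at the same instant still see exactly one success.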

Closes #1002

TL;DR: challenge IDs were not validated at time of token issuance. A
dedicated attacker could solve a challenge once and reuse it across
multiple sessions in order to mint additional tokens.

With the advent of store based challenge issuance in #749, this means
that these challenge IDs are only good for 30 minutes. Websites using
the most recent version of Anubis have limited exposure to this problem.

Websites using older versions of Anubis have a much more increased
exposure to this problem and are encouraged to keep this software
updated as often and as frequently as possible.
@Xe Xe self-assigned this Aug 20, 2025
Comment thread docs/docs/CHANGELOG.md Fixed
@Xe Xe force-pushed the Xe/1002-challenge-spent-field branch from 42694a1 to c51dfbd Compare August 20, 2025 16:20
Signed-off-by: Xe Iaso <me@xeiaso.net>
@Xe Xe force-pushed the Xe/1002-challenge-spent-field branch from c51dfbd to 272a2a3 Compare August 20, 2025 16:23
@Xe Xe merged commit 6e4e471 into main Aug 20, 2025
12 checks passed
Successfully merging this pull request may close these issues.

security: Potential Double-Spend Vulnerability

2 participants