Fix how closing_sig is handled after latest changes

[loredanacirstea]

Possible reply attack problem:

From #134 (comment)
"
Biggest issue: verifyBalanceProof

The balanceProof only consist of: _receiver_address, _open_block_number, _balance. There is no information included on what you are signing, only data. The balanceProof is in this contract already used for 2 things. The sender verifies the new balance and the receiver use this to sign it wants to cooperatively close the channel. This is bad and opens a door for potential replay attacks:

• If any other contract just uses this 3 values for something else (unlikely)
• If there are two channels between address1 and address2 in both directions opened on the same block, they can be used vise versa potential with wrong meaning, if this would be implemented where receiver on the cooperative close is the sender.
• !!At the moment, the close request for cooperative close is just a balanceProof signed by the receiver and the receiving address is the receiver, this message is so not tied to any channel (sender, receiver) because it does not include a sender and can be used to close any channel with the given receiver!!
  fix: Include some kind of message id that encodes the meaning, either cooperativeCloseChannel or balanceProof
• there is another contract deployed which has a channel of the same participants at the same block maybe for example for a different token, the signed messages can be used there.
  fix: include the contract address in the signed message
  "

[loredanacirstea]

I do see the (receiver, block, balance) combination reproducible in different (very possible) circumstances:

• another sender (might be the same person, with a differet account)
• another contract
  • as you said, same receiver/service provider uses another contract with a different token
  • another contract version, receiver wants senders to use new version while slowly deprecating the older one (waiting for senders to close channels)
• another network (receiver also deploys on a testnet for testing)

Documenting changes:

The initial logic was closing_sig being balance_msg_sig (sender-signed balance proof) signed by the receiver. This was changed on purpose at some point.

1. Initial logic:

microraiden/contracts/contracts/RaidenMicroTransferChannels.sol

Line 82 in 8d6aac4

function balanceMessageHash(

# balanceMessageHash
return sha3(_receiver, _open_block_number, _balance, address(this));

# closingAgreementMessageHash
return sha3(_balance_msg_sig);

# separate handling for _balance_msg_sig and closing_sig

2. issue that triggered the change: Change closing signature format #52 , where we actually discussed the issue.
   commit that changed the logic (changing from eth_sign to personal_sign): 9c37593#diff-f70d66082794ad8ac4eb9c1e46e17371

3. Logic at the moment:
   https://github.com/raiden-network/microraiden/tree/cf65f648a7747be95d9c8529fb8f8fd069e625fd/contracts#generating-and-validating-a-closing-agreement

balance_message_hex = encode_hex(balance_message)

# balance_message_hex is signed by the Sender with MetaMask / Parity
balance_msg_sig

# balance_message_hex is signed by the Receiver with MetaMask / Parity
closing_sig

[loredanacirstea]

What we want:

• protect from the above scenarios
  • include uRaiden contract address
  • include some info about the sender in _closing_sig
• use something that would not be very different for closing channels through delegates

-> the eth_signedTypedData version of the initial logic works

function cooperativeClose(
        address _receiver_address,
        uint32 _open_block_number,
        uint192 _balance,
        bytes _balance_msg_sig,
        bytes _closing_sig)
        external
    {
        address receiver = ECVerify.ecverify(sha3(_balance_msg_sig) , _closing_sig);
        require(receiver == _receiver_address);

        address sender = verifyBalanceProof(_receiver_address, _open_block_number, _balance, address(this), _balance_msg_sig);
        require(msg.sender == sender);
        settleChannel(sender, receiver, _open_block_number, _balance);
    }