From 791875ddc53ebdf8ddf73147a92d54cdd7f60904 Mon Sep 17 00:00:00 2001
From: Roman Storm
Date: Thu, 1 Aug 2019 00:33:12 -0700
Subject: [PATCH 1/3] fix overflow
---
 package-lock.json | 4 ++--
 package.json | 4 ++--
 test/Mixer.test.js | 39 +++++++++++++++++++++++++++++++++++++--
 3 files changed, 41 insertions(+), 6 deletions(-)
diff --git a/package-lock.json b/package-lock.json
index c36dc44..3572957 100644
--- a/package-lock.json
+++ b/package-lock.json
@@ -6403,8 +6403,8 @@
 }
 },
 "snarkjs": {
- "version": "git+https://github.com/iden3/snarkjs.git#5fe2bd4642ec567c75ad5ac3f73687999c412e73",
- "from": "git+https://github.com/iden3/snarkjs.git#5fe2bd4642ec567c75ad5ac3f73687999c412e73",
+ "version": "git+https://github.com/iden3/snarkjs.git#c428706ef69930e378c31199ff8d66ee13fada85",
+ "from": "git+https://github.com/iden3/snarkjs.git#c428706ef69930e378c31199ff8d66ee13fada85",
 "requires": {
 "big-integer": "^1.6.43",
 "chai": "^4.2.0",
diff --git a/package.json b/package.json
index d35d025..80e9ce0 100644
--- a/package.json
+++ b/package.json
@@ -27,10 +27,10 @@
 "circom": "0.0.30",
 "circomlib": "^0.0.10",
 "dotenv": "^8.0.0",
- "express": "^4.17.1",
 "eslint": "^6.0.1",
+ "express": "^4.17.1",
 "ganache-cli": "^6.4.5",
- "snarkjs": "git+https://github.com/iden3/snarkjs.git#5fe2bd4642ec567c75ad5ac3f73687999c412e73",
+ "snarkjs": "git+https://github.com/iden3/snarkjs.git#c428706ef69930e378c31199ff8d66ee13fada85",
 "truffle": "^5.0.27",
 "truffle-artifactor": "^4.0.23",
 "truffle-contract": "^4.0.24",
diff --git a/test/Mixer.test.js b/test/Mixer.test.js
index 1ae0cf4..687f859 100644
--- a/test/Mixer.test.js
+++ b/test/Mixer.test.js
@@ -220,10 +220,16 @@ contract('Mixer', accounts => {
 })
 it('should prevent double spend', async () => {
+
 const deposit = generateDeposit()
 await tree.insert(deposit.commitment)
 await mixer.deposit(toBN(deposit.commitment.toString()), { value, from: sender })
+ const deposit2 = generateDeposit()
+ await tree.insert(deposit2.commitment)
+ await mixer.deposit(toBN(deposit2.commitment.toString()), { value, from: sender })
+
+
 const { root, path_elements, path_index } = await tree.path(0)
 const input = stringifyBigInts({
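Review bot: `deposit2` is generated, inserted into the tree and deposited, but nothing after those three added lines refers to it, so the second note and the added blank lines are dead setup in a test whose assertions still run against `deposit` only. [PATCH 2/3] of this same series removes exactly these lines again, so squashing the two commits would avoid landing the dead code in history at all. The enclosing `it('should prevent double spend', …)` callback continues past the end of the hunk.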
@@ -236,14 +242,44 @@ contract('Mixer', accounts => {
 pathElements: path_elements,
 pathIndex: path_index,
 })
-
 const proof = await websnarkUtils.genWitnessAndProve(groth16, input, circuit, proving_key)
 const { pi_a, pi_b, pi_c, publicSignals } = websnarkUtils.toSolidityInput(proof)
+ // publicSignals[1] ='0x' + toBN(publicSignals[1]).add(toBN('21888242871839275222246405745257275088548364400416034343698204186575808495617')).toString('hex')
 await mixer.withdraw(pi_a, pi_b, pi_c, publicSignals, { from: relayer }).should.be.fulfilled
 const error = await mixer.withdraw(pi_a, pi_b, pi_c, publicSignals, { from: relayer }).should.be.rejected
 error.reason.should.be.equal('The note has been already spent')
 })
+ it('should prevent double spend with overflow', async () => {
+
+ const deposit = generateDeposit()
+ await tree.insert(deposit.commitment)
+ await mixer.deposit(toBN(deposit.commitment.toString()), { value, from: sender })
+
+ const deposit2 = generateDeposit()
+ await tree.insert(deposit2.commitment)
+ await mixer.deposit(toBN(deposit2.commitment.toString()), { value, from: sender })
+
+
+ const { root, path_elements, path_index } = await tree.path(0)
+
+ const input = stringifyBigInts({
+ root,
+ nullifierHash: pedersenHash(deposit.nullifier.leInt2Buff(32)),
+ nullifier: deposit.nullifier,
+ receiver,
+ fee,
+ secret: deposit.secret,
+ pathElements: path_elements,
+ pathIndex: path_index,
+ })
+ const proof = await websnarkUtils.genWitnessAndProve(groth16, input, circuit, proving_key)
+ const { pi_a, pi_b, pi_c, publicSignals } = websnarkUtils.toSolidityInput(proof)
+ publicSignals[1] ='0x' + toBN(publicSignals[1]).add(toBN('21888242871839275222246405745257275088548364400416034343698204186575808495617')).toString('hex')
+ const error = await mixer.withdraw(pi_a, pi_b, pi_c, publicSignals, { from: relayer }).should.be.rejected
+ error.reason.should.be.equal('verifier-gte-snark-scalar-field')
+ })
+
 it('fee should be less or equal transfer value', async () => {
 const deposit = generateDeposit()
 await tree.insert(deposit.commitment)
@@ -312,7 +348,6 @@ contract('Mixer', accounts => {
 pathElements: path_elements,
 pathIndex: path_index,
 })
-
 const proof = await websnarkUtils.genWitnessAndProve(groth16, input, circuit, proving_key)
 let { pi_a, pi_b, pi_c, publicSignals } = websnarkUtils.toSolidityInput(proof)
 const originalPublicSignals = publicSignals.slice()
From 242a87569baaab6be6918d9d32c368bcc0c412ee Mon Sep 17 00:00:00 2001
From: Roman Storm
Date: Thu, 1 Aug 2019 00:34:22 -0700
Subject: [PATCH 2/3] clean up tests
---
 test/Mixer.test.js | 12 ------------
 1 file changed, 12 deletions(-)
diff --git a/test/Mixer.test.js b/test/Mixer.test.js
index 687f859..16a0b39 100644
--- a/test/Mixer.test.js
+++ b/test/Mixer.test.js
@@ -220,16 +220,10 @@ contract('Mixer', accounts => {
 })
 it('should prevent double spend', async () => {
-
 const deposit = generateDeposit()
 await tree.insert(deposit.commitment)
 await mixer.deposit(toBN(deposit.commitment.toString()), { value, from: sender })
- const deposit2 = generateDeposit()
- await tree.insert(deposit2.commitment)
- await mixer.deposit(toBN(deposit2.commitment.toString()), { value, from: sender })
-
-
 const { root, path_elements, path_index } = await tree.path(0)
 const input = stringifyBigInts({
@@ -251,16 +245,10 @@ contract('Mixer', accounts => {
 })
 it('should prevent double spend with overflow', async () => {
-
 const deposit = generateDeposit()
 await tree.insert(deposit.commitment)
 await mixer.deposit(toBN(deposit.commitment.toString()), { value, from: sender })
- const deposit2 = generateDeposit()
- await tree.insert(deposit2.commitment)
- await mixer.deposit(toBN(deposit2.commitment.toString()), { value, from: sender })
-
-
 const { root, path_elements, path_index } = await tree.path(0)
 const input = stringifyBigInts({
From 9b14a22b0d731aa65f6e43f585bad86d8fc332fc Mon Sep 17 00:00:00 2001
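Review bot: The new 'should prevent double spend with overflow' test hard-codes the scalar-field modulus inline in `publicSignals[1] ='0x' + toBN(publicSignals[1]).add(toBN('21888…617')).toString('hex')`, and the same literal is left behind as a commented-out line in the preceding double-spend test; naming it once at describe scope, `const SNARK_SCALAR_FIELD = toBN('21888242871839275222246405745257275088548364400416034343698204186575808495617')`, with a comment that a signal shifted by the modulus is the same field element to the proof check but a different uint256 to the contract's spent-note check, makes the regression's intent readable. Only index 1 is shifted, yet the expected revert string `verifier-gte-snark-scalar-field` suggests the verifier applies the range check to every public input, so looping over all indices would pin that for root, receiver and fee as well — hedged, since the verifier source is not in this diff. `deposit2` is again unused here (removed in [PATCH 2/3]). The `it(...)` block closes inside the hunk, but the enclosing `contract('Mixer', …)` callback starts and ends outside it.
```javascript
const SNARK_SCALAR_FIELD = toBN('21888242871839275222246405745257275088548364400416034343698204186575808495617')

it('should prevent double spend with overflow', async () => {
  // … unchanged: deposit, tree.path(0), input, genWitnessAndProve …
  const { pi_a, pi_b, pi_c, publicSignals } = websnarkUtils.toSolidityInput(proof)
  // A signal shifted by the modulus is the same field element to the proof
  // check but a different uint256 on-chain, so every index must be rejected.
  for (let i = 0; i < publicSignals.length; i++) {
    const shifted = publicSignals.slice()
    shifted[i] = '0x' + toBN(publicSignals[i]).add(SNARK_SCALAR_FIELD).toString('hex')
    const error = await mixer.withdraw(pi_a, pi_b, pi_c, shifted, { from: relayer }).should.be.rejected
    error.reason.should.be.equal('verifier-gte-snark-scalar-field')
  }
})
```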
From: Roman Storm
Date: Thu, 1 Aug 2019 00:34:59 -0700
Subject: [PATCH 3/3] remove comment
---
 test/Mixer.test.js | 1 -
 1 file changed, 1 deletion(-)
diff --git a/test/Mixer.test.js b/test/Mixer.test.js
index 16a0b39..4a12fdb 100644
--- a/test/Mixer.test.js
+++ b/test/Mixer.test.js
@@ -238,7 +238,6 @@ contract('Mixer', accounts => {
 })
 const proof = await websnarkUtils.genWitnessAndProve(groth16, input, circuit, proving_key)
 const { pi_a, pi_b, pi_c, publicSignals } = websnarkUtils.toSolidityInput(proof)
- // publicSignals[1] ='0x' + toBN(publicSignals[1]).add(toBN('21888242871839275222246405745257275088548364400416034343698204186575808495617')).toString('hex')
 await mixer.withdraw(pi_a, pi_b, pi_c, publicSignals, { from: relayer }).should.be.fulfilled
 const error = await mixer.withdraw(pi_a, pi_b, pi_c, publicSignals, { from: relayer }).should.be.rejected
 error.reason.should.be.equal('The note has been already spent')