Merge pull request #4 from peppersec/fix_overflow

fix overflow

package-lock.json

@@ -6403,8 +6403,8 @@
       }
     },
     "snarkjs": {
-      "version": "git+https://github.com/iden3/snarkjs.git#5fe2bd4642ec567c75ad5ac3f73687999c412e73",
+      "version": "git+https://github.com/iden3/snarkjs.git#c428706ef69930e378c31199ff8d66ee13fada85",
-      "from": "git+https://github.com/iden3/snarkjs.git#5fe2bd4642ec567c75ad5ac3f73687999c412e73",
+      "from": "git+https://github.com/iden3/snarkjs.git#c428706ef69930e378c31199ff8d66ee13fada85",
       "requires": {
         "big-integer": "^1.6.43",
         "chai": "^4.2.0",

package.json

@@ -27,10 +27,10 @@
     "circom": "0.0.30",
     "circomlib": "^0.0.10",
     "dotenv": "^8.0.0",
-    "express": "^4.17.1",
     "eslint": "^6.0.1",
+    "express": "^4.17.1",
     "ganache-cli": "^6.4.5",
-    "snarkjs": "git+https://github.com/iden3/snarkjs.git#5fe2bd4642ec567c75ad5ac3f73687999c412e73",
+    "snarkjs": "git+https://github.com/iden3/snarkjs.git#c428706ef69930e378c31199ff8d66ee13fada85",
     "truffle": "^5.0.27",
     "truffle-artifactor": "^4.0.23",
     "truffle-contract": "^4.0.24",

test/Mixer.test.js

@@ -236,7 +236,6 @@ contract('Mixer', accounts => {
         pathElements: path_elements,
         pathIndex: path_index,
       })
-
       const proof = await websnarkUtils.genWitnessAndProve(groth16, input, circuit, proving_key)
       const { pi_a, pi_b, pi_c, publicSignals } = websnarkUtils.toSolidityInput(proof)
       await mixer.withdraw(pi_a, pi_b, pi_c, publicSignals, { from: relayer }).should.be.fulfilled
@@ -244,6 +243,30 @@ contract('Mixer', accounts => {
       error.reason.should.be.equal('The note has been already spent')
     })
 
+    it('should prevent double spend with overflow', async () => {
+      const deposit = generateDeposit()
+      await tree.insert(deposit.commitment)
+      await mixer.deposit(toBN(deposit.commitment.toString()), { value, from: sender })
+
+      const { root, path_elements, path_index } = await tree.path(0)
+
+      const input = stringifyBigInts({
+        root,
+        nullifierHash: pedersenHash(deposit.nullifier.leInt2Buff(32)),
+        nullifier: deposit.nullifier,
+        receiver,
+        fee,
+        secret: deposit.secret,
+        pathElements: path_elements,
+        pathIndex: path_index,
+      })
+      const proof = await websnarkUtils.genWitnessAndProve(groth16, input, circuit, proving_key)
+      const { pi_a, pi_b, pi_c, publicSignals } = websnarkUtils.toSolidityInput(proof)
+      publicSignals[1] ='0x' + toBN(publicSignals[1]).add(toBN('21888242871839275222246405745257275088548364400416034343698204186575808495617')).toString('hex')
+      const error = await mixer.withdraw(pi_a, pi_b, pi_c, publicSignals, { from: relayer }).should.be.rejected
+      error.reason.should.be.equal('verifier-gte-snark-scalar-field')
+    })
+
     it('fee should be less or equal transfer value', async () => {
       const deposit = generateDeposit()
       await tree.insert(deposit.commitment)
@@ -312,7 +335,6 @@ contract('Mixer', accounts => {
         pathElements: path_elements,
         pathIndex: path_index,
       })
-
       const proof = await websnarkUtils.genWitnessAndProve(groth16, input, circuit, proving_key)
       let { pi_a, pi_b, pi_c, publicSignals } = websnarkUtils.toSolidityInput(proof)
       const originalPublicSignals = publicSignals.slice()