**Description:**
In this challenge we are given a multisig protocol that supports three actions: $addMember, delMember, transfer$. To perform any of them, the participants have to submit exactly 6 signatures (a hard-coded constant). From the scheme provided on the website, the signature generation process for participant $i$ is as follows:
$d_i$ -- private key
$a_i = d_i*G$
$func = \{ add, del, transfer \}$
$M = Hash(func|arg_1|...|arg_n)$
$r_i = Hash(d_i|M)$
$R_i = r_iG$
Then, participants sum up their values:
$R_M = \sum{R_i}$
$A_T = \sum{a_i}$
Next, they start to generate signatures:
$C_M = Hash(R_M|A_T|M)$
$s_i = $
Finally, all these signatures are submitted to the contract together with the corresponding nonce points ($R_i$) and public keys ($a_i$).
**Batch signature verification process:**
$R = \sum{R_i}$
$A = \sum{a_i}$
$S = \sum{s_i}$
NOTE: $R$ and $A$ are computed with elliptic curve point addition, since the submitted nonces $R_i$ and public keys $a_i$ are curve points.
$nonceHash = Hash(R_x|R_y)$
The contract also asserts that this nonce hash has not been used before.
Finally, we validate our signatures in batch by checking the following equation:
$S*G = A*C_M + R$
NOTE: $C_M$ can be calculated in the contract as we have all the data we need.
If this equation holds, batch verification succeeds; otherwise the contract reverts the transaction.
**Solution:**
To get the flag we need to be one of the multisig participants. There are two ways to achieve this:
1. Submit an $addMember$ action to the contract to become a member. But this requires 6 approval signatures, which is not that easy to get.
2. Impersonate one of the existing members and pass the website authorization. To do this, we need to obtain the private key of one of the participants in order to sign the authorization request.
$A*c + R = s*G$
$\sum pub_i*c + \sum nonce_i = \sum s_i*G$
For two signatures produced by one member with the same nonce (possible here because $r_i = Hash(d_i|M)$ depends only on the key and the message, while $c$ also depends on $R_M$ and $A_T$):
$sk*c_1*G + nonce = s_1*G$
$sk*c_2*G + nonce = s_2*G$
$sk*c_1 - sk*c_2 = s_1 - s_2$
$sk = (s_1 - s_2) * (c_1 - c_2)^{-1}$ (all arithmetic modulo the curve order)
$pubkey = sk*G$
$address = last20bytes(keccak256(pubkey.x|pubkey.y))$
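The following is an added example (not code from the challenge or the write-up) that models the scheme above in pure Python over secp256k1: every member signs the same message hash, the contract-side batch check $S*G = A*C_M + R$ is evaluated, and the nonce-reuse recovery $sk = (s_1 - s_2)(c_1 - c_2)^{-1}$ is carried out. The signing equation $s_i = r_i + d_i C_M$ is an assumption reconstructed from the verification equation, sha256 stands in for the contract's hash, and the keys, message and the "two batches with one overlapping member" scenario are constructed for the demonstration.

```python
import hashlib

# secp256k1 parameters
P = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEFFFFFC2F
N = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141
G = (0x79BE667EF9DCBBAC55A06295CE870B07029BFCDB2DCE28D959F2815B16F81798,
     0x483ADA7726A3C4655DA4FBFC0E1108A8FD17B448A68554199C47D08FFB10D4B8)


def ec_add(p, q):
    """Affine point addition; None is the point at infinity."""
    if p is None:
        return q
    if q is None:
        return p
    if p[0] == q[0] and (p[1] + q[1]) % P == 0:
        return None
    if p == q:
        lam = 3 * p[0] * p[0] * pow(2 * p[1], -1, P) % P
    else:
        lam = (q[1] - p[1]) * pow(q[0] - p[0], -1, P) % P
    x = (lam * lam - p[0] - q[0]) % P
    return (x, (lam * (p[0] - x) - p[1]) % P)


def ec_mul(k, p):
    """Double-and-add scalar multiplication."""
    acc = None
    k %= N
    while k:
        if k & 1:
            acc = ec_add(acc, p)
        p = ec_add(p, p)
        k >>= 1
    return acc


def ec_sum(points):
    acc = None
    for pt in points:
        acc = ec_add(acc, pt)
    return acc


def H(*parts):
    """Hash(a|b|...) reduced to a scalar mod N (sha256 stands in for the contract hash)."""
    return int.from_bytes(hashlib.sha256(b"|".join(parts)).digest(), "big") % N


def b32(x):
    return x.to_bytes(32, "big")


def pt_bytes(pt):
    return b32(pt[0]) + b32(pt[1])


def challenge(R_M, A_T, M):
    # C_M = Hash(R_M | A_T | M)
    return H(pt_bytes(R_M), pt_bytes(A_T), b32(M))


def sign_batch(keys, M):
    """All members in `keys` sign message hash M; returns (R_i list, a_i list, s_i list, C_M)."""
    r = [H(b32(d), b32(M)) for d in keys]              # r_i = Hash(d_i | M): fixed per key and message
    R = [ec_mul(ri, G) for ri in r]                    # R_i = r_i * G
    A = [ec_mul(d, G) for d in keys]                   # a_i = d_i * G
    c = challenge(ec_sum(R), ec_sum(A), M)             # C_M depends on who else is in the batch
    s = [(ri + d * c) % N for ri, d in zip(r, keys)]   # assumed: s_i = r_i + d_i * C_M
    return R, A, s, c


def batch_verify(R, A, s, M):
    """Contract-side check: S*G == A*C_M + R over the summed points and scalars."""
    R_sum, A_sum = ec_sum(R), ec_sum(A)
    c = challenge(R_sum, A_sum, M)
    lhs = ec_mul(sum(s) % N, G)
    rhs = ec_add(ec_mul(c, A_sum), R_sum)
    return lhs == rhs


def recover_key(s1, s2, c1, c2):
    """sk = (s_1 - s_2) * (c_1 - c_2)^-1 mod N; only meaningful if both s share a nonce."""
    return (s1 - s2) * pow((c1 - c2) % N, -1, N) % N


def demo():
    # Constructed keys: seven members, six of whom sign each batch.
    keys = [H(b"member", bytes([i])) for i in range(7)]
    M = H(b"transfer", b"recipient", b"amount")         # the same message in both batches
    batch1 = sign_batch(keys[:6], M)                    # members 0..5
    batch2 = sign_batch(keys[1:7], M)                   # members 1..6: A_T and R_M (and so C_M) differ
    ok1 = batch_verify(batch1[0], batch1[1], batch1[2], M)
    ok2 = batch_verify(batch2[0], batch2[1], batch2[2], M)
    # Member 1 is in both batches: same r_1, different C_M -> private key leaks.
    s1, c1 = batch1[2][1], batch1[3]
    s2, c2 = batch2[2][0], batch2[3]
    return ok1, ok2, recover_key(s1, s2, c1, c2), keys[1]
```

Running `demo()` shows both batches passing the contract's check while the overlapping member's key is recovered exactly. The nonce-hash replay check on the summed $R$ does not help here because the two batches have different $R_M$; the root cause is that the per-member nonce derivation $Hash(d_i|M)$ omits the inputs ($R_M$, $A_T$) that the challenge depends on. The address step from the write-up needs keccak256 (e.g. from pycryptodome or eth-hash), not `hashlib.sha3_256`, so it is left out of the model.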