# Security Analysis of Summa's Proof of Solvency Protocol

[TOC]

## Definitions

### Parties in a PoL$^{[1]}$ scheme

- The exchange $\mathcal{P}$, in the prover role.
- The exchange's customers $\mathcal{U} = \{u_1, u_2, \cdots, u_n\}$, in the verifier role.

$\mathcal{P}$ publishes a **commitment** to a liabilities dataset $L$ on a public bulletin board such as a blockchain. On a query from user $u_i$, $\mathcal{P}$ proves that the user's balance with the exchange is indeed part of $L$.

A PoL (Proof of Liabilities) scheme should ensure:

- *Security*: $\mathcal{P}$ cannot "hide" or "understate" its liabilities (note that $\mathcal{P}$ has no incentive to overstate its total liabilities).
- *Privacy*: A user $u_i$ learns nothing from its proof beyond the fact that its account balance is included in $L$ (e.g. the total number of clients, other users' balances, etc.).

### MST$^{[2]}$

For a node:

- `HL` stands for `Hash of Left child`
- `BL` stands for `Balance of Left child`
- `HR` stands for `Hash of Right child`
- `BR` stands for `Balance of Right child`

Merkle Sum Tree: the node's hash is `H(HL, BL, HR, BR)` and the node's balance is `BL + BR`. Each child's balance is bound individually into the parent hash.

![image](https://hackmd.io/_uploads/ByG5ktitp.png)

Broken Merkle Sum Tree: the node's hash is `H(BL + BR, HL, HR)` and the node's balance is `BL + BR`. Only the sum of the children's balances is hashed together with the two child hashes; how that sum splits between `BL` and `BR` is not committed.

![image](https://hackmd.io/_uploads/HktFLKsFa.png)

## Threat Model Analysis

Why is the second one called a Broken MST?

![image](https://hackmd.io/_uploads/Sy-yicsFT.png)

Verifier $u_i$ does not know the true balances of its sibling nodes; it only checks that its own balance plus the sibling balance reported by the exchange hashes to the committed node. In the Broken MST that hash binds only the sum, so $\mathcal{P}$ can set `node.balance = max(BL, BR)` instead of `node.balance = BL + BR` and still hand each of the two users under that node a proof that verifies: the user on the larger side is told the sibling holds `0`, and the user on the smaller side is told the sibling holds `max(BL, BR)` minus its own balance. The committed total is thereby understated while every individual proof passes. As shown in Figure 3 above, the exchange $\mathcal{P}$ can deceive Alice by constructing the balance of leaf2 as `v2 = 5` and the balance of node6 as `v6 = 0`.

## Summa's Implementation

Initially, Summa used the MST; then, in [pr#188](https://github.com/summa-dev/summa-solvency/pull/188), it switched to the Broken MST.
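The understatement attack on the Broken MST, worked through in code. This is an added example and not code from Summa or from the cited paper; it assumes SHA-256 as a stand-in for the hash `H` (Summa uses Poseidon, but any collision-resistant hash shows the same binding issue) and uses a constructed set of four users. It builds the same four-leaf tree under both node rules, lets the exchange "understate" by committing `max(BL, BR)` at every node, hands each user the proof a cheating exchange would produce, and shows that all four proofs verify under the Broken MST rule while the committed total drops from 14 to 5; under the correct MST rule the same forgery is caught by three of the four users.

```python
import hashlib

# Constructed sample data: four users and their true balances (total 14).
USERS = [("alice", 5), ("bob", 3), ("carol", 4), ("dave", 2)]


def H(*parts):
    """Stand-in for the page's H: SHA-256 over delimited reprs of the inputs.
    Summa uses Poseidon; this assumption only keeps the example dependency-free."""
    h = hashlib.sha256()
    for p in parts:
        h.update(repr(p).encode())
        h.update(b"\x00")
    return h.hexdigest()


def leaf(username, balance):
    """Leaf node: (hash, balance). The balance is bound into the leaf hash."""
    return (H("leaf", username, balance), balance)


def mst_parent(left, right):
    """Merkle Sum Tree: hash = H(HL, BL, HR, BR), balance = BL + BR."""
    (hl, bl), (hr, br) = left, right
    return (H(hl, bl, hr, br), bl + br)


def broken_parent(left, right):
    """Broken MST: hash = H(BL + BR, HL, HR), balance = BL + BR.
    Only the sum is hashed, so the split between BL and BR is not committed."""
    (hl, bl), (hr, br) = left, right
    return (H(bl + br, hl, hr), bl + br)


def build(leaves, parent, understate=False):
    """Build all tree levels (level 0 = leaves, last level = [root]).
    With understate=True the exchange cheats at every node: it zeroes the
    smaller child's balance before hashing, so the node commits to
    max(BL, BR) instead of BL + BR."""
    levels = [list(leaves)]
    while len(levels[-1]) > 1:
        row, nxt = levels[-1], []
        for i in range(0, len(row), 2):
            lnode, rnode = row[i], row[i + 1]
            if understate:
                (hl, bl), (hr, br) = lnode, rnode
                if bl >= br:
                    rnode = (hr, 0)
                else:
                    lnode = (hl, 0)
            nxt.append(parent(lnode, rnode))
        levels.append(nxt)
    return levels


def prove(levels, index):
    """Inclusion proof handed to the user at leaf `index`: per level,
    (sibling hash, sibling balance, sibling_is_left). The exchange reports
    whatever sibling balance makes the sum equal the committed node balance;
    for an honestly built tree that is exactly the true sibling balance."""
    proof, running = [], levels[0][index][1]
    for depth in range(len(levels) - 1):
        sib = index ^ 1
        sib_hash = levels[depth][sib][0]          # true sibling hash is always sent
        node_bal = levels[depth + 1][index // 2][1]
        proof.append((sib_hash, node_bal - running, sib % 2 == 0))
        running, index = node_bal, index // 2
    return proof


def verify(leaf_node, proof, root, parent):
    """User-side check: recompute the path to the root with the given node
    rule and compare both the root hash and the committed total."""
    node = leaf_node
    for sib_hash, sib_bal, sib_is_left in proof:
        sib = (sib_hash, sib_bal)
        node = parent(sib, node) if sib_is_left else parent(node, sib)
    return node == root


def audit(parent, understate):
    """Build a tree with `parent`, give every user a proof, and return
    (committed total, [proof verified for each user in USERS order])."""
    leaves = [leaf(u, b) for u, b in USERS]
    levels = build(leaves, parent, understate)
    root = levels[-1][0]
    verdicts = [verify(leaves[i], prove(levels, i), root, parent)
                for i in range(len(USERS))]
    return root[1], verdicts


if __name__ == "__main__":
    true_total = sum(b for _, b in USERS)
    for name, rule in (("MST", mst_parent), ("Broken MST", broken_parent)):
        for cheat in (False, True):
            total, ok = audit(rule, cheat)
            print(f"{name:10s} understate={cheat!s:5s} committed={total:2d} "
                  f"true={true_total} proofs verify={ok}")
```

The interesting row is `Broken MST understate=True`: the root commits a total of 5 against true liabilities of 14, and every user's proof still verifies, which is exactly the failure of the *Security* property defined above. Under `mst_parent` the same forged tree is rejected by bob, carol and dave, because their parent hashes bind the zeroed balance the exchange substituted for theirs; alice alone (the larger child at every level) still verifies, which is why a single satisfied user is no evidence of solvency.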
## Mitigation and Vulnerability Analysis

## References

1. Broken Proofs of Solvency in Blockchain Custodial Wallets and Exchanges, https://www.yji.me/publication/pol-attacks/pol-attacks.pdf
2. GitHub issue: Merkle Sum Tree Efficiency Improvement, https://github.com/summa-dev/summa-solvency/issues/166