Fix fake note zaps with forged p-tags

This fixes a zap issue where someone could send a fake zap with a zapper that doesn't match the user's nostrPubkey zapper. This is possible because damus looks up the zapper via the ptag on note zaps. Fix this by first looking up the cached event's ptag instead. This prevents zappers from trying to trick Damus into picking the wrong zapper. Fixes: #1357 Changelog-Fixed: Fix issue where malicious zappers can send fake zaps to another user's posts Reported-by: benthecarman <benthecarman@live.com> Cc: Tony Giorgio <tonygiorgio@protonmail.com>
2023-07-08 21:15:11 -07:00
parent 1be2a9e1b1
commit 6031fe0847
1 changed files with 12 additions and 2 deletions
--- a/damus/Models/HomeModel.swift
+++ b/damus/Models/HomeModel.swift
@@ -1238,11 +1238,21 @@ enum ProcessZapResult {

 func process_zap_event(damus_state: DamusState, ev: NostrEvent, completion: @escaping (ProcessZapResult) -> Void) {
    // These are zap notifications
-    guard let ptag = event_tag(ev, name: "p") else {
+    let etag = event_tag(ev, name: "e")
+
+    var ptag: String? = nil
+    if let etag {
+        // we can't trust the p tag on note zaps because they can be faked
+        ptag = damus_state.events.lookup(etag)?.pubkey
+    } else {
+        ptag = event_tag(ev, name: "p")
+    }
+
+    guard let ptag else {
        completion(.failed)
        return
    }
-    
+
    // just return the zap if we already have it
    if let zap = damus_state.zaps.zaps[ev.id], case .zap(let z) = zap {
        completion(.already_processed(z))