fix(crypto): ensure only one signature per participant

__tests__/helpers/transaction-factory.ts

@@ -76,7 +76,7 @@ export class TransactionFactory {
             factory.withPassphraseList(passphrases);
         }
 
-        factory.builder.senderPublicKey(participants[0]);
+        factory.withSenderPublicKey(participants[0]);
         return factory;
     }
 
@@ -306,8 +306,6 @@ export class TransactionFactory {
                 this.builder.expiration(this.expiration);
             }
 
-            this.builder.senderPublicKey(this.senderPublicKey);
-
             let sign: boolean = true;
             if (this.passphraseList && this.passphraseList.length) {
                 sign = this.builder.constructor.name === "MultiSignatureBuilder";

__tests__/unit/core-transactions/handler.test.ts

@@ -3,7 +3,7 @@ import "jest-extended";
 import { State, TransactionPool } from "@arkecosystem/core-interfaces";
 import { Wallets } from "@arkecosystem/core-state";
 import { formatTimestamp } from "@arkecosystem/core-utils";
-import { Crypto, Identities, Interfaces, Managers, Transactions, Utils } from "@arkecosystem/crypto";
+import { Crypto, Errors, Identities, Interfaces, Managers, Transactions, Utils } from "@arkecosystem/crypto";
 import {
     AlreadyVotedError,
     HtlcLockExpiredError,
@@ -630,6 +630,63 @@ describe("MultiSignatureRegistrationTransaction", () => {
             );
         });
 
+        it("should throw if the same participant provides multiple signatures", async () => {
+            const passphrases = ["secret1", "secret2", "secret3"];
+            const participants = [
+                Identities.PublicKey.fromPassphrase(passphrases[0]),
+                Identities.PublicKey.fromPassphrase(passphrases[1]),
+                Identities.PublicKey.fromPassphrase(passphrases[2]),
+            ];
+
+            const participantWallet = walletManager.findByPublicKey(participants[0]);
+            participantWallet.balance = Utils.BigNumber.make(1e8 * 100);
+
+            const multSigRegistration = TransactionFactory.multiSignature(participants)
+                .withPassphrase(passphrases[0])
+                .withPassphraseList(passphrases)
+                .build()[0];
+
+            const multiSigWallet = walletManager.findByPublicKey(
+                Identities.PublicKey.fromMultiSignatureAsset(multSigRegistration.data.asset.multiSignature),
+            );
+
+            await expect(
+                handler.throwIfCannotBeApplied(multSigRegistration, participantWallet, walletManager),
+            ).toResolve();
+
+            expect(multiSigWallet.hasMultiSignature()).toBeFalse();
+
+            await handler.apply(multSigRegistration, walletManager);
+
+            expect(multiSigWallet.hasMultiSignature()).toBeTrue();
+
+            multiSigWallet.balance = Utils.BigNumber.make(1e8 * 100);
+
+            const transferBuilder = Transactions.BuilderFactory.transfer()
+                .recipientId(multiSigWallet.address)
+                .nonce("1")
+                .amount("100")
+                .senderPublicKey(multiSigWallet.publicKey);
+
+            // Different valid signatures of same payload and private key
+            const signatures = [
+                "774b430573285f09bd8e61bf04582b06ef55ee0e454cd0f86b396c47ea1269f514748e8fb2315f2f0ce4bb81777ae673d8cab44a54a773f3c20cb0c754fd67ed",
+                "dfb75f880769c3ae27640e1214a7ece017ddd684980e2276c908fe7806c1d6e8ceac47bb53004d84bdac22cdcb482445c056256a6cd417c5dc973d8266164ec0",
+                "64233bb62b694eb0004e1d5d497b0b0e6d977b3a0e2403a9abf59502aef65c36c6e0eed599d314d4f55a03fc0dc48f0c9c9fd4bfab65e5ac8fe2a5c5ac3ed2ae",
+            ];
+
+            // All verify with participants[0]
+            transferBuilder.data.signatures = [];
+            for (const signature of signatures) {
+                transferBuilder.data.signatures.push(`${Utils.numberToHex(0)}${signature}`);
+            }
+
+            expect(() => transferBuilder.build()).toThrow(Errors.DuplicateParticipantInMultiSignatureError);
+            expect(() => multiSigWallet.verifySignatures(transferBuilder.getStruct())).toThrow(
+                Errors.DuplicateParticipantInMultiSignatureError,
+            );
+        });
+
         it("should throw if wallet has insufficient funds", async () => {
             senderWallet.forgetAttribute("multiSignature");
             senderWallet.balance = Utils.BigNumber.ZERO;

packages/core-state/src/wallets/wallet.ts

@@ -1,6 +1,14 @@
 import { State } from "@arkecosystem/core-interfaces";
 import { Errors, Handlers } from "@arkecosystem/core-transactions";
-import { Crypto, Enums, Identities, Interfaces, Transactions, Utils } from "@arkecosystem/crypto";
+import {
+    Crypto,
+    Enums,
+    Errors as CryptoErrors,
+    Identities,
+    Interfaces,
+    Transactions,
+    Utils,
+} from "@arkecosystem/crypto";
 import assert from "assert";
 import dottie from "dottie";
 
@@ -122,11 +130,19 @@ export class Wallet implements State.IWallet {
             excludeMultiSignature: true,
         });
 
+        const publicKeyIndexes: { [index: number]: boolean } = {};
         let verified: boolean = false;
         let verifiedSignatures: number = 0;
         for (let i = 0; i < signatures.length; i++) {
             const signature: string = signatures[i];
             const publicKeyIndex: number = parseInt(signature.slice(0, 2), 16);
+
+            if (!publicKeyIndexes[publicKeyIndex]) {
+                publicKeyIndexes[publicKeyIndex] = true;
+            } else {
+                throw new CryptoErrors.DuplicateParticipantInMultiSignatureError();
+            }
+
             const partialSignature: string = signature.slice(2, 130);
             const publicKey: string = publicKeys[publicKeyIndex];
 

packages/crypto/src/errors.ts

@@ -153,3 +153,9 @@ export class InvalidMultiSignatureAssetError extends CryptoError {
         super(`The multi signature asset is invalid.`);
     }
 }
+
+export class DuplicateParticipantInMultiSignatureError extends CryptoError {
+    constructor() {
+        super(`Invalid multi signature, because duplicate participant found.`);
+    }
+}

packages/crypto/src/transactions/deserializer.ts

@@ -1,6 +1,10 @@
 import ByteBuffer from "bytebuffer";
 import { TransactionType, TransactionTypeGroup } from "../enums";
-import { MalformedTransactionBytesError, TransactionVersionError } from "../errors";
+import {
+    DuplicateParticipantInMultiSignatureError,
+    MalformedTransactionBytesError,
+    TransactionVersionError,
+} from "../errors";
 import { Address } from "../identities";
 import { IDeserializeOptions, ITransaction, ITransactionData } from "../interfaces";
 import { BigNumber, isSupportedTansactionVersion } from "../utils";
@@ -147,9 +151,18 @@ class Deserializer {
             if (buf.remaining() % 65 === 0) {
                 transaction.signatures = [];
 
-                const count = buf.remaining() / 65;
+                const count: number = buf.remaining() / 65;
+                const publicKeyIndexes: { [index: number]: boolean } = {};
                 for (let i = 0; i < count; i++) {
-                    const multiSignaturePart = buf.readBytes(65).toString("hex");
+                    const multiSignaturePart: string = buf.readBytes(65).toString("hex");
+                    const publicKeyIndex: number = parseInt(multiSignaturePart.slice(0, 2), 16);
+
+                    if (!publicKeyIndexes[publicKeyIndex]) {
+                        publicKeyIndexes[publicKeyIndex] = true;
+                    } else {
+                        throw new DuplicateParticipantInMultiSignatureError();
+                    }
+
                     transaction.signatures.push(multiSignaturePart);
                 }
             } else {

packages/crypto/src/transactions/factory.ts

@@ -1,5 +1,10 @@
 // tslint:disable:member-ordering
-import { MalformedTransactionBytesError, TransactionSchemaError, TransactionVersionError } from "../errors";
+import {
+    DuplicateParticipantInMultiSignatureError,
+    MalformedTransactionBytesError,
+    TransactionSchemaError,
+    TransactionVersionError,
+} from "../errors";
 import {
     IDeserializeOptions,
     ISerializeOptions,
@@ -85,7 +90,11 @@ export class TransactionFactory {
 
             return transaction;
         } catch (error) {
-            if (error instanceof TransactionVersionError || error instanceof TransactionSchemaError) {
+            if (
+                error instanceof TransactionVersionError ||
+                error instanceof TransactionSchemaError ||
+                error instanceof DuplicateParticipantInMultiSignatureError
+            ) {
                 throw error;
             }
 

packages/crypto/src/transactions/types/schemas.ts

@@ -166,6 +166,7 @@ export const multiSignature = extend(transactionBaseSchema, {
                             minItems: 1,
                             maxItems: 16,
                             additionalItems: false,
+                            uniqueItems: true,
                             items: { $ref: "publicKey" },
                         },
                     },