[E-Lang] ERTP-aware MintMaker

hal@finney.org
Wed, 14 Feb 2001 08:34:15 -0800

Here are a couple of other potential problems.

>                 to depositAll(src) :any { 
>                     def assay := issuer vouch(src.assay)
>                     assay transfer(src,Purse)
>                     assay
>                 }

This is supposed to transfer all the contents from the src purse into
this one.  However I think you can trick it into transferring less than
the whole contents.

src could be a bogus purse which wraps a legitimate one.  It would still
implement getAssay to return a legitimate assay, but with less than the
total amount in the legitimate purse.  Then for the assay transfer to
work, src would implement getSealed to return the legit purse.  But since
the amount in the assay is wrong, not all the data will be transferred.

Another minor problem comes from using the same sealer for both purses
and assays:

>                 to transfer(var src,var dest) { 
>                     src := issuer vouch(src)
>                     dest := issuer vouch(dest)
>                     unsealer unseal(src.decr)(quantity)
>                     unsealer unseal(dest.incr)(quantity)
>                 }

You could pass one of src or dest as an assay rather than a purse, and
the first vouches would work.  However the calls to getDecr or getIncr
will fail.  Wisely, the code does the Decr before the Incr.  If it were
the other way around you could increment a purse and then have it fail
on the decrement, making money illegitimately.

However even with it this way, you can decrement a purse and then have it
fail on the increment.  This is not a very appealing fraud since it throws
money away.  However it might be said to violate a desirable property
of the mint system, which is conservation of money supply under transfers.

I'm not sure this is really any worse than just putting some money into
a purse and then forgetting about it, but it would be nice to fix it.

A fix would be to use a different sealer/unsealer pair for purses
than for assays.  You could then replace vouch with vouchForPurse and
vouchForAssay.  You could also use a third sealer/unsealer for Incr/Decr,
which I think would fix the problem Mark found yesterday where vouch was
used to unseal an Incr.
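The non-atomic transfer and the separate-sealer fix discussed above, as an added Python model (not the E code from the thread): Brand stands in for a sealer/unsealer pair, vouch is modelled as unsealing with the purse sealer, and the class and function names are my own. With one shared sealer the assay passes the vouch, src is decremented, and the incr on dest fails, so money vanishes; with separate sealers the vouch rejects the assay before anything is decremented.

```python
class Brand:
    """A sealer/unsealer pair: only this brand can unseal what it sealed."""
    def __init__(self, name):
        self.name = name
    def seal(self, value):
        return (self, value)
    def unseal(self, box):
        if not (isinstance(box, tuple) and len(box) == 2 and box[0] is self):
            raise PermissionError(f"not sealed by the {self.name} sealer")
        return box[1]

class Purse:
    def __init__(self, brand, balance):
        self.balance = balance
        self.sealed = brand.seal(self)  # what vouch unseals to reach the real purse
    def decr(self, quantity):
        if quantity > self.balance:
            raise ValueError("insufficient funds")
        self.balance -= quantity
    def incr(self, quantity):
        self.balance += quantity

class Assay:
    """A sealed claim about a quantity; it has no incr/decr, as the post notes."""
    def __init__(self, brand, quantity):
        self.quantity = quantity
        self.sealed = brand.seal(self)

def transfer(purse_brand, src, dest, quantity):
    """Same order as the quoted E code: vouch both, then decr src, then incr dest."""
    real_src = purse_brand.unseal(src.sealed)
    real_dest = purse_brand.unseal(dest.sealed)
    real_src.decr(quantity)
    real_dest.incr(quantity)

def demo(separate_brands):
    """Pass an assay as dest. Returns (supply before, supply after, exception name)."""
    purse_brand = Brand("purse")
    assay_brand = Brand("assay") if separate_brands else purse_brand  # shared = the flaw
    alice, bob = Purse(purse_brand, 100), Purse(purse_brand, 0)  # constructed balances
    before, failure = alice.balance + bob.balance, None
    try:
        transfer(purse_brand, alice, Assay(assay_brand, 30), 30)
    except Exception as exc:  # AttributeError after decr, or PermissionError before it
        failure = type(exc).__name__
    return before, alice.balance + bob.balance, failure
```

demo(False) models the quoted code and shows the supply dropping from 100 to 70; demo(True) models the vouchForPurse/vouchForAssay fix and keeps the supply at 100.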