make a "Voucher" contract

Question

make a "Voucher" contract

Closed this issue 7 years ago · 3 comments

This contract holds some PTI and a list of vouchers. On sending he voucher to the contract, it should invalidate the voucher and transfer the correspondign PTI.

Precisely:

The contract is Owned
The owner can call registerVoucher(hashOfVoucher, amountOfPTI)
The owner can call invalidateVoucher(hashOfVoucer)
Anyone can call redeemVoucher(voucher). A call to this function will
- check if hash(voucher) equals hashOfVoucher
- if the check passes, invalidate the voucher and send the PTI to the addressee

There is one security problem here - the person who calls redeemVoucher is sending the voucher in the clear, so an attacker could intercept the transaction, read the voucher, and claim the PTI himself.

Answer 1 · 2018-02-06T14:37:24.000Z

(we can, perhaps, just ignore the security problem, but it would be nice to fid a solution for it)

Answer 2 · 2018-02-07T10:39:30.000Z

The following article by matthew ferrante describes exactly our problem (he calls it "frontrunning") and a solution ("blinded commitments"). https://medium.com/@matthewdif/mechanism-design-security-in-smart-contracts-87f08555b38b

We are not going to implement that solution :-)

Answer 3 · 2018-02-07T18:00:58.000Z

Voucher.sol is there and (slightly) tested