[Calypso] LTSID not checked on the Write contract

[nkcr]

The write contract gets an LTSID upon creation, which should correspond to a valid InstanceID of an LTS smart contract instance. This LTSID is used for the ZKP and during the decryption process, to get the roster. This LTSID is actually never checked. One could indeed use any other value, with the following consequences:

• The ZKP checks fails, in case the client is using the real LTSID. But it would pass if the client uses the same wrong LTSID
• The decryption process fails, because the service can't retrieve the roster. Hopefully this case is handled and won't make the system crash (+1).

[nkcr]

Some pointers:

• Where I would expect a check:

  cothority/calypso/contracts.go

  Line 74 in 3b1a235

  }

• Use of the LTSID in the ZKP:

  cothority/calypso/struct.go

  Line 78 in 3b1a235

  gBar := suite.Point().Embed(wr.LTSID.Slice(), keccak.New(wr.LTSID.Slice()))

• Use of the LTSID to get the roster:

  cothority/calypso/service.go

  Line 549 in 3b1a235

  roster := s.storage.Rosters[id]

[ineiti]

Thanks for the bug report. Are you actively using the Calypso module in a project?

For your two cases:

1. That's how the system is supposed to work. The LTSID must be respected, even if it doesn't exist - it also might've been deleted in the meantime
2. As you point out, the calypso/service.go returns an error if it cannot find the LTSID

[nkcr]

No not really, but we are porting some of it to Dela, which is how I came to discover this bug.

[ineiti]

Cool - looking forward to it! Don't forget to ask us to run a node if you decide to have a long-time DELA network running!