Replying to The Fishcake (nostr.build)

I think the main problem lies (and I am speculating here since I just woke up and didn't check the NIPs yet) in how the event is signed and verified. I think it allowed an attacker (a somewhat good one in this case) to manipulate the type of the event and potentially some tags. This means that they could have taken any events that are stored on a relay and changed what they could without breaking the signature. Then anything like spam reports, emotions, etc., could be converted into a DM or a normal note. It's possible some other method was used, but that's the best I could imagine in my sleep without checking how it actually is. 🐶🐾🫡

The Fishcake (nostr.build) 2y ago

Ok, I was wrong. The event ID (which is the sha256 of the public key, created_at, kind, tags, and content) is signed by the private key. The only thing I can think of is that the signature is not verified by the client. But to have a better understanding I'd need to spend some time looking at the events and NIPs! 🐶🐾🫡
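The check the post above describes, as an added example that is not part of the thread: recompute the NIP-01 event id (sha256 over the compact JSON array `[0, pubkey, created_at, kind, tags, content]`) and compare it with the id the event claims, so an event whose kind or tags were edited after signing is rejected. The pubkey, tag values and sig below are constructed placeholders, and the second half of a full client check, the BIP-340 Schnorr verification of `sig` over `id`, is assumed to be done by a separate library and is not shown.

```python
import hashlib
import json


def make_sample_event() -> dict:
    """Constructed sample reaction event (kind 7); pubkey/tags/sig are placeholders, not real."""
    event = {
        "pubkey": "ab" * 32,                          # placeholder 32-byte x-only pubkey (hex)
        "created_at": 1700000000,
        "kind": 7,                                    # reaction
        "tags": [["e", "cd" * 32], ["p", "ab" * 32]],
        "content": "+",
        "sig": "ef" * 64,                             # placeholder, not a valid Schnorr signature
    }
    event["id"] = compute_event_id(event)
    return event


def serialize_event(event: dict) -> bytes:
    """NIP-01 serialization: [0, pubkey, created_at, kind, tags, content] as compact JSON.
    No whitespace, UTF-8, non-ASCII kept literal; json.dumps escapes \\n, \\", \\\\ etc.
    the way NIP-01 requires (control characters other than those get \\uXXXX, an edge
    case NIP-01 forbids, so such content would need its own serializer)."""
    payload = [0, event["pubkey"], event["created_at"], event["kind"],
               event["tags"], event["content"]]
    return json.dumps(payload, separators=(",", ":"), ensure_ascii=False).encode("utf-8")


def compute_event_id(event: dict) -> str:
    """The event id is the hex sha256 of the serialized event."""
    return hashlib.sha256(serialize_event(event)).hexdigest()


def id_matches(event: dict) -> bool:
    """Client-side check: the claimed id must equal the recomputed one.
    A client that skips this (and the Schnorr check of sig over id) accepts a
    relay-stored event whose kind, tags or content were edited after signing."""
    return compute_event_id(event) == event.get("id")


def tamper_kind(event: dict, new_kind: int) -> dict:
    """Copy of the event with only the kind changed; id and sig left untouched."""
    forged = dict(event)
    forged["kind"] = new_kind
    return forged


if __name__ == "__main__":
    ev = make_sample_event()
    print("original id matches:", id_matches(ev))                   # True
    print("kind 7 -> 4 still matches:", id_matches(tamper_kind(ev, 4)))  # False
```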


Discussion

H 2y ago

Thanks so much!
