- Describe how guardian keys are used and how message confusion is avoided.
Message confusion could occur when a Guardian signs a message and an attacker replays that message elsewhere where it is interpreted as a different message type, which could lead to unintended behavior.
The Guardian Key is used to:
- Sign gossip messages
- heartbeat
- governor config and governor status
- observation request
- Sign Observations
- Version 1 VAAs
- Sign Guardian identification
- Wormchain account registration
- Sign Accountant observations
- Token Bridge
- NTT
- Sign Query responses
Signing of gossip messages:
- Prepend the message type prefix to the payload
- Compute Keccak256Hash of the payload.
- Compute ethcrypto.Sign()
Signing of Observations:
- v1 VAA:
double-Keccak256(observation).
Rationale
- Gossip messages cannot be confused with other gossip messages because the message type prefix is prepended.
- Gossip messages cannot be confused with observations because observations utilize a double-Keccak256 and the payload is enforced to be
>=34bytes.
acct_sub_obsfig_000000000000000000| // token bridge accountant observation
ntt_acct_sub_obsfig_00000000000000| // ntt accountant observation
governor_config_000000000000000000| // gossip governor config
governor_status_000000000000000000| // gossip governor status
heartbeat| // gossip heartbeat
signed_observation_request| // gossip signed observation request
mainnet_query_request_000000000000| // query request (mainnet, not signed by guardian)
testnet_query_request_000000000000| // query request (testnet, not signed by guardian)
devnet_query_request_0000000000000| // query request (devnet, not signed by guardian)
query_response_0000000000000000000| // query response
query_response_0000000000000000000| // query response
signed_wormchain_address_00000000| // wormchain register account as guardian