From f98ec8e1f6367bfe191cff17895767ab9880b29c Mon Sep 17 00:00:00 2001
From: Cedric Fung <cedric@vec.io>
Date: Thu, 6 Oct 2022 18:59:05 +0000
Subject: [PATCH] the used random must be cleared as soon as possible

---
 kernel/cosi.go | 29 ++++++++++++++++++++---------
 1 file changed, 20 insertions(+), 9 deletions(-)

diff --git a/kernel/cosi.go b/kernel/cosi.go
index 24b86ad4d..691ae776e 100644
--- a/kernel/cosi.go
+++ b/kernel/cosi.go
@@ -136,7 +136,7 @@ func (chain *Chain) checkActionSanity(m *CosiAction) error {
 		if a := chain.CosiAggregators[m.SnapshotHash]; a != nil {
 			s = a.Snapshot
 		}
-	case CosiActionExternalAnnouncement, CosiActionExternalFullChallenge:
+	case CosiActionExternalAnnouncement:
 		if chain.ChainId == chain.node.IdForNetwork {
 			return fmt.Errorf("external action announcement chain %s %s", chain.ChainId, chain.node.IdForNetwork)
 		}
@@ -150,24 +150,35 @@ func (chain *Chain) checkActionSanity(m *CosiAction) error {
 		if ov != nil && s.RoundNumber > 0 && ov.Snapshot.RoundNumber == s.RoundNumber && s.Timestamp < ov.Snapshot.Timestamp+config.SnapshotRoundGap {
 			return fmt.Errorf("a transaction %s only in one round %d of one chain %s", s.SoleTransaction(), s.RoundNumber, chain.ChainId)
 		}
-	case CosiActionExternalChallenge:
+	case CosiActionExternalFullChallenge:
 		if chain.ChainId == chain.node.IdForNetwork {
-			return fmt.Errorf("external action challenge chain %s %s", chain.ChainId, chain.node.IdForNetwork)
+			return fmt.Errorf("external action announcement chain %s %s", chain.ChainId, chain.node.IdForNetwork)
 		}
 		if chain.ChainId != m.PeerId {
-			return fmt.Errorf("external action challenge peer %s %s", chain.ChainId, m.PeerId)
+			return fmt.Errorf("external action announcement peer %s %s", chain.ChainId, m.PeerId)
 		}
-		if v := chain.CosiVerifiers[m.SnapshotHash]; v != nil {
-			s = v.Snapshot
+		if s.Signature != nil || s.Timestamp == 0 || m.Challenge == nil {
+			return fmt.Errorf("only empty snapshot with timestamp and challenge can be fully challenged")
 		}
-	}
-
-	if m.Challenge != nil && m.Action == CosiActionExternalFullChallenge {
 		m.random = chain.cosiRetrieveRandom(m.SnapshotHash, m.PeerId, m.Challenge)
 		if m.random == nil {
 			err := chain.cosiPrepareRandomsAndSendCommitments(m.PeerId, true)
 			return fmt.Errorf("no match random for the commitment %v %v", m, err)
 		}
+		ov := chain.CosiVerifiers[s.SoleTransaction()]
+		if ov != nil && s.RoundNumber > 0 && ov.Snapshot.RoundNumber == s.RoundNumber && s.Timestamp < ov.Snapshot.Timestamp+config.SnapshotRoundGap {
+			return fmt.Errorf("a transaction %s only in one round %d of one chain %s", s.SoleTransaction(), s.RoundNumber, chain.ChainId)
+		}
+	case CosiActionExternalChallenge:
+		if chain.ChainId == chain.node.IdForNetwork {
+			return fmt.Errorf("external action challenge chain %s %s", chain.ChainId, chain.node.IdForNetwork)
+		}
+		if chain.ChainId != m.PeerId {
+			return fmt.Errorf("external action challenge peer %s %s", chain.ChainId, m.PeerId)
+		}
+		if v := chain.CosiVerifiers[m.SnapshotHash]; v != nil {
+			s = v.Snapshot
+		}
 	}
 
 	if s == nil {