The join_split circuit now skips signature verification for merge join_splits, since it checks that the spender and the total amounts remain the same and that only note aggregation is happening.
However, using the account_required flag, an exploiter who has control over an account key but no spending keys could still drain the notes that have account_required set to true:
- Decode the notes using the account key
- Do regular merge join_splits with them, with a fake signature (since it is going to be skipped), to the same owner BUT creating the output notes with account_required = false
- Now the attacker can spend the notes with the account key, since the output notes have account_required = false
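A simplified model of the merge check described above, added here as an example and not code from the join_split circuit itself (the Note fields, function names and string owner ids are assumptions): the vulnerable rule only compares owner and totals, while the hardened rule also requires the account_required flag to be preserved across the merge.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Note:
    owner: str              # hypothetical owner id (stands in for the owner public key)
    value: int
    account_required: bool  # True: only a registered spending key may spend the note

def is_merge(inputs, outputs):
    """Aggregation-only shape: one owner on both sides, totals unchanged."""
    owners = {n.owner for n in inputs} | {n.owner for n in outputs}
    totals_match = sum(n.value for n in inputs) == sum(n.value for n in outputs)
    return len(owners) == 1 and totals_match

def vulnerable_merge_allowed(inputs, outputs):
    # The signature check is skipped as soon as the merge shape holds,
    # so the account_required flag of the outputs is never constrained.
    return is_merge(inputs, outputs)

def hardened_merge_allowed(inputs, outputs):
    # Also require that every note on both sides carries the same
    # account_required flag, so a merge cannot downgrade the spending policy.
    if not is_merge(inputs, outputs):
        return False
    flags = {n.account_required for n in inputs} | {n.account_required for n in outputs}
    return len(flags) == 1

# Constructed sample: two protected notes merged into one unprotected note.
DOWNGRADE_INPUTS = [Note("alice", 40, True), Note("alice", 60, True)]
DOWNGRADE_OUTPUTS = [Note("alice", 100, False)]

# Constructed sample: a legitimate merge that keeps the flag.
HONEST_INPUTS = [Note("alice", 40, True), Note("alice", 60, True)]
HONEST_OUTPUTS = [Note("alice", 100, True)]

if __name__ == "__main__":
    print("vulnerable accepts downgrade:", vulnerable_merge_allowed(DOWNGRADE_INPUTS, DOWNGRADE_OUTPUTS))
    print("hardened accepts downgrade:", hardened_merge_allowed(DOWNGRADE_INPUTS, DOWNGRADE_OUTPUTS))
    print("hardened accepts honest merge:", hardened_merge_allowed(HONEST_INPUTS, HONEST_OUTPUTS))
```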