Creation verification for reissuance token validness

[Sdoba16]

Project version

0.3.1

What happened?

While creating the option, user is able to send reissuance tokens to himself(not the valid covenant). Therefore there is a possible attack on the buyers of the issuance tokens if they are not checking the blockchain.

Minimal reproduction steps

To recreate attack the creator could mint issuance tokens. Then sell the issuance tokens to somebody. In the end close the option with cancellation path and left buyers without their tokens.
In order to fix it, the option funder(or seller of the issuance tokens) should provide the creation transaction, so the buyer could verify that reissuance tokens are sent to the trusted covenant rather than the option creator himself.

[KyrylR]

Thanks, I do understand the issue, though would love to have more references to the Options whitepaper, so it is more clear

[Sdoba16]

Thanks, I do understand the issue, though would love to have more references to the Options whitepaper, so it is more clear

Issue is mostly connected to the part of the paper written in the picture above In this transaction reissuance tokens(option token generator, grantor token generator) can be send to the transaction creator himself, which allows the described trick.

During the next step option creator mints issuance tokens(option token and grantor token). Then during the next step(option trading), user could sell them to people who will be scammed.

And here where the attack finishes: when the issuance tokens are sold, option creator(as not valid covenant) could take money of the buyers, who want to use their option and cancel the option with cancellation path.