Signature alone is not enough to identify signed data

raiden_contracts/data/source/services/MonitoringService.sol

@@ -126,6 +126,8 @@ contract MonitoringService is Utils {
         address raiden_node_address = recoverAddressFromRewardProof(
             address(this),
             token_network.chain_id(),
+            token_network_address,
+            non_closing_participant,
             non_closing_signature,
             reward_amount,
             reward_proof_signature
@@ -350,6 +352,8 @@ contract MonitoringService is Utils {
     function recoverAddressFromRewardProof(
         address monitoring_service_contract_address,
         uint256 chain_id,
+        address token_network_address,
+        address non_closing_participant,
         bytes memory non_closing_signature,
         uint256 reward_amount,
         bytes memory signature
@@ -358,16 +362,29 @@ contract MonitoringService is Utils {
         pure
         returns (address signature_address)
     {
+        // This message shows the intention of the signer to pay
+        // a reward to a Monitoring Service, provided that the
+        // call of updateNonClosingBalanceProof() succeeds.
+        // The triple (non_closing_participant, non_closing_signature, token_network_address)
+        // uniquely identifies the call that's supposed to be made.
+        // (Just checking non_closing_signature is not enough because
+        // when an attacker tampers with the payload, the signature
+        // verification doesn't fail but emits a different address.)
+        // (Without a token_network, there will be some ambiguity
+        // what the payload means.)
         bytes32 message_hash = keccak256(abi.encodePacked(
-            "\x19Ethereum Signed Message:\n181",  // 20 + 32 + 32 + 65 + 32
+            "\x19Ethereum Signed Message:\n221",  // 20 + 32 + 32 + 20 + 20 + 65 + 32
             monitoring_service_contract_address,
             chain_id,
             uint256(MessageTypeId.MSReward),
+            token_network_address,
+            non_closing_participant,
             non_closing_signature,
             reward_amount
         ));
 
         signature_address = ECVerify.ecverify(message_hash, signature);
+        require(signature_address == non_closing_participant, "Reward proof with wrong non_closing_participant");
     }
 }
 

raiden_contracts/data/source/test/MonitoringServiceInternalsTest.sol

@@ -55,6 +55,8 @@ contract MonitoringServiceInternalsTest is MonitoringService {
     function recoverAddressFromRewardProofPublic(
         address monitoring_service_contract_address,
         uint256 chain_id,
+        address token_network_address,
+        address non_closing_participant,
         bytes memory non_closing_signature,
         uint256 reward_amount,
         bytes memory signature
@@ -66,6 +68,8 @@ contract MonitoringServiceInternalsTest is MonitoringService {
         return MonitoringService.recoverAddressFromRewardProof(
             monitoring_service_contract_address,
             chain_id,
+            token_network_address,
+            non_closing_participant,
             non_closing_signature,
             reward_amount,
             signature

raiden_contracts/tests/test_monitoring_service.py

@@ -72,6 +72,8 @@ def f(monitoring_service_contract: Contract) -> Dict:
             privatekey=get_private_key(B),
             monitoring_service_contract_address=monitoring_service_contract.address,
             chain_id=token_network.functions.chain_id().call(),
+            token_network_address=token_network.address,
+            non_closing_participant=B,
             non_closing_signature=non_closing_signature_B,
             reward_amount=REWARD_AMOUNT,
         )
@@ -408,6 +410,8 @@ def test_recoverAddressFromRewardProof(
     recovered_address = recoverAddressFromRewardProof(
         monitoring_service_contract_address=monitoring_service_internals.address,
         chain_id=token_network.functions.chain_id().call(),
+        token_network_address=token_network.address,
+        non_closing_participant=B,
         non_closing_signature=monitor_data_internal["non_closing_signature"],
         reward_amount=REWARD_AMOUNT,
         signature=monitor_data_internal["reward_proof_signature"],

raiden_contracts/tests/test_print_gas.py

@@ -283,6 +283,8 @@ def print_gas_monitoring_service(
         privatekey=get_private_key(B),
         monitoring_service_contract_address=monitoring_service_external.address,
         chain_id=token_network.functions.chain_id().call(),
+        token_network_address=token_network.address,
+        non_closing_participant=B,
         reward_amount=reward_amount,
         non_closing_signature=non_closing_signature_B,
     )

raiden_contracts/utils/proofs.py

@@ -111,13 +111,17 @@ def pack_withdraw_message(
 def pack_reward_proof(
     monitoring_service_contract_address: HexAddress,
     chain_id: int,
+    token_network_address: HexAddress,
+    non_closing_participant: HexAddress,
     non_closing_signature: bytes,
     reward_amount: int,
 ) -> bytes:
     return (
         Web3.toBytes(hexstr=monitoring_service_contract_address)
         + encode_single("uint256", chain_id)
         + encode_single("uint256", MessageTypeId.MSReward)
+        + Web3.toBytes(hexstr=token_network_address)
+        + Web3.toBytes(hexstr=non_closing_participant)
         + non_closing_signature
         + encode_single("uint256", reward_amount)
     )
@@ -231,13 +235,17 @@ def sign_reward_proof(
     privatekey: str,
     monitoring_service_contract_address: HexAddress,
     chain_id: int,
+    token_network_address: HexAddress,
+    non_closing_participant: HexAddress,
     non_closing_signature: bytes,
     reward_amount: int,
     v: int = 27,
 ) -> bytes:
     packed_data = pack_reward_proof(
         monitoring_service_contract_address=monitoring_service_contract_address,
         chain_id=chain_id,
+        token_network_address=token_network_address,
+        non_closing_participant=non_closing_participant,
         non_closing_signature=non_closing_signature,
         reward_amount=reward_amount,
     )