A security issue for a contract invocation was found

Here’s the thing
We know that AEPP is dependent on the wallet.
However, there is a scenario in which the AEPP asks the wallet to sign when invoking a contract, and the user agrees to continue the operation, but from the callData the user cannot see the specific call information for the contract invocation and has no idea what the value is.
For example, when the AEPP operates the AEX9 contract, it wants to transfer 100 tokens to Tom, which is shown on the UI. However, at the time of sending, the server changes it to send to Jerry. From the callData shown in the wallet, the user cannot see the specific value being transmitted, so the data is inconsistent, and the tokens will be lost.

As is shown in
The user has no idea what the parameters I passed in are. It’s just a scenario. The biggest problem should be on the AEX9 token.

It is also possible that when the user calls contract A, the user actually calls contract B, and the user will not be able to tell directly which contract it is, resulting in the user losing the token.

3 Likes

@Baixin.chain this is a correct observation. This is a well-known flaw and @bruteforce.chain can elaborate on the plans for addressing it. To the best of my knowledge this requires erlscripten to be finalised. As you probably know, the reference protocol implementation is in Erlang. Erlscripten will allow translating Erlang code to PureScript and thus compiling it to JavaScript. Once this is in place, a lot of interesting features would be made available, including the encode/decode of callData client side :slight_smile:

Kudos to @gorbak25 and @radrow.chain for the progress on erlscripten.

4 Likes