Sending false data about AEX9

I created an AEX9 Token with the name WTT.

I send 10 WTTs to account A.

Now account A only has 10WTT, now I use account A to send 100WTT to account B.

The transaction is packaged normally. And it generates a valid TX HASH, available on the chain.

Of course, I can use a negative transfer, send -100wtt, and it will still pack up as normal.

AEX9 lacks judgment on account amount.

While there is no real transfer on the chain, it can be confusing for the blockchain browser, and for the user.

3 Likes

Hi @LiuShao.chain, is this something that could be directly updated on AEXs/aex-9.md at master · aeternity/AEXs · GitHub or is it related to the protocol?

This seems to be a problem caused by aeknow, I am looking for the reason

https://github.com/aeternity/aeternity-fungible-token/blob/master/contracts/fungible-token-full.aes

@erik.chain The contract seems to be missing a require function.
It is complete in the aepp-sophia-examples code base.

In addition, there is a problem with balances, it does not support paging. With thousands or even tens of thousands of accounts, it is impossible to obtain all accounts.

1 Like

th_2onh8mpBsoyS8Qxi73wF7JC4TXAVn8xKAxJcn5Tdo7S77bQfSd

This is a TX with -1000 ABC tokens sent, and it is packed normally.

1 Like

Thanks for pointing this out, could you add a pull request or an issue please if you identified the problem?

@bruteforce.chain
I’ve created the problem.

Transferring negative amounts is not possible in the provided reference implementation. See the two require checks here: aeternity-fungible-token/fungible-token.aes at edd903221db2516ebf9a2d6584db1dab261a06b8 · mradkov/aeternity-fungible-token · GitHub and check the tests here: aeternity-fungible-token/fungible-tokenTest.js at edd903221db2516ebf9a2d6584db1dab261a06b8 · mradkov/aeternity-fungible-token · GitHub

Are you sure the WTT is using the provided reference implementation or did they implement this on their own - if so this is possible to fail.

On another hand the packed transaction is valid of course as before you send it to the contract there is no way for the SDK or node to know if the contract logic forbids transferring of negative amounts.

1 Like

OK, thank you @milenradkov.chain . AEKNOW lacks judgment on contract call failure.

It just so happened that the sending tool I was using lacked validation for the returned results, so it didn’t tell me it failed. AeKnow @LiuYang.chain has improved the prompts.

balances, call the full account, is there another way to do it? It will fail on tens of thousands of accounts.

2 Likes