Hi everyone! I was looking at the Jetton burn function and noticed a strange authorization check. It seems to me that it could be a security issue.

token-contract/ft/jetton-minter.fc:75

This line checks whether the sender is authorized to burn tokens. However, `from_address` is the payload parameter fully controlled by the sender. So this check is literally saying this: "Do you know `from_address` such that its hash(from_address, my_address) is equal to your actual address `sender_address`." It seems to me that instead of provoking an attacker to guess such a payload to bypass the check, it could be better to:

- precompute the wallet address as hash(sender_address, my_address(), jetton_wallet_code)
- save it, and when checking for authorization, check that hash(sender_address, my_address(), jetton_wallet_code) == saved_hash

The proposed option is "something you are." Other options could include "something you know," "secret," etc.

In a nutshell:

The throw check can be bypassed if an attacker can craft the payload such that sender_address matches the calculated `must_be_address = calculate_user_jetton_wallet_address(from_address, my_address(), jetton_wallet_code)`. What's more, it can be guessed offline.

Please correct me if I'm wrong and thank you for your time.
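A small Python model of the check discussed in this issue, added here as an illustration and not taken from the token-contract repository. It assumes SHA-256 over a length-prefixed encoding as a stand-in for the on-chain address derivation; `handle_burn_notification`, `is_accepted`, `run_cases` and all addresses are hypothetical names and constructed sample values.

```python
import hashlib

# Constructed sample values (not real TON addresses or code).
MINTER = b"minter-address"
WALLET_CODE = b"jetton-wallet-code"
ALICE, BOB = b"alice", b"bob"
OTHER_CONTRACT = b"some-other-contract"


def calculate_user_jetton_wallet_address(owner, minter, wallet_code):
    """Stand-in (assumption): derive a wallet address by hashing its inputs."""
    h = hashlib.sha256()
    for part in (owner, minter, wallet_code):
        h.update(len(part).to_bytes(4, "big"))  # length prefix keeps fields unambiguous
        h.update(part)
    return h.digest()


class BurnRejected(Exception):
    """Models the throw raised when the sender check fails."""


def handle_burn_notification(sender_address, from_address):
    # from_address comes from the message payload; sender_address is the
    # actual address the message was sent from.
    must_be_address = calculate_user_jetton_wallet_address(from_address, MINTER, WALLET_CODE)
    if must_be_address != sender_address:
        raise BurnRejected("sender is not the wallet derived from from_address")
    return from_address


def is_accepted(sender_address, from_address):
    try:
        handle_burn_notification(sender_address, from_address)
        return True
    except BurnRejected:
        return False


def run_cases():
    alice_wallet = calculate_user_jetton_wallet_address(ALICE, MINTER, WALLET_CODE)
    return {
        "alice wallet, from=alice": is_accepted(alice_wallet, ALICE),
        "alice wallet, from=bob": is_accepted(alice_wallet, BOB),
        "other contract, from=alice": is_accepted(OTHER_CONTRACT, ALICE),
        "other contract, from=itself": is_accepted(OTHER_CONTRACT, OTHER_CONTRACT),
    }
```

In this model the only sender accepted for a given `from_address` is the address derived from it together with the minter address and the wallet code.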