Polluting buyer's and agent's available funds #679

Open
zajck opened this issue Jun 9, 2023 · 0 comments
Labels
wontfix This will not be worked on

zajck commented Jun 9, 2023

#322 addresses the possibility to fill up the seller's available funds with unwanted tokens since anyone can deposit funds on the seller's behalf.

It's possible to do the same to buyers and agents as well.

To fill up the buyer's available funds, a malicious actor can act as a seller and:

  1. create an offer with an unwanted token and non-zero seller deposit;
  2. commit on the buyer's behalf;
  3. revoke the voucher, which releases the unwanted token (seller deposit) to the buyer.

To fill up the agent's available funds, a malicious actor can act as a seller and:

  1. create an offer with an unwanted token and assign the agent to the offer;
  2. commit to the offer;
  3. redeem the voucher;
  4. finalize the exchange, which releases the unwanted token (percentage of the price) to the agent.

  • This fills up their available funds but does not send the (potentially malicious) token directly to the recipient. But the recipient can still withdraw it.
  • This does not affect the withdrawal of other buyer's or agent's funds.
  • This pollutes getAvailableFunds with unwanted tokens.
  • Dispute resolvers are not affected, since they can receive DR fees only in the exchange tokens they specify.
@mischat mischat added the wontfix This will not be worked on label Jul 7, 2023
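
A defensive, client-side way to handle the pollution described in this issue, as an added example that is not part of the issue or the project's code: it splits a `getAvailableFunds` result into accepted and unrecognized tokens by address, and builds a withdrawal list from the accepted ones only. The entry shape (`tokenAddress`, `tokenName`, `availableAmount`), the allowlist, and all function names and addresses are assumptions made for illustration.

```javascript
// Added example. Assumed entry shape: { tokenAddress, tokenName, availableAmount }.
// Normalize an address for comparison; reject anything that is not 20 hex bytes.
function normalizeAddress(addr) {
  if (typeof addr !== "string" || !/^0x[0-9a-fA-F]{40}$/.test(addr)) {
    throw new Error(`not an address: ${addr}`);
  }
  return addr.toLowerCase();
}

// Split entries into tokens the entity chose to accept and everything else.
// Matching is on address only: a token contract can report any name it likes.
function partitionFunds(funds, acceptedTokens) {
  const accepted = new Set(acceptedTokens.map(normalizeAddress));
  const result = { recognized: [], unrecognized: [] };
  for (const f of funds) {
    const token = normalizeAddress(f.tokenAddress);
    const amount = BigInt(f.availableAmount);
    if (amount === 0n) continue; // nothing to show or withdraw
    (accepted.has(token) ? result.recognized : result.unrecognized).push({ token, amount });
  }
  return result;
}

// Build explicit token and amount lists from recognized entries only.
// Returns null when there is nothing recognized, so no request is sent.
function buildWithdrawal(funds, acceptedTokens) {
  const { recognized } = partitionFunds(funds, acceptedTokens);
  if (recognized.length === 0) return null;
  return {
    tokenList: recognized.map((f) => f.token),
    tokenAmounts: recognized.map((f) => f.amount),
  };
}

// Constructed sample data: placeholder addresses, not real tokens.
const ACCEPTED_TOKEN = "0x" + "11".repeat(20);
const UNWANTED_TOKEN = "0x" + "EE".repeat(20);
const sampleFunds = [
  { tokenAddress: ACCEPTED_TOKEN, tokenName: "USD Coin", availableAmount: "500" },
  // Same display name, different contract: only the address tells them apart.
  { tokenAddress: UNWANTED_TOKEN, tokenName: "USD Coin", availableAmount: "1000000" },
];

const view = partitionFunds(sampleFunds, [ACCEPTED_TOKEN]);
console.log("recognized:", view.recognized.length, "unrecognized:", view.unrecognized.length);
console.log(buildWithdrawal(sampleFunds, [ACCEPTED_TOKEN]));
```

Unrecognized entries are kept in their own bucket rather than dropped, so a UI can show them separately instead of hiding balances the account does hold.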

2 participants