Missing Account ID Checks for get_balance #54

Closed
MaksymZavershynskyi opened this issue Jun 3, 2020 · 0 comments · Fixed by near/near-sdk-rs#175

Comments

@MaksymZavershynskyi
Contributor

Informational
Reported by a third party.

Description
There are currently checks to validate the input accounts for get_allowance(). These checks prevent contracts from accidentally checking the allowance of an invalid account.

The function get_balance() does not possess the same checks. Users may accidentally check the balance of an invalid account. The return value of the call would be zero.

Furthermore, there is a comment for get_allowance() stating how the allowance may have already changed by the time the return value is read by a contract. The same principle also applies to get_balance(); however, it is not documented.

Recommendations
While these checks and comments are not necessary, it is recommended to have a consistent behaviour across similar functions.

@evgenykuzyakov evgenykuzyakov self-assigned this Jun 4, 2020
evgenykuzyakov pushed a commit to near/near-sdk-rs that referenced this issue Jun 5, 2020
evgenykuzyakov pushed a commit to near/NEPs that referenced this issue Jun 5, 2020
Fixes: near/core-contracts#47
Fixes: near/core-contracts#49

### Changelog `0.2.0`

- Introduce storage deposits. Make every method payable. Require caller to attach enough deposit to cover potential storage increase. See [core-contracts/#47](near/core-contracts#47)
- Replace `set_allowance` with `inc_allowance` and `dec_allowance` to address the issue of allowance front-running. See [core-contracts/#49](near/core-contracts#49)
- Validate `owner_id` account ID. See [core-contracts/#54](near/core-contracts#54)
- Enforce that the `new_owner_id` is different from the current `owner_id` for transfer. See [core-contracts/#55](near/core-contracts#55)
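
The inconsistency described in the issue, shown as an added example; it is not the contract's or near-sdk-rs's own code. `Token`, `get_balance_unchecked`, `sample_token` and the `is_valid_account_id` stand-in, including the account ID rules it assumes, are hypothetical.

```rust
use std::collections::HashMap;

/// Stand-in for the runtime's account ID check (assumed rules: 2..=64 bytes,
/// lowercase alphanumerics joined by single '-', '_' or '.' separators).
fn is_valid_account_id(id: &str) -> bool {
    if id.len() < 2 || id.len() > 64 {
        return false;
    }
    let mut prev_sep = true; // start counts as a separator, so none may lead
    for b in id.bytes() {
        let sep = matches!(b, b'-' | b'_' | b'.');
        let alnum = b.is_ascii_lowercase() || b.is_ascii_digit();
        if (sep && prev_sep) || !(sep || alnum) {
            return false; // doubled/leading separator or illegal character
        }
        prev_sep = sep;
    }
    !prev_sep // and none may trail
}

/// Hypothetical model of the token's balance table.
struct Token { balances: HashMap<String, u128> }

impl Token {
    /// Behaviour described in the issue: any string is accepted, unknown keys read as 0.
    fn get_balance_unchecked(&self, owner_id: &str) -> u128 {
        self.balances.get(owner_id).copied().unwrap_or(0)
    }

    /// Consistent with get_allowance(): reject malformed IDs before the lookup.
    fn get_balance(&self, owner_id: &str) -> Result<u128, &'static str> {
        if !is_valid_account_id(owner_id) {
            return Err("owner_id is not a valid account ID");
        }
        Ok(self.get_balance_unchecked(owner_id))
    }
}

fn sample_token() -> Token {
    let mut balances = HashMap::new();
    balances.insert("alice.near".to_string(), 1_000); // constructed sample data
    Token { balances }
}

fn main() {
    let t = sample_token();
    for id in ["alice.near", "bob.near", "Alice.near", "alice..near"] {
        println!("{:?}: unchecked={} checked={:?}", id, t.get_balance_unchecked(id), t.get_balance(id));
    }
}
```

With the check in place, a mistyped ID such as `Alice.near` produces an error, while a well-formed but unfunded account still reads as zero.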