patch for critical vulnerability in mint tool
related to #126

This commit fixes an issue where SLP outputs could be reordered because the "mandatory_coins" parameter was not being used as it should be with all SLP transactions. Reordering the output addresses could sometimes cause the token mint baton receiver and token receiver addresses to be switched.
jcramer committed Apr 24, 2020
1 parent e7c81b9 commit ea3912c
Showing 1 changed file with 1 addition and 11 deletions.
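--- a/gui/qt/slp_create_token_mint_dialog.py
+++ b/gui/qt/slp_create_token_mint_dialog.py
@@ -209,7 +209,7 @@ def mint_token(self, preview=False):
 
 desired_fee_rate = 1.0 # sats/B, just init this value for paranoia
 try:
-tx = self.main_window.wallet.make_unsigned_transaction(coins, outputs, self.main_window.config, fee, None)
+tx = self.main_window.wallet.make_unsigned_transaction(coins, outputs, self.main_window.config, fee, None, mandatory_coins=[baton_input])
 desired_fee_rate = tx.get_fee() / tx.estimated_size() # remember the fee coin chooser & wallet gave us as a fee rate so we may use it below after adding baton to adjust fee downward to this rate.
 except NotEnoughFunds:
 self.show_message(_("Insufficient funds"))
@@ -222,16 +222,6 @@ def mint_token(self, preview=False):
 self.show_message(str(e))
 return
 
-# Find & Add baton to tx inputs
-try:
-baton_utxo = self.main_window.wallet.get_slp_token_baton(self.token_id_e.text())
-except SlpNoMintingBatonFound:
-self.show_message(_("There is no minting baton found for this token."))
-return
-
-tx.add_inputs([baton_utxo])
-for txin in tx._inputs:
-self.main_window.wallet.add_input_info(txin)
 
 def tx_adjust_change_amount_based_on_baton_amount(tx, desired_fee_rate):
 ''' adjust change amount (based on amount added from baton) '''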
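Review bot: Nothing after the new `make_unsigned_transaction(..., mandatory_coins=[baton_input])` call checks that the built transaction still carries the SLP outputs in the order they were passed in. Since the bug being fixed swapped the mint baton receiver with the token receiver, a fail-closed guard right after the call would be worth adding, for example `if tx.outputs()[:len(outputs)] != outputs: self.show_message(_("Unexpected output order")); return` (this assumes `tx.outputs()` returns the same tuples as `outputs` and that change is appended last; confirm against the wallet code). `baton_input` is defined outside this hunk, and with the `SlpNoMintingBatonFound` handler removed in the second hunk it is not visible here how a missing baton is now reported to the user. The trailing comment on the `desired_fee_rate = tx.get_fee() / tx.estimated_size()` line still says the rate is used "after adding baton", which no longer matches the flow now that the baton goes through coin selection. That comment should be updated, and it is worth checking whether `tx_adjust_change_amount_based_on_baton_amount`, whose body lies outside the hunk, is still needed.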
