Lisk-mobile: Inconsistent validation of the amount field in “Send token” functionality of lisk-mobile · Issue #1921 · LiskHQ/lisk-mobile · GitHub

Lisk-mobile: Inconsistent validation of the amount field in “Send token” functionality of lisk-mobile #1921


Closed
Tracked by #1368
ManuGowda opened this issue Jul 13, 2023 · 0 comments · Fixed by #1929

Comments

@ManuGowda
Contributor

Description

The lisk-mobile “Send token” feature consists of two screens. In the first one a user provides values like amount to send and recipient address. The second one displays all the provided data for confirmation. An adversary may perform a phishing attack by providing values that are different when shown on a phone screen and when used by the code. One of the discovered attack vectors is related to the “Amount” field. That field is expected to contain a number with an optional decimal separator. However, any data is accepted by the code.

Actual behavior

A partial validation of the “Amount” is done in the useSendTokenAmountChecker method. There, the amount variable holds a user-provided string. The isTransactionAmountValid method checks the format of the string. If the amount is in an invalid format, the code will set the validatedAmount variable to 0, and so the isMaxAllowedAmountExceeded variable is set to true.

```js
// Input that fails the format check is not rejected; it silently becomes 0.
const validatedAmount =
  selectedToken && isTransactionAmountValid(amount)
    ? BigInt(
        fromDisplayToBaseDenom({
          amount,
          displayDenom: selectedToken.displayDenom,
          denomUnits: selectedToken.denomUnits,
        })
      )
    : BigInt(0);
const isMaxAllowedAmountExceeded = maxAllowedAmount - validatedAmount <= 0;
```


Recommendations

Short term, improve validation of the “Amount” field to be more strict. Make sure that the user is always presented with the exact value that is used by the code.

Long term, perform root cause analysis of the issue and review similar attack vectors.
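An added example (not code from the lisk-mobile repository) contrasting the lenient fallback-to-zero pattern quoted in the issue with a strict, fail-closed parser that also checks the value round-trips to the string the user will be shown. `fromDisplayToBaseDenom` and `toDisplayDenom` here are simplified stand-ins for the project's helpers, and the 8-decimal denomination is an assumption.

```javascript
// Added example, not lisk-mobile code. fromDisplayToBaseDenom and toDisplayDenom
// are simplified stand-ins (assumptions) for the project's helpers; the 8-decimal
// denomination is also an assumption.
const DECIMALS = 8; // assumption: 1 display unit = 10^8 base units

// Stand-in helper: decimal display string -> integer base-denom string.
// Like a naive converter it validates nothing itself.
function fromDisplayToBaseDenom(amount) {
  const [whole, frac = ''] = String(amount).split('.');
  return whole + frac.slice(0, DECIMALS).padEnd(DECIMALS, '0');
}

// Stand-in helper: integer base-denom BigInt -> canonical display string.
function toDisplayDenom(base) {
  const s = base.toString().padStart(DECIMALS + 1, '0');
  const frac = s.slice(-DECIMALS).replace(/0+$/, '');
  return frac ? `${s.slice(0, -DECIMALS)}.${frac}` : s.slice(0, -DECIMALS);
}

// Lenient pattern quoted in the issue: input that fails the format check silently
// becomes 0, so the confirmation screen and the transaction can disagree.
function lenientValidatedAmount(amount, isTransactionAmountValid) {
  return isTransactionAmountValid(amount)
    ? BigInt(fromDisplayToBaseDenom(amount))
    : BigInt(0);
}

// Strict parser: accept only canonical decimal strings (no sign, exponent,
// leading zeros or excess precision), return null on any doubt, and require the
// parsed value to render exactly as the normalized input.
const AMOUNT_RE = new RegExp(`^(0|[1-9]\\d*)(\\.\\d{1,${DECIMALS}})?$`);

function parseAmountStrict(amount) {
  if (typeof amount !== 'string' || !AMOUNT_RE.test(amount)) return null;
  const base = BigInt(fromDisplayToBaseDenom(amount));
  const normalized = amount.includes('.') ? amount.replace(/\.?0+$/, '') : amount;
  return toDisplayDenom(base) === normalized ? base : null;
}

// Fail closed: unparseable input counts as exceeding the limit, not as 0.
function isMaxAllowedAmountExceeded(maxAllowedAmount, amount) {
  const validated = parseAmountStrict(amount);
  return validated === null || maxAllowedAmount - validated <= 0n;
}
```

The UI should render `toDisplayDenom(parseAmountStrict(input))` on the confirmation screen, so that what is signed and what is shown come from the same parsed value.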

@sridharmeganathan sridharmeganathan added this to the Sprint 68 milestone Jul 17, 2023
@clemente-xyz clemente-xyz self-assigned this Jul 18, 2023
@clemente-xyz clemente-xyz moved this to In Progress in Lisk Mobile Version 3.0.0 Jul 18, 2023
@clemente-xyz clemente-xyz moved this from In Progress to Pending Review in Lisk Mobile Version 3.0.0 Jul 18, 2023
@clemente-xyz clemente-xyz moved this from Pending Review to Done in Lisk Mobile Version 3.0.0 Jul 20, 2023
@ManuGowda ManuGowda changed the title Mobile application insufficiently validates and incorrectly displays amount value in transaction transfer Lisk-mobile: Inconsistent validation of the amount field in “Send token” functionality of lisk-mobile Aug 11, 2023