Security: Provider fees check #307

Closed
alexcos20 opened this issue Mar 4, 2024 · 0 comments

@alexcos20
Member

We do provider fees checks, but we don't validate that providerAddress is actually our address (i.e., we signed those provider fees).

Attack vector:

  • I will deploy my own node
  • Prepare providerFees for an asset with 0 fees (free)
  • Pass that providerFee structure in an order
  • Use that order with the attack node download endpoint -> I get to download for free, because the providerFee structure is valid
@alexcos20 alexcos20 added Type: Bug Something isn't working Priority: Critical labels Mar 4, 2024
@alexcos20 alexcos20 self-assigned this Mar 4, 2024
alexcos20 added a commit that referenced this issue Mar 5, 2024
@alexcos20 alexcos20 added this to the alfa release milestone Jul 8, 2024
@alexcos20 alexcos20 added Type: Question Further information is requested and removed Type: Bug Something isn't working Priority: Critical labels Aug 19, 2024
@giancu4 giancu4 closed this as completed Nov 28, 2024
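
The check this issue asks for, as an added example that is not part of the original issue or the project's code: a fee structure can be well formed and correctly signed and still have been issued by a different node, so the verifier must also compare `providerAddress` with its own address. Ed25519 from `node:crypto` stands in for the node's real signature scheme, and the `providerKey`, `asset` and `amount` fields, the address derivation and all helper names are assumptions made for the illustration.

```javascript
// Added example, not the project's code. Ed25519 (node:crypto) stands in for the
// node's real signature scheme; keys, addresses and fee fields are constructed.
const { generateKeyPairSync, createHash, createPublicKey, sign, verify } = require('node:crypto');

// Hypothetical address: a fingerprint of the signer's public key.
const addressOf = (pem) => '0x' + createHash('sha256').update(pem).digest('hex').slice(0, 40);

// Bytes covered by the signature (field layout is an assumption).
const feeBytes = (f) => Buffer.from(JSON.stringify([f.providerAddress, f.asset, f.amount]));

function newProvider() {
  const { publicKey, privateKey } = generateKeyPairSync('ed25519');
  const pem = publicKey.export({ type: 'spki', format: 'pem' });
  return { pem, privateKey, address: addressOf(pem) };
}

function signFees(provider, asset, amount) {
  const fees = { providerAddress: provider.address, providerKey: provider.pem, asset, amount };
  fees.signature = sign(null, feeBytes(fees), provider.privateKey).toString('base64');
  return fees;
}

// Structural check only: the signature matches the provider the structure names.
function isWellFormed(fees) {
  if (addressOf(fees.providerKey) !== fees.providerAddress) return false;
  const key = createPublicKey(fees.providerKey);
  return verify(null, feeBytes(fees), key, Buffer.from(fees.signature, 'base64'));
}

// Hardened check: the named provider must also be this node.
function isIssuedByThisNode(fees, ownAddress) {
  return fees.providerAddress === ownAddress && isWellFormed(fees);
}

function demo() {
  const thisNode = newProvider();
  const otherNode = newProvider(); // constructed: a node run by someone else
  const ours = signFees(thisNode, 'did:example:asset', '10');
  const foreign = signFees(otherNode, 'did:example:asset', '0');
  const relabelled = { ...foreign, providerAddress: thisNode.address };
  return {
    foreignWellFormed: isWellFormed(foreign),
    foreignAccepted: isIssuedByThisNode(foreign, thisNode.address),
    oursAccepted: isIssuedByThisNode(ours, thisNode.address),
    relabelledAccepted: isIssuedByThisNode(relabelled, thisNode.address),
  };
}
```

The foreign structure passes `isWellFormed` but is rejected by `isIssuedByThisNode`, and rewriting its `providerAddress` to this node's address does not help because the signature no longer matches.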