BuidlGuidl / grants.buidlguidl.com

https://grants-bg.vercel.app
MIT License

Fixes from Austin's test feedback on apply process #90

Closed Pabl0cks closed 6 months ago

Pabl0cks commented 6 months ago

Description

Tackling what we could consider bugs, or stuff that could confuse the user during his grant application process.

Leaving the last item from #85 for another PR, since we could consider it more like an improvement/extra feedback: show a link of the TXs sent (approved / completed). 50 % sent TX

If you prefer to split some of those items into different PRs, or add the last item from the feedback in this PR, let me know! 🙌

vercel[bot] commented 6 months ago

The latest updates on your projects. Learn more about Vercel for Git

Name Status Preview Comments Updated (UTC)
grants-bg ✅ Ready (Inspect) Visit Preview 💬 Add feedback Mar 22, 2024 4:10pm
carletex commented 6 months ago

Thank you @Pabl0cks !! Everything looks good!

Just pushed https://github.com/BuidlGuidl/grants.buidlguidl.com/pull/90/commits/346ad39a2906e5ef90f6107eb8ba19107a9b0388 to avoid some possible security implications (which is not a big deal in this case): since we are not signing the askAmount anymore, you could do a replay attack => send the same exact signature but change the askAmount (1000 ETH :D) in the POST payload => the backend will swallow it since we are not validating the askAmount on the signature.

So now we are just hardcoding it on the backend.

Pabl0cks commented 6 months ago

> Just pushed https://github.com/BuidlGuidl/grants.buidlguidl.com/commit/346ad39a2906e5ef90f6107eb8ba19107a9b0388 to avoid some possible security implications (which is not a big deal in this case): since we are not signing the askAmount anymore, you could do a replay attack => send the same exact signature but change the askAmount (1000 ETH :D) in the POST payload => the backend will swallow it since we are not validating the askAmount on the signature.

Ohh dang! Good to learn about it, TYSM for the catch and detailed explanation! 🙌❤