MetaMask / test-dapp

The sample dapp used for e2e testing and metamask-extension QA
https://metamask.github.io/test-dapp/
MIT License

feat: add Blockaid bypass for send value without 0x prefix #329

Closed seaona closed 4 months ago

seaona commented 4 months ago

Description

This PR adds a newly identified bypass, where dapps could pass a value in hex without the 0x prefix; this would make the validation fail, but the transaction would succeed. This is now fixed in the current MM version 11.14, but it was happening in previous versions.

window.ethereum.sendAsync({
  "method": "eth_sendTransaction",
  "params": [
    {
      "from": "0x9A4834c232923d7Ff5F8F52741546E14097C2b24",
      "to": "0xbD28258AD16776B34495323F21599761e47f4c8F",
      "value": "ffffff" // see value without 0x
    }
  ],
  "timestamp": 1693229271999
})

Screenshots

Screenshot from 2024-04-26 11-26-50

https://github.com/MetaMask/test-dapp/assets/54408225/8dd578b4-b988-46c9-bf7d-f5cb21d3da62

Manual QA

  1. Install an older version of the wallet, i.e. MM version 11.12
  2. Try the new bypass -- see the Blockaid validation fails
  3. Install version 11.14 of MM
  4. Try the new bypass -- see the Blockaid validation is successful, because a fix was released in the last version
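
For the failure mode described in this PR (validation errors out on a non-prefixed value while the transaction still goes through), the following added example shows a fail-closed gate that rejects non-canonical hex fields and treats scanner errors as a block. It is not MetaMask or Blockaid code; `validateTxParams`, `gateTransaction` and the injected `scan` callback are hypothetical names, and the field encodings follow the Ethereum JSON-RPC QUANTITY/DATA rules.

```javascript
// Added example, not MetaMask or Blockaid code. All names are hypothetical.
// JSON-RPC QUANTITY: 0x-prefixed hex, no leading zeros. DATA: 0x + whole bytes.
const QUANTITY = /^0x(0|[1-9a-f][0-9a-f]*)$/i;
const DATA = /^0x([0-9a-f]{2})*$/i;
const ADDRESS = /^0x[0-9a-f]{40}$/i;

const FIELD_RULES = {
  from: ADDRESS, to: ADDRESS, data: DATA,
  value: QUANTITY, gas: QUANTITY, gasPrice: QUANTITY, nonce: QUANTITY,
  maxFeePerGas: QUANTITY, maxPriorityFeePerGas: QUANTITY,
};

// Returns a list of problems; an empty list means every present field is canonical.
function validateTxParams(tx) {
  if (tx === null || typeof tx !== 'object' || Array.isArray(tx)) {
    return ['transaction must be an object'];
  }
  const errors = [];
  if (!('from' in tx)) errors.push('from: required');
  for (const [field, rule] of Object.entries(FIELD_RULES)) {
    if (!(field in tx)) continue;
    if (typeof tx[field] !== 'string' || !rule.test(tx[field])) {
      errors.push(`${field}: not canonical 0x-prefixed hex`);
    }
  }
  return errors;
}

// Fail closed: malformed input or a scanner error blocks the request instead
// of letting it continue unscanned. `scan` stands in for the security check.
function gateTransaction(request, scan) {
  const tx = Array.isArray(request.params) ? request.params[0] : undefined;
  const errors = validateTxParams(tx);
  if (errors.length > 0) return { allowed: false, reason: errors.join('; ') };
  try {
    const verdict = scan(tx);
    return { allowed: verdict === 'benign', reason: `scan verdict: ${verdict}` };
  } catch (err) {
    return { allowed: false, reason: `scan error: ${err.message}` };
  }
}

// Request shape from the PR description above.
const sampleRequest = { method: 'eth_sendTransaction', params: [{
  from: '0x9A4834c232923d7Ff5F8F52741546E14097C2b24',
  to: '0xbD28258AD16776B34495323F21599761e47f4c8F',
  value: 'ffffff', // no 0x prefix
}] };
```

With `sampleRequest`, the gate returns `allowed: false` before the scanner is ever called; the same request with `"0xffffff"` reaches the scanner and is allowed only on a benign verdict.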