This PR adds a newly identified bypass, where dapps could pass a value in hex without the 0x prefix; this would make the validation fail, but the transaction would succeed.
This is now fixed in the current MM version 11.14, but it was happening in previous versions.
window.ethereum.sendAsync({
  "method": "eth_sendTransaction",
  "params": [
    {
      "from": "0x9A4834c232923d7Ff5F8F52741546E14097C2b24",
      "to": "0xbD28258AD16776B34495323F21599761e47f4c8F",
      "value": "ffffff" // see value without 0x
    }
  ],
  "timestamp": 1693229271999
});
Screenshots
https://github.com/MetaMask/test-dapp/assets/54408225/8dd578b4-b988-46c9-bf7d-f5cb21d3da62
Manual QA
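
One way to reject a request like the one in the description before it is processed further, as an added example that is not part of this PR or of MetaMask's code. It checks every quantity field against the Ethereum JSON-RPC quantity encoding (0x prefix, hex digits, no leading zeros) and fails closed; `validateTxParams` and the field lists are hypothetical names.

```javascript
// Added example: strict, fail-closed validation of eth_sendTransaction params.
// validateTxParams and the field lists are hypothetical, not MetaMask code.

// JSON-RPC "quantity": 0x prefix, hex digits, no leading zeros ("0x0" for zero).
const QUANTITY = /^0x(0|[1-9a-f][0-9a-f]*)$/i;
// 20-byte address: 0x prefix followed by exactly 40 hex digits.
const ADDRESS = /^0x[0-9a-f]{40}$/i;

const QUANTITY_FIELDS = ['value', 'gas', 'gasPrice', 'nonce'];
const ADDRESS_FIELDS = ['from', 'to'];

function validateTxParams(tx) {
  if (tx === null || typeof tx !== 'object' || Array.isArray(tx)) {
    return ['params[0] must be an object'];
  }
  const errors = [];
  for (const field of ADDRESS_FIELDS) {
    if (field in tx && !(typeof tx[field] === 'string' && ADDRESS.test(tx[field]))) {
      errors.push(`${field}: not a 0x-prefixed 20-byte address`);
    }
  }
  for (const field of QUANTITY_FIELDS) {
    if (!(field in tx)) continue;
    const v = tx[field];
    // Reject anything that is not a canonical string; never coerce or repair it.
    if (typeof v !== 'string' || !QUANTITY.test(v)) {
      errors.push(`${field}: not a 0x-prefixed hex quantity`);
    }
  }
  return errors;
}

// Constructed sample requests based on the payload in the description.
const base = {
  from: '0x9A4834c232923d7Ff5F8F52741546E14097C2b24',
  to: '0xbD28258AD16776B34495323F21599761e47f4c8F',
};
const samples = {
  unprefixed: { ...base, value: 'ffffff' },   // the case from the description
  prefixed: { ...base, value: '0xffffff' },
  numeric: { ...base, value: 16777215 },      // a JS number instead of a string
};
for (const [name, tx] of Object.entries(samples)) {
  const errors = validateTxParams(tx);
  console.log(name, errors.length ? `rejected: ${errors.join('; ')}` : 'accepted');
}
```

The point of failing closed is that a request the validator cannot parse is refused outright, so the value shown to the user and the value that gets signed cannot diverge.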