The TokenContract.transfer() function produces two account updates: one for the sender of the funds and one for the receiver.
Rather than creating the AccountUpdates from scratch, it can accept a from and toAccountUpdate. In this case, it overwrites the balanceChange field to the amount being transferred.
However, from and to may have non-zero balanceChanges when passed to transfer(). Setting balanceChange overrides whatever the previous value was.
Impact
If users pass an AccountUpdate with an existing balance change to this function generated by another application, they may experience difficult-to-debug prover errors due to the mutation.
Recommendation
Use AccountUpdate.balance.addInPlace() and AccountUpdate.balance.subInPlace() instead of overwriting balances. Note that, if from and to have existing balances, this will require they are negatives of each other
The
TokenContract.transfer()function produces two account updates: one for the sender of the funds and one for the receiver.Rather than creating the
AccountUpdates from scratch, it can accept afromandtoAccountUpdate. In this case, it overwrites thebalanceChangefield to theamountbeing transferred.However,
fromandtomay have non-zerobalanceChanges when passed totransfer(). SettingbalanceChangeoverrides whatever the previous value was.Impact
If users pass an
AccountUpdatewith an existing balance change to this function generated by another application, they may experience difficult-to-debug prover errors due to the mutation.Recommendation
Use
AccountUpdate.balance.addInPlace()andAccountUpdate.balance.subInPlace()instead of overwriting balances. Note that, iffromandtohave existing balances, this will require they are negatives of each other