Closed maesitos closed 6 years ago
The pull request https://github.com/Sailias/bitcoin_payable/pull/41 solves the problem and gives more clarity to the code.
Actually since BitcoinPayable::Interactors::TransactionProcessor::DeterminePaymentStatus
only sets the payment as confirmed if the total fiat received is correct the steps to bypass the payment system is:
BitcoinPayable.config.confirmations - 1
confirmations BitcoinPayable.config.confirmations
BitcoinPayable.config.confirmations
making the whole payment as confirmed while the 9.9BTC will never reach BitcoinPayable.config.confirmations
confirmations.It's obviously a pretty involved process and a very hard attack but the user of the Gem can receive a double spend attack when he thought he was waiting for n confirmations.
@maesitos I see. It should ensure each transaction meets the minimum confirmation count.
@Sailias PR #41 is a simple fix to this problem.
Since
BitcoinPayable::Interactors::TransactionProcessor::DeterminePaymentStatus
checks a single transaction and sets the payment as:confirmed
if only that particular transaction has more confirmations thanBitcoinPayable.config.confirmations
there is an immediate loophole::confirmed
without it being first:fully_paid
or receiving the correct number of coins.It's true AASM restricts the states the class can transition from
Nonetheless the current code still allows the class to transition from
:pending
to:confirm
and I don't recommend to limit the transition from only:paid_in_full