maesitos
commented
6 years ago The pull request https://github.com/Sailias/bitcoin_payable/pull/41 solves the problem and gives more clarity to the code.
Closed maesitos closed 6 years ago
maesitos
commented
6 years ago The pull request https://github.com/Sailias/bitcoin_payable/pull/41 solves the problem and gives more clarity to the code.
maesitos
commented
6 years ago Actually since BitcoinPayable::Interactors::TransactionProcessor::DeterminePaymentStatus only sets the payment as confirmed if the total fiat received is correct the steps to bypass the payment system is:
BitcoinPayable.config.confirmations - 1 confirmations BitcoinPayable.config.confirmationsBitcoinPayable.config.confirmations making the whole payment as confirmed while the 9.9BTC will never reach BitcoinPayable.config.confirmations confirmations.It's obviously a pretty involved process and a very hard attack but the user of the Gem can receive a double spend attack when he thought he was waiting for n confirmations.
Sailias
commented
6 years ago @maesitos I see. It should ensure each transaction meets the minimum confirmation count.
maesitos
commented
6 years ago @Sailias PR #41 is a simple fix to this problem.
Since
BitcoinPayable::Interactors::TransactionProcessor::DeterminePaymentStatuschecks a single transaction and sets the payment as:confirmedif only that particular transaction has more confirmations thanBitcoinPayable.config.confirmationsthere is an immediate loophole::confirmedwithout it being first:fully_paidor receiving the correct number of coins.It's true AASM restricts the states the class can transition from
Nonetheless the current code still allows the class to transition from
:pendingto:confirmand I don't recommend to limit the transition from only:paid_in_full