cosmos / cosmjs

The Swiss Army knife to power JavaScript based client solutions ranging from Web apps/explorers over browser extensions to server-side clients like faucets/scrapers.
https://cosmos.github.io/cosmjs/
Apache License 2.0

Rapidly sending multiple requests to the faucet can obtain multiple test coins #1556

Closed 170210 closed 4 months ago

170210 commented 4 months ago

Hello, I am trying to use cosmjs/faucet.

However, I have noticed that if I send the same request multiple times in a short period, either through CLI or the frontend, I can obtain multiple test coins, thereby bypassing the rule (https://github.com/cosmos/cosmjs/blob/main/packages/faucet/src/api/webserver.ts#L69-L77) set that one can only receive coins once within a certain period.

Is it necessary to implement an exclusive lock to prevent the same address from making multiple requests within a short period?

webmaster128 commented 4 months ago

There is no multithreading in a node.js app, so the issue is probably not the lock itself.

I think the main issue is those lines here: https://github.com/cosmos/cosmjs/blob/main/packages/faucet/src/api/webserver.ts#L86-L88. Since the await faucet.credit(address, matchingDenom) call only returns when the transaction is in a block, the date is set too late. We should swap the two.
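The ordering problem described in the comment above, as an added example that is not part of the original thread and is not cosmjs code: a minimal model of a per-address cooldown in a single-threaded Node.js handler, with the timestamp written after the awaited credit and then before it. The handler names, the `makeFaucet` stand-in, the 60-second cooldown and the address are assumptions made for illustration.

```javascript
// Added example: hypothetical names throughout, not taken from cosmjs.
const COOLDOWN_MS = 60_000; // assumed cooldown period

// Stand-in for a credit call that resolves only once the tx is in a block.
function makeFaucet(blockTimeMs = 10) {
  const faucet = { sent: 0 };
  faucet.credit = async (address) => {
    await new Promise((resolve) => setTimeout(resolve, blockTimeMs));
    faucet.sent += 1;
  };
  return faucet;
}

function isCoolingDown(lastCredit, address, now) {
  const last = lastCredit.get(address);
  return last !== undefined && now - last < COOLDOWN_MS;
}

// Ordering described in the issue: the timestamp is written after the await,
// so every request that arrives before the first block sees an empty map.
async function creditThenRecord(faucet, lastCredit, address) {
  if (isCoolingDown(lastCredit, address, Date.now())) return "cooldown";
  await faucet.credit(address);
  lastCredit.set(address, Date.now());
  return "credited";
}

// Swapped ordering: check and write happen in the same synchronous turn,
// so no other request handler can run between them.
async function recordThenCredit(faucet, lastCredit, address) {
  if (isCoolingDown(lastCredit, address, Date.now())) return "cooldown";
  lastCredit.set(address, Date.now());
  await faucet.credit(address);
  return "credited";
}

// Fire `n` requests for one address without waiting in between and
// report how many credits were actually sent.
async function burst(handler, n) {
  const faucet = makeFaucet();
  const lastCredit = new Map();
  const address = "cosmos1exampleaddress"; // constructed placeholder
  const statuses = await Promise.all(
    Array.from({ length: n }, () => handler(faucet, lastCredit, address)),
  );
  return { credits: faucet.sent, statuses };
}
```

In this model, recording first means a failed credit still starts the cooldown for that address unless the handler removes the entry on error.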

170210 commented 4 months ago

Thank you for your reply! I tried swapping these two commands, and it successfully prevented multiple requests.

webmaster128 commented 4 months ago

Could you open a PR with that change?