Currently, when a crypto transaction is made on the frontend, the API does not validate the transaction hash to confirm that the transaction actually took place on chain and carries the correct data. All the API does is toggle a boolean/string status recording that the user made the transaction; no actual transaction validation occurs on the API side. This leaves the system vulnerable: someone could call the API directly (for example from the CLI) and toggle the status without ever making a transaction.
To fix this, the idea is that the user sends the transaction hash to the API. The API then looks up the transaction on chain, verifies its metadata and other details, and only if everything checks out allows the relevant API call to proceed.
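Sketch of the server-side check described above, as an added example that is not part of this project's code. It assumes an EVM-style chain with a receipt lookup (the `Tx` records, `CHAIN`, `TREASURY` and `HEAD_BLOCK` are constructed stand-ins for a real RPC client); the checks it performs are the ones the API would need before trusting a user-supplied hash: the transaction exists and succeeded, was sent by the user's own address to our treasury address, paid at least the expected amount, has enough confirmations, and has not already been credited.

```python
from dataclasses import dataclass

# Constructed sample chain data standing in for eth_getTransactionReceipt-style
# lookups; a real deployment would query an RPC node instead of this dict.
TREASURY = "0xTreasury"
REQUIRED_CONFIRMATIONS = 12
HEAD_BLOCK = 125


@dataclass(frozen=True)
class Tx:
    sender: str
    to: str
    value_wei: int
    success: bool
    block_number: int


CHAIN = {
    "0xaaa": Tx("0xAlice", TREASURY, 10**18, True, 100),          # valid payment
    "0xbbb": Tx("0xAlice", TREASURY, 10**18, False, 101),         # reverted on chain
    "0xccc": Tx("0xAlice", "0xSomewhereElse", 10**18, True, 102),  # paid the wrong address
    "0xddd": Tx("0xAlice", TREASURY, 5 * 10**17, True, 103),      # underpaid
    "0xeee": Tx("0xAlice", TREASURY, 10**18, True, 120),          # not yet confirmed
}

# Hashes already credited. In production this lives in the database with a
# uniqueness constraint, so the same hash can never unlock the action twice.
consumed_hashes = set()


def verify_payment(tx_hash, user_address, expected_wei, lookup=CHAIN.get, head=HEAD_BLOCK):
    """Return (ok, reason). The API must only toggle the user's status when ok is True."""
    if tx_hash in consumed_hashes:
        return False, "replay"
    tx = lookup(tx_hash)
    if tx is None:
        return False, "not found"
    if not tx.success:
        return False, "reverted"
    if tx.sender.lower() != user_address.lower():
        return False, "sender mismatch"      # hash belongs to someone else's payment
    if tx.to.lower() != TREASURY.lower():
        return False, "wrong recipient"
    if tx.value_wei < expected_wei:
        return False, "underpaid"
    if head - tx.block_number < REQUIRED_CONFIRMATIONS:
        return False, "unconfirmed"          # wait for finality before crediting
    consumed_hashes.add(tx_hash)
    return True, "ok"
```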