nash-io / neo-ico-template

An ICO Template for NEO projects
GNU General Public License v3.0

NEP-5 balanceOf validation #13

Closed brianlenz closed 3 years ago

brianlenz commented 6 years ago

Agreed it’s not a security issue! All of the data is on the blockchain, after all. It just addresses the expected, functional behavior for “balanceOf”.

FWIW, this was identified via our security audit (low risk, of course)...

shargon commented 6 years ago

It is not a security issue, but it may be good practice to accustom people to checking the parameters received. It does not affect safety, but we think it is good to do the checking.

Imagine the following scenario. An application rewards or checks that the address of a user's profile has a balance. However, the address has no balance, but the user, instead of a valid address (already reserved by other profiles), sets an arbitrary value that correctly returns a value with a balance.
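The scenario described in the comment above, as an added example that is not part of the original thread or the template's own code. It assumes a contract that keeps balances and other values in one key-value store (modelled here by a dict); the key `in_circulation`, the sample address and all function names are constructed for illustration.

```python
# Added illustration: a dict stands in for contract storage (an assumption,
# not the template's code). All keys and values below are constructed.
ADDRESS_LEN = 20  # a NEP-5 account is a 20-byte script hash

ALICE = bytes(range(1, 21))  # constructed 20-byte script hash
STORAGE = {
    ALICE: 500,                    # a real token balance
    b"in_circulation": 1_000_000,  # hypothetical non-balance entry in the same store
}


def balance_of_unchecked(storage, account):
    """Returns whatever is stored under the caller-supplied key."""
    return storage.get(account, 0)


def balance_of_checked(storage, account):
    """Rejects anything that is not a 20-byte script hash before reading storage."""
    if not isinstance(account, (bytes, bytearray)) or len(account) != ADDRESS_LEN:
        raise ValueError("account must be a 20-byte script hash")
    return storage.get(bytes(account), 0)


def profile_has_balance(balance_of, storage, profile_address):
    """Application-side check from the scenario: does the profile address hold tokens?"""
    try:
        return balance_of(storage, profile_address) > 0
    except ValueError:
        # A malformed address is treated as holding nothing.
        return False
```

With the unchecked lookup, a profile "address" of `b"in_circulation"` passes the application's balance check; with the length check it is rejected, while a genuine 20-byte address behaves the same in both.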