poanetwork / poa-popa

DApp for proof of physical address (PoPA) attestation for validators of POA Network
https://popa.poa.network
GNU General Public License v3.0

Third party Tokens can be sent to the contract with no way of retrieving them #126

Closed pablofullana closed 6 years ago

pablofullana commented 6 years ago

Observation: It is possible for someone to transfer tokens to the contract address when they meant to send ETH. It is best practice to implement a function for the owner to retrieve tokens. An example is the claimToken() safety function in the latest version of MinimeToken.

fvictorio commented 6 years ago

I'm not really sure how to implement this. I can't just send all the tokens to the caller, because then if A accidentally sends tokens to the contract, B can claim them. And I don't have a way to know that the contract received them from A.

The only thing I can think of is to transfer them to the owner of the contract, and then the owner can send the tokens to the person that sent them. But this requires trusting the owner, and the cost of the transaction is not paid by the claimer.

I'm not sure, but I think the linked contract (MiniMe) does something similar (but to a "Controller" instead of an owner).

@phahulin Thoughts?

igorbarinov commented 6 years ago

We use it in many apps. E.g. claim tokens in the bridge.

https://github.com/poanetwork/poa-bridge-contracts/blob/93969cd934190649d42691f054676d0d16a9777e/contracts/POA20.sol#L59
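The recovery function discussed in this thread, written out as an added example. This is not code from poa-popa, nor the POA20 contract linked above; it is a standalone illustration of the owner-claims-then-forwards pattern fvictorio describes. Names (`ClaimableTokens`, `claimTokens`, `TokensClaimed`, the minimal `ERC20Basic` interface) are assumptions for the example. It follows the trade-off raised in the thread: the contract cannot know who sent the tokens, so the owner receives them and is trusted to forward them, and an event is emitted so the recovery is visible on chain.

```solidity
pragma solidity ^0.4.24;

// Minimal ERC20 surface the recovery path needs (assumed interface name for this example).
interface ERC20Basic {
    function balanceOf(address _who) external view returns (uint256);
    function transfer(address _to, uint256 _value) external returns (bool);
}

// Example contract (not the project's own) showing an owner-only recovery function
// for tokens or ETH that were sent to the contract by mistake.
contract ClaimableTokens {
    address public owner;

    // Audit trail: which asset was recovered, where it went, and how much.
    event TokensClaimed(address indexed token, address indexed to, uint256 amount);

    constructor() public {
        owner = msg.sender;
    }

    modifier onlyOwner() {
        require(msg.sender == owner, "caller is not the owner");
        _;
    }

    // Accept plain ETH so the recovery path below also covers ETH sent by mistake.
    function () external payable {}

    // Recover the full balance of `_token` held by this contract and send it to `_to`.
    // `_token == address(0)` means ETH. Only the owner may call this; the contract
    // cannot tell who originally sent the tokens, so the owner is trusted to forward
    // them to the rightful sender (the limitation noted in the thread).
    function claimTokens(address _token, address _to) external onlyOwner {
        require(_to != address(0), "recipient is the zero address");

        if (_token == address(0)) {
            uint256 ethBalance = address(this).balance;
            _to.transfer(ethBalance);
            emit TokensClaimed(address(0), _to, ethBalance);
            return;
        }

        ERC20Basic token = ERC20Basic(_token);
        uint256 balance = token.balanceOf(address(this));
        require(balance > 0, "nothing to claim");
        // Revert if the token reports a failed transfer rather than silently losing funds.
        require(token.transfer(_to, balance), "token transfer failed");
        emit TokensClaimed(_token, _to, balance);
    }
}
```

Two caveats a reviewer would raise against this pattern. First, if the contract holds any token as part of its normal operation, the owner must not be able to sweep that token with this function; add an explicit exclusion for it. Second, some widely used tokens do not return a `bool` from `transfer`, and with compiler 0.4.22 or later the `require(token.transfer(...))` call above reverts for them because the return data is shorter than expected; for those tokens a low-level call that tolerates an empty return value is needed.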