ton-blockchain / token-contract

Fungible, Non-Fungible, Semi-Fungible Tokens Smart Contracts

Unreliable authorization check in op::burn_notification() #37

Open esuwu opened 3 months ago

esuwu commented 3 months ago

Hi everyone! I was looking at the Jetton burn function and noticed a strange authorization check. It seems to me that it could be a security issue.

token-contract/ft/jetton-minter.fc:75

            equal_slices(calculate_user_jetton_wallet_address(from_address, my_address(), jetton_wallet_code), sender_address));

This line checks whether the sender is authorized to burn tokens. However, from_address is the payload parameter fully controlled by the sender. So this check is literally saying this: "Do you know 'from_address' such that its hash(from_address, my_address) is equal to your actual address 'sender_address'?" It seems to me that instead of provoking an attacker to guess such a payload to bypass the check, it could be better to:

1) precompute the wallet address as hash(sender_address, my_address(), jetton_wallet_code)
2) save it, and when checking for authorization, check that hash(sender_address, my_address(), jetton_wallet_code) == saved_hash

The proposed option is "something you are." Other options could include "something you know," "secret," etc.

In a nutshell: The throw check can be bypassed if an attacker can craft the payload such that sender_address matches the calculated must_be_address = calculate_user_jetton_wallet_address(from_address, my_address(), jetton_wallet_code). What's more, it can be guessed offline.

Please correct me if I'm wrong and thank you for your time.
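
A simplified model of the check quoted from jetton-minter.fc:75, added here as an illustration; it is not part of the issue or of the token-contract code. Assumptions: SHA-256 over length-prefixed fields stands in for the contract's real address derivation, `burn_notification_authorized` and `evaluate_cases` are hypothetical names, and every address and code value is constructed.

```python
import hashlib

# Constructed sample values; real TON addresses and contract code look different.
WALLET_CODE = b"constructed-jetton-wallet-code"
MINTER = b"constructed-minter-address"

def wallet_address(owner: bytes, minter: bytes, code: bytes) -> bytes:
    """Stand-in for calculate_user_jetton_wallet_address(): a hash that
    commits to the owner, the minter and the wallet code (assumption:
    SHA-256 over length-prefixed fields replaces the real derivation)."""
    h = hashlib.sha256()
    for part in (code, owner, minter):
        h.update(len(part).to_bytes(4, "big") + part)
    return h.digest()

def burn_notification_authorized(sender: bytes, from_address: bytes) -> bool:
    """Model of the quoted check: derive the wallet address for the claimed
    from_address and compare it with the actual message sender."""
    must_be_address = wallet_address(from_address, MINTER, WALLET_CODE)
    return must_be_address == sender

def evaluate_cases() -> dict:
    """Run the check over constructed senders and claimed owners."""
    alice, bob = b"constructed-owner-alice", b"constructed-owner-bob"
    alice_wallet = wallet_address(alice, MINTER, WALLET_CODE)
    other_minter_wallet = wallet_address(alice, b"constructed-other-minter", WALLET_CODE)
    other_code_wallet = wallet_address(alice, MINTER, b"constructed-other-code")
    return {
        "alice wallet, from=alice": burn_notification_authorized(alice_wallet, alice),
        "alice wallet, from=bob": burn_notification_authorized(alice_wallet, bob),
        "wallet of another minter, from=alice": burn_notification_authorized(other_minter_wallet, alice),
        "different wallet code, from=alice": burn_notification_authorized(other_code_wallet, alice),
        "owner address itself as sender": burn_notification_authorized(alice, alice),
    }

if __name__ == "__main__":
    for case, accepted in evaluate_cases().items():
        print(f"{case}: {'accepted' if accepted else 'rejected'}")
```

In this model a sender is accepted only when its own address equals the value derived from the claimed from_address, this minter's address and the wallet code.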