tolya-yanot
commented
1 month ago Should be accounted by the backend, but it looks like there's no problem in the contract.
Closed akifoq closed 1 month ago
tolya-yanot
commented
1 month ago Should be accounted by the backend, but it looks like there's no problem in the contract.
Please note that an attacker might try to blacklist an innocent wallet by front-running the internal message with the signed request to increase seqno prior to the original gas provider message. That is, by sending the copy of the request extracted from the mempool from attacker-controlled address and hoping it arrives earlier.
The issue is mitigated by the fact that the attacker-provided request is the original one, so it will send the jetton payment for the gas to the service anyways, but the service backend might account it for cheating and blacklist the wallet since the original message transaction would fail due to seqno increase.