search

vacuumlabs / adalite

A lightweight web wallet for Cardano cryptocurrency with Trezor, Ledger and BitBox02 support. Please note that the only valid domain for our wallet is adalite.io
https://adalite.io
235 stars 49 forks source link

Incorrect ordering of tokens in the token bundle supplied to Ledger #877

Closed refi93 closed 3 years ago

refi93 commented 3 years ago

I just checked the code for the preparation of the token bundle for Ledger: https://github.com/vacuumlabs/adalite/blob/develop/app/frontend/wallet/shelley/shelley-ledger-crypto-provider.ts#L206 and it seems that we are not properly ordering the keys before passing them to ledgerjs which currently delegates that to the integrating party: https://github.com/vacuumlabs/ledgerjs-cardano-shelley/blob/develop/docs/signTransaction.md#outputtypeaddress

Even though Adalite is sending only one token at a time, this can have impact on chainge outputs containing a mixture of tokens, as they would not be serialized in the correct order.

For guidance on how to order the keys canonically see https://tools.ietf.org/html/rfc7049 page 26

PeterBenc commented 3 years ago

Should be already fixed so closing.