namada icon indicating copy to clipboard operation
namada copied to clipboard
verified publisher icon anoma

Report of Confusing Behavior in Namada Transfer Command

Open tphat2616 opened this issue 1 year ago • 2 comments

Title: Finding Security Vulnerabilities

Summery: While utilizing the transfer command with the "--source multi" and "--target phat" options, along with the "--signing-keys phat,teo" parameter, I encountered an issue. Specifically, during the process, when the source account is initialized with a threshold of 1, the transfer command prompts for only one account signature. However, it erroneously accepts any input for the second signature prompt, even without the correct password. This behavior might confuse users as it implies that the second key is not essential for the transaction.

Here is a summary of the encountered scenario:

Command:namadac transfer --source multi --target phat --token naan --amount 1 --signing-keys phat,teo

Response from the console:Enter your decryption password: [Correct password for key 1] Enter your decryption password: [Any input is accepted for key 2] Transaction added to mempool.

I believe addressing this issue could enhance the clarity and security of the transfer process for users. It's essential to ensure that when the source account is initialized with a threshold of 1, only one account signature should be required during the transfer process.

tphat2616 avatar Mar 11 '24 02:03 tphat2616

~~This issue has been reported and will be fixed in this ticket https://github.com/anoma/namada/pull/2747~~

quangtuyen88 avatar Mar 11 '24 04:03 quangtuyen88

This issue has been reported and will be fixed in this ticket #2747

This PR has nothing to relate with my bug at all.

tphat2616 avatar Mar 30 '24 03:03 tphat2616