namada
namada copied to clipboard
anoma
Transfer of more NAAN than is on balance - successful
When I send from my address to my address more naan than I have on my balance, this transaction is signed as successful in the blockchain.
- Check ballance:
namada client balance --owner my-account --node https://namada-se100-rpc.gatadao.com
naan: 772.118076
- I make a transaction of 3000 naan from my address to my
namada client transfer --source my-account --target my-account --token NAAN --signing-keys my-account --node https://namada-se100-rpc.gatadao.com --amount 3000 --memo tpknam1qpgpfta82vnexmh6td5mjfrczmpucyslg4gwjnk33hm895750n6ny6hauyd
Error:
0: The balance of the source tnam1qz4h8drmfhtqx3kgev22sd8lkpn4gy82qy3fqkmw of token tnam1qxvg64psvhwumv3mwrrjfcz0h3t3274hwggyzcee is lower than the amount to be transferred. Amount to transfer is 3000.000000 and the balance is 772.118076.
1: The balance of the source tnam1qz4h8drmfhtqx3kgev22sd8lkpn4gy82qy3fqkmw of token tnam1qxvg64psvhwumv3mwrrjfcz0h3t3274hwggyzcee is lower than the amount to be transferred. Amount to transfer is 3000.000000 and the balance is 772.118076.
Location:
/root/namada/crates/apps/src/lib/cli/client.rs:66
Backtrace omitted. Run with RUST_BACKTRACE=1 environment variable to display it.
Run with RUST_BACKTRACE=full to include source snippets.
- I do the same transaction but with a flag --force
namada client transfer --source my-account --target my-account --token NAAN --signing-keys my-account --node https://namada-se100-rpc.gatadao.com --amount 3000 --memo tpknam1qpgpfta82vnexmh6td5mjfrczmpucyslg4gwjnk33hm895750n6ny6hauyd --force
The balance of the source tnam1qz4h8drmfhtqx3kgev22sd8lkpn4gy82qy3fqkmw of token tnam1qxvg64psvhwumv3mwrrjfcz0h3t3274hwggyzcee is lower than the amount to be transferred. Amount to transfer is 3000 and the balance is 772.118076.
Transaction added to mempool.
Wrapper transaction hash: 3AA6E6A3B20D0EF2639A6B11DC3E3E34A990AC07154A41527B6E39C9CC6FB88E
Inner transaction hash: 55F3716C90C698D3F55A59CA3B5DA0B4EA399C82C6D1AE7E1E73718F05A3BD7C
Wrapper transaction accepted at height 352906. Used 24 gas.
Waiting for inner transaction result...
Transaction was successfully applied at height 352907. Used 3397 gas.
P.S. The balance during such a transaction remains the same
Why are you transferring to yourself though? If you transferred to another address (say one that you also owned), you don't see this, correct? You should receive a wasm error if you did this with different source and target addresses.
Of course the balance is going to stay the same since the source and target addresses are the same.
Why are you transferring to yourself though? If you transferred to another address (say one that you also owned), you don't see this, correct? You should receive a wasm error if you did this with different
sourceandtargetaddresses.Of course the balance is going to stay the same since the
sourceandtargetaddresses are the same.
Why did i send it to my address? I was just testing, because I know a couple of projects in which there was a bug due to an incorrectly written contract, and when I sent it to myself, the balance increased. Namada is good at this, the balance remains in place.. But this still should not be the case for the transaction to be successful when sending a larger balance to oneself, since such transactions can at least become manipulation, because the blockchain defines them as successful, although no changes in the balance occur.
I don't see any provocative issue here! Although the flow and implementation could be accepted if it was x to y, not x to x.
I don't see any provocative issue here! Although the flow and implementation could be accepted if it was x to y, not x to x.
I think this is very strange. Imagine that this exists, for example, on the Ethereum blockchain. There are various statistics that are collected, one of which is the volume of transferred tokens on the network per month, such data is checked from the transaction, it doesn’t matter whether you sent it to yourself or not - the blockchain defined it as a successful transfer of tokens and thus I can transfer 1,000,000 tokens and various statistical services will take this volume into account as real. Even a trivial example with network statistics will be distorted due to this possibility of transaction. Not to mention that the possibility of such a transaction at all could theoretically open up opportunities for a backdoor.
Everything related to the balance and tokens should work correctly, and not introduce false information into the blockchain
I agree, the dynamics and system must be robust and fault tolerant.
This could later cause some random unverified metrics and statistics.
Well good one on your finding!
I'll leave the decisions with the team.
@banananas1vb I agree, while this does not pose a security vulnerability for Namada (the tx will error with Insufficient balance if source != target), it does not seem wise to allow such a tx to post successfully to the chain and thus provide bad data to other services. We'll work on sorting out this edge case more properly.
Thanks for testing and finding!
