invoice-canister
[SEC-F30] Funds can get stuck in invoice accounts
Observation
If an invoice is paid again after the invoice was verified, the money is locked. TODO: expand on this
Recommendations
Offer a new method:
type AmountConsolidated = Nat;
consolidate_account({accountIdentifier: AccountIdentifier}) : AmountConsolidated
Changed recommendation: instead, use the invoice id as the lookup. Do not allow the consolidation if the invoice has not yet been satisfied.
Would adding a "parity refund" method resolve this?
Any funds in an invoice subaccount would be transferred to the specific account identifier address passed in (less the transfer cost, unless the balance of that invoice subaccount is less than the transfer fee, in which case there's not much that can be done without losing more value than it's worth which would naturally return as an error).
Should this require a new permission or just be limited to the particular invoice creator and those who can add and remove principals from the creation allow list (i.e. at least the original deployer-er)?
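The recovery rules discussed in this thread (look up by invoice id, refuse until the invoice is satisfied, send the balance less the transfer fee, error when the balance cannot cover the fee), modeled as an added Python example that is not part of the thread or the canister's own code. The in-memory ledger, the fee value, the error codes, the `subaccount` helper and the caller policy (creator or allow-list administrator) are all assumptions.

```python
from dataclasses import dataclass

TRANSFER_FEE = 10_000  # assumed ledger fee in e8s; a constructed value

class RecoveryError(Exception):
    """Raised with a short machine-readable reason code."""

@dataclass
class Invoice:
    creator: str    # principal that created the invoice
    verified: bool  # True once the invoice has been satisfied and verified

def subaccount(invoice_id: int) -> str:
    # Hypothetical stand-in for deriving the invoice's subaccount identifier.
    return f"invoice-subaccount-{invoice_id}"

def recover_invoice_funds(ledger, invoices, admins, caller, invoice_id, destination):
    """Move a verified invoice's leftover subaccount balance to `destination`.

    Returns the amount credited (balance minus the transfer fee).
    """
    invoice = invoices.get(invoice_id)
    if invoice is None:
        raise RecoveryError("invoice_not_found")
    # Assumed policy: only the creator or an allow-list administrator may call.
    if caller != invoice.creator and caller not in admins:
        raise RecoveryError("not_authorized")
    # Look up by invoice id and refuse until the invoice has been satisfied.
    if not invoice.verified:
        raise RecoveryError("invoice_not_satisfied")
    source = subaccount(invoice_id)
    balance = ledger.get(source, 0)
    # At or below the fee nothing would arrive, so report an error instead.
    # Treating balance == fee as an error is an assumption of this model.
    if balance <= TRANSFER_FEE:
        raise RecoveryError("balance_below_fee")
    amount = balance - TRANSFER_FEE
    ledger[source] = 0
    ledger[destination] = ledger.get(destination, 0) + amount
    return amount

if __name__ == "__main__":
    # Constructed scenario: invoice 1 was verified, then paid a second time.
    invoices = {1: Invoice("alice", True)}
    ledger = {subaccount(1): 50_000}
    print(recover_invoice_funds(ledger, invoices, {"deployer"}, "alice", 1, "alice-main"))
```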