Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

feat: add Blockaid bypass for send value without 0x prefix #329

Merged
merged 1 commit into from
Apr 26, 2024
Merged

feat: add Blockaid bypass for send value without 0x prefix #329

merged 1 commit into from
Apr 26, 2024

Conversation

seaona
Copy link
Contributor

@seaona seaona commented Apr 26, 2024
edited
Loading

Description

This PR adds a new identified bypass, where dapps could pass a value in hex, without the 0x prefix, and this would make the validation fail - but the transaction will succeed.
This is now fixed in the current MM version 11.14, but it was happening in previous versions.

window.ethereum.sendAsync({
  "method": "eth_sendTransaction",
  "params": [
    {
          "from": "0x9A4834c232923d7Ff5F8F52741546E14097C2b24",
          "to": "0xbD28258AD16776B34495323F21599761e47f4c8F",
          "value": "ffffff" // see value without 0x
    }
  ],
  "timestamp": 1693229271999
}
)

Screenshots

Screenshot from 2024-04-26 11-26-50

blockaid-bypass-prefix-value.mp4

Manual QA

  1. Install an older version of the wallet ie MM version 11.12
  2. Try the new bypass -- see the blockaid validation fails
  3. Install 11.14 version of MM
  4. Try the new bypass -- see the blockaid validation is successful, bc a fix was released in the last version

seaona
seaona commented Apr 26, 2024
View reviewed changes
src/index.js
maliciousApproveERC20WithOddHexData,
maliciousPermitHexPaddedChain,
maliciousPermitIntAddress,
maliciousSendWithOddHexData,
maliciousApproveERC20WithOddHexData,
Copy link
Contributor Author

@seaona seaona Apr 26, 2024
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

this was mistakenly duplicated a couple of lines above, so it's now removed

@seaona seaona marked this pull request as ready for review April 26, 2024 13:47
@seaona seaona merged commit 390ff3b into main Apr 26, 2024
7 checks passed
@seaona seaona deleted the bypass-send-without-prefix branch April 26, 2024 16:04
@seaona seaona mentioned this pull request May 27, 2024
Merged
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@matthewwalsh0 matthewwalsh0 matthewwalsh0 approved these changes

@digiwand digiwand digiwand approved these changes

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
3 participants
@seaona @matthewwalsh0 @digiwand