fix: ensure sender_id has a balance is greater than amount (#708)

* fix: ensure `sender_id` has a balance is greater than amount * fix: clippy errors * fix: prevent setting an arbitrary value for `amount` * adding test cases * Update engine-tests/src/tests/eth_connector.rs Co-authored-by: Oleksandr Anyshchenko <oleksandr.anyshchenko@aurora.dev> * Update engine-tests/src/tests/eth_connector.rs Co-authored-by: Oleksandr Anyshchenko <oleksandr.anyshchenko@aurora.dev> --------- Co-authored-by: Oleksandr Anyshchenko <oleksandr.anyshchenko@aurora.dev>
aurora-is-near · Apr 5, 2023 · cff31a4 · cff31a4
1 parent 920707c
commit cff31a4
Show file tree

Hide file tree

Showing 2 changed files with 47 additions and 0 deletions.
diff --git a/engine-tests/src/tests/eth_connector.rs b/engine-tests/src/tests/eth_connector.rs
@@ -501,6 +501,46 @@ fn test_ft_transfer_call_without_message() {
     let balance = get_eth_on_near_balance(&master_account, CONTRACT_ACC, CONTRACT_ACC);
     assert_eq!(balance, DEPOSITED_FEE);
 
+    // should revert with `not enough balance` error when sending arbitrary amount while sender_id == receiver_id
+    let transfer_amount = 1000000000;
+    let res = recipient_account.call(
+        CONTRACT_ACC.parse().unwrap(),
+        "ft_transfer_call",
+        json!({
+            "receiver_id": recipient_account.signer.account_id.to_string(),
+            "amount": transfer_amount.to_string(),
+            "msg": "",
+        })
+        .to_string()
+        .as_bytes(),
+        DEFAULT_GAS,
+        1,
+    );
+
+    assert_execution_status_failure(
+        res.outcome().clone().status,
+        "ExecutionError(\"Smart contract panicked: ERR_NOT_ENOUGH_BALANCE\")",
+        "Expected failure in `ft_transfer_call` call, but call succeeded",
+    );
+
+    // should not revert with `not enough balance` error when sending arbitrary amount while sender_id == receiver_id with amount < balance
+    let transfer_amount = 1;
+    let res = recipient_account.call(
+        CONTRACT_ACC.parse().unwrap(),
+        "ft_transfer_call",
+        json!({
+            "receiver_id": recipient_account.signer.account_id.to_string(),
+            "amount": transfer_amount.to_string(),
+            "msg": "",
+        })
+        .to_string()
+        .as_bytes(),
+        DEFAULT_GAS,
+        1,
+    );
+
+    res.assert_success();
+
     // Sending to random account should not change balances
     let transfer_amount = 22;
     let res = recipient_account.call(

diff --git a/engine/src/fungible_token.rs b/engine/src/fungible_token.rs
@@ -251,6 +251,13 @@ impl<I: IO + Copy> FungibleTokenOps<I> {
         current_account_id: AccountId,
         prepaid_gas: NearGas,
     ) -> Result<PromiseWithCallbackArgs, error::TransferError> {
+        // check balance to prevent setting an arbitrary value for `amount` for (receiver_id == receiver_id).
+        let balance = self
+            .get_account_eth_balance(&sender_id)
+            .unwrap_or(ZERO_NEP141_WEI);
+        if amount > balance {
+            return Err(error::TransferError::InsufficientFunds);
+        }
         // Special case for Aurora transfer itself - we shouldn't transfer
         if sender_id != receiver_id {
             self.internal_transfer_eth_on_near(&sender_id, &receiver_id, amount, memo)?;