fix: ensure sender_id has a balance is greater than amount

engine-tests/src/tests/eth_connector.rs

@@ -501,6 +501,46 @@ fn test_ft_transfer_call_without_message() {
     let balance = get_eth_on_near_balance(&master_account, CONTRACT_ACC, CONTRACT_ACC);
     assert_eq!(balance, DEPOSITED_FEE);
 
+    // should revert with `not enough balance` error when sending arbitray amount while sender_id = receiver_id
+    let transfer_amount = 1000000000;
+    let res = recipient_account.call(
+        CONTRACT_ACC.parse().unwrap(),
+        "ft_transfer_call",
+        json!({
+            "receiver_id": recipient_account.signer.account_id.to_string(),
+            "amount": transfer_amount.to_string(),
+            "msg": "",
+        })
+        .to_string()
+        .as_bytes(),
+        DEFAULT_GAS,
+        1,
+    );
+
+    assert_execution_status_failure(
+        res.outcome().clone().status,
+        "ExecutionError(\"Smart contract panicked: ERR_NOT_ENOUGH_BALANCE\")",
+        "Expected failure in `ft_transfer_call` call, but call succeeded",
+    );
+
+    // should not revert with `not enough balance` error when sending arbitray amount while sender_id = receiver_id with amount < balance
+    let transfer_amount = 1;
+    let res = recipient_account.call(
+        CONTRACT_ACC.parse().unwrap(),
+        "ft_transfer_call",
+        json!({
+            "receiver_id": recipient_account.signer.account_id.to_string(),
+            "amount": transfer_amount.to_string(),
+            "msg": "",
+        })
+        .to_string()
+        .as_bytes(),
+        DEFAULT_GAS,
+        1,
+    );
+
+    res.assert_success();
+
     // Sending to random account should not change balances
     let transfer_amount = 22;
     let res = recipient_account.call(

engine/src/fungible_token.rs

@@ -251,6 +251,13 @@ impl<I: IO + Copy> FungibleTokenOps<I> {
         current_account_id: AccountId,
         prepaid_gas: NearGas,
     ) -> Result<PromiseWithCallbackArgs, error::TransferError> {
+        // check balance to prevent setting an arbitrary value for `amount` for (receiver_id == receiver_id).
+        let balance = self
+            .get_account_eth_balance(&sender_id)
+            .unwrap_or(ZERO_NEP141_WEI);
+        if amount > balance {
+            return Err(error::TransferError::InsufficientFunds);
+        }
         // Special case for Aurora transfer itself - we shouldn't transfer
         if sender_id != receiver_id {
             self.internal_transfer_eth_on_near(&sender_id, &receiver_id, amount, memo)?;