From 41ad78750eb886b29c035c799577a2525529f434 Mon Sep 17 00:00:00 2001
From: CalDescent
Date: Mon, 24 May 2021 18:59:41 +0100
Subject: [PATCH] Don't allow QORT addresses to be used as the receiving address when redeeming LTC

This is probably more validation than is actually needed, but given that we use the same field for LTC and QORT receiving addresses in the database, it is best to be extra careful.
---
 .../qortal/api/resource/CrossChainHtlcResource.java | 13 ++++++++++---
 1 file changed, 10 insertions(+), 3 deletions(-)
diff --git a/src/main/java/org/qortal/api/resource/CrossChainHtlcResource.java b/src/main/java/org/qortal/api/resource/CrossChainHtlcResource.java
index e024c8e3..119ac2f8 100644
--- a/src/main/java/org/qortal/api/resource/CrossChainHtlcResource.java
+++ b/src/main/java/org/qortal/api/resource/CrossChainHtlcResource.java
@@ -26,6 +26,7 @@ import org.qortal.api.ApiExceptionFactory;
 import org.qortal.api.Security;
 import org.qortal.api.model.CrossChainBitcoinyHTLCStatus;
 import org.qortal.crosschain.*;
+import org.qortal.crypto.Crypto;
 import org.qortal.data.at.ATData;
 import org.qortal.data.crosschain.CrossChainTradeData;
 import org.qortal.data.crosschain.TradeBotData;
@@ -267,9 +268,9 @@ public class CrossChainHtlcResource {
 // Search for the litecoin receiving address in the tradebot data
 byte[] litecoinReceivingAccountInfo = null;
- if (tradeBotData != null)
- // Use receiving address PKH from tradebot data
- litecoinReceivingAccountInfo = tradeBotData.getReceivingAccountInfo();
+ if (tradeBotData != null)
+ // Use receiving address PKH from tradebot data
+ litecoinReceivingAccountInfo = tradeBotData.getReceivingAccountInfo();
 return this.doRedeemHtlc(atAddress, decodedPrivateKey, decodedSecret, litecoinReceivingAccountInfo);
@@ -304,6 +305,12 @@ public class CrossChainHtlcResource {
 if (litecoinReceivingAccountInfo == null || litecoinReceivingAccountInfo.length != 20) throw ApiExceptionFactory.INSTANCE.createException(request, ApiError.INVALID_CRITERIA);
+ // Make sure the receiving address isn't a QORT address, given that we can share the same field for both QORT and LTC
+ if (Crypto.isValidAddress(litecoinReceivingAccountInfo))
+ if (Base58.encode(litecoinReceivingAccountInfo).startsWith("Q"))
+ // This is likely a QORT address, not an LTC
+ throw ApiExceptionFactory.INSTANCE.createException(request, ApiError.INVALID_CRITERIA);
+ // Use secret-A to redeem P2SH-A
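Review bot: The added QORT-address guard runs only after the `length != 20` rejection just above it, so it is evaluated solely on 20-byte values. `Crypto.isValidAddress` is not shown here; if it requires a full address (version byte plus checksum), the branch can never fire and gives a false sense of protection against redeeming LTC to the wrong key hash. Please add a test that feeds a stored QORT receiving value through this path and confirms it reaches the new throw. The nested unbraced `if`s are also easy to misread around the comment line; a single braced condition is clearer: `if (Crypto.isValidAddress(litecoinReceivingAccountInfo) && Base58.encode(litecoinReceivingAccountInfo).startsWith("Q")) {`. The enclosing method starts and ends outside this hunk.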