tapchannel: compare asset id of htlc records with quote
In this commit we use the previously defined helper to fetch the asset
ID of the accepted quote, then we compare it with the asset ID of each
HTLC. This is done as an extra strict check to guard against HTLC and
RFQ asset ID mismatch, which can lead to malicious behavior where a
quote for a different asset is being accounted for when accepting an
asset HTLC.
GeorgeTsagk committed Jan 14, 2025
1 parent 9571c6e commit 7eb3643
Showing 1 changed file with 9 additions and 0 deletions.
9 changes: 9 additions & 0 deletions tapchannel/aux_invoice_manager.go
Expand Up @@ -198,6 +198,15 @@ func (s *AuxInvoiceManager) handleInvoiceAccept(_ context.Context,
// Convert the total asset amount to milli-satoshis using the price from
// the accepted quote.
rfqID := htlc.RfqID.ValOpt().UnsafeFromSome()

assetID := s.assetIDFromQuote(rfqID)
for _, v := range htlc.Balances() {
if v.AssetID.Val != *assetID {
return nil, fmt.Errorf("mismatch between htlc asset " +
"ID and rfq quote asset ID")
}
}

assetRate, err := s.priceFromQuote(rfqID)
if err != nil {
return nil, fmt.Errorf("unable to get price from quote with "+
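Review bot: `*assetID` in the loop condition dereferences the result of `s.assetIDFromQuote(rfqID)` without a nil check, and the helper call carries no error return, unlike `s.priceFromQuote(rfqID)` directly below it. The helper's body is not visible in this hunk; if it can return nil when no accepted quote matches `rfqID`, this path panics inside `handleInvoiceAccept` instead of rejecting the HTLC. Suggest an explicit `if assetID == nil` check that returns an error before the loop, or having the helper return an error the way `priceFromQuote` does. Separately, the `fmt.Errorf` message has no format verbs; including the HTLC asset ID, the quote asset ID and `rfqID` would make a rejected HTLC traceable in logs, which matters for a check meant to catch a mismatched quote.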