The transaction processing logic for Tron2STEEM Swap did not filter out TRC-10 token transfers (TransferAssetContract), so token deposits reached the same code path as TRX deposits. This was a severe oversight: in theory, the flaw could be exploited to trigger unintended swaps, leading to significant financial losses.
Impact:
Exploitation Risk: Malicious users could craft transactions with TRC-10 tokens (other than TRX) to mimic legitimate swap requests, draining the system's resources.
Incorrect Transaction Handling: Non-TRX token transfers were being processed incorrectly, potentially polluting the database with invalid records.
Financial Losses: Triggering swaps on TRC-10 tokens might result in losses due to unintended conversions or incorrect exchange rate calculations, since a token amount would be converted as if it were TRX.
Fix Summary:
To mitigate this issue, a strict filter has been added that verifies each transaction's contract type so that only TRX (and, where intended, USDT and USDD) transactions are processed. Note that USDT and USDD on Tron are TRC-20 tokens, whose transfers appear on chain as TriggerSmartContract calls rather than TransferContract; the contract-type check shown below admits TransferContract only, so those tokens require their own check on the smart-contract call if they are meant to be accepted.
for (let tx of currentPageTransactions) {
  // Only a TransferContract is a plain TRX transfer. TransferAssetContract (TRC-10)
  // and TriggerSmartContract (TRC-20 and other smart-contract calls) are skipped.
  // Guard against a missing or empty contract array so a malformed record cannot throw.
  const contracts = (tx.raw_data && tx.raw_data.contract) || [];
  const contractType = contracts.length ? contracts[0].type : undefined;
  if (contractType !== "TransferContract") {
    console.log(`Skipping non-TRX transaction ${tx.txID}: ${contractType}`);
    continue;
  }
  // the rest of the code
}
Key Changes in Code:
Added Contract Type Validation: Ensures only transactions with TransferContract (TRX transfers) are processed. Transactions involving TransferAssetContract (TRC-10 tokens) are now skipped, as are TriggerSmartContract calls (TRC-20 tokens and other smart-contract invocations).
Improved Logging: Logs are updated to highlight when non-TRX transactions are filtered out for traceability.
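The following is an added example, not Tron2STEEM Swap's own code, showing the contract-type filter from the fix summary combined with the two checks a deposit scanner also needs: that the transfer is addressed to the swap's deposit address and that the amount is a positive integer. It assumes transaction objects shaped like TronGrid's account-transactions output (tx.txID, tx.raw_data.contract[0].type, and parameter.value.{owner_address,to_address,amount}); the deposit address and the sample transactions are constructed for the example.

```javascript
// Added example, not Tron2STEEM Swap's own code. Assumes the transaction shape
// returned by TronGrid's account-transactions endpoint: tx.txID,
// tx.raw_data.contract[0].type and
// tx.raw_data.contract[0].parameter.value.{owner_address,to_address,amount}.
// The deposit address is hypothetical and is compared exactly as the API returns it.

const SWAP_DEPOSIT_ADDRESS = "41deadbeef00000000000000000000000000000000"; // hypothetical

// Decide whether a transaction is a plain TRX deposit to the swap address.
// Returns { accept: true, from, amountSun } or { accept: false, reason }.
function classifyTransaction(tx) {
  const contracts = tx && tx.raw_data && Array.isArray(tx.raw_data.contract)
    ? tx.raw_data.contract
    : [];
  // Require exactly one contract so a multi-contract transaction cannot hide
  // a token transfer behind a valid first entry.
  if (contracts.length !== 1) {
    return { accept: false, reason: `unexpected contract count: ${contracts.length}` };
  }
  const { type, parameter } = contracts[0];
  // TransferContract is a TRX transfer. TransferAssetContract is a TRC-10 transfer
  // and TriggerSmartContract is a smart-contract call (TRC-20 tokens such as USDT).
  if (type !== "TransferContract") {
    return { accept: false, reason: `non-TRX contract type: ${type}` };
  }
  const value = (parameter && parameter.value) || {};
  if (value.to_address !== SWAP_DEPOSIT_ADDRESS) {
    return { accept: false, reason: "not addressed to the swap deposit address" };
  }
  // Amounts are in sun (1 TRX = 1,000,000 sun) and must be a positive integer.
  if (!Number.isInteger(value.amount) || value.amount <= 0) {
    return { accept: false, reason: `invalid amount: ${value.amount}` };
  }
  return { accept: true, from: value.owner_address, amountSun: value.amount };
}

// Split a page of transactions into accepted deposits and skipped ones,
// keeping the skip reason so it can be logged for traceability.
function selectSwapDeposits(transactions) {
  const accepted = [];
  const skipped = [];
  for (const tx of transactions) {
    const result = classifyTransaction(tx);
    if (result.accept) {
      accepted.push({ txID: tx.txID, from: result.from, amountSun: result.amountSun });
    } else {
      skipped.push({ txID: tx.txID, reason: result.reason });
    }
  }
  return { accepted, skipped };
}

// Constructed sample transactions (not real chain data).
const SENDER = "41sender000000000000000000000000000000000001"; // hypothetical
const SAMPLE_TRANSACTIONS = [
  { // plain 50 TRX transfer to the deposit address: accepted
    txID: "tx-trx-ok",
    raw_data: { contract: [{ type: "TransferContract", parameter: { value: {
      owner_address: SENDER, to_address: SWAP_DEPOSIT_ADDRESS, amount: 50000000 } } }] },
  },
  { // TRC-10 token transfer with the same amount field: must be skipped
    txID: "tx-trc10",
    raw_data: { contract: [{ type: "TransferAssetContract", parameter: { value: {
      asset_name: "1002000", owner_address: SENDER, to_address: SWAP_DEPOSIT_ADDRESS, amount: 50000000 } } }] },
  },
  { // TRC-20 transfer (smart-contract call): must be skipped
    txID: "tx-trc20",
    raw_data: { contract: [{ type: "TriggerSmartContract", parameter: { value: {
      owner_address: SENDER, contract_address: "41tokencontract0000000000000000000000000", data: "a9059cbb" } } }] },
  },
  { // TRX transfer that is not sent to the deposit address: must be skipped
    txID: "tx-trx-elsewhere",
    raw_data: { contract: [{ type: "TransferContract", parameter: { value: {
      owner_address: SENDER, to_address: "41someoneelse000000000000000000000000000", amount: 50000000 } } }] },
  },
];

const report = selectSwapDeposits(SAMPLE_TRANSACTIONS);
for (const s of report.skipped) console.log(`Skipping ${s.txID}: ${s.reason}`);
console.log("Accepted deposits:", report.accepted);
```

The destination-address check matters as much as the contract-type check: the account-transactions feed includes outgoing transfers and transfers between third parties that merely mention the account, and only an inbound TransferContract to the deposit address should ever be credited.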