bitshares · oxarbitrage · Sep 6, 2017 · Dec 8, 2016 · Dec 17, 2016 · Jan 2, 2017
diff --git a/libraries/chain/hardfork.d/23.hf b/libraries/chain/hardfork.d/23.hf
@@ -0,0 +1,5 @@
+// Issue #23: Withdrawal claims made before the first withdrawal period are incorrectly allowed
+// Fork time set to 2017-02-01 00:00:00 UTC
+#ifndef HARDFORK_23_TIME
+#define HARDFORK_23_TIME (fc::time_point_sec( 1485907200 ))
+#endif
diff --git a/libraries/chain/include/graphene/chain/withdraw_permission_object.hpp b/libraries/chain/include/graphene/chain/withdraw_permission_object.hpp
@@ -27,7 +27,6 @@
 #include <boost/multi_index/composite_key.hpp>
 
 namespace graphene { namespace chain {
-
   /**
    * @class withdraw_permission_object
    * @brief Grants another account authority to withdraw a limited amount of funds per interval
@@ -52,14 +51,23 @@ namespace graphene { namespace chain {
         asset              withdrawal_limit;
         /// The duration of a withdrawal period in seconds
         uint32_t           withdrawal_period_sec = 0;
-        /// The beginning of the next withdrawal period
+       /***
+        * The beginning of the next withdrawal period
+        * WARNING: Due to caching, this value does not always represent the start of the next or current period (because it is only updated after a withdrawal operation such as claim).  For the latest current period, use current_period().
+        */
         time_point_sec     period_start_time;
         /// The time at which this withdraw permission expires
         time_point_sec     expiration;
 
-        /// tracks the total amount
+       /***
+        * Tracks the total amount
+        * WARNING: Due to caching, this value does not always represent the total amount claimed during the current period; it may represent what was claimed during the last claimed period (because it is only updated after a withdrawal operation such as claim).  For the latest current period, use current_period().
+        */
         share_type         claimed_this_period;
-        /// True if the permission may still be claimed for this period; false if it has already been used
+
+       /***
+        * Determine how much is still available to be claimed during the period that contains a time of interest.  This object and function is mainly intended to be used with the "current" time as a parameter.  The current time can be obtained from the time of the current head of the blockchain.
+        */
         asset              available_this_period( fc::time_point_sec current_time )const
         {
            if( current_time >= period_start_time + withdrawal_period_sec )

diff --git a/libraries/chain/withdraw_permission_evaluator.cpp b/libraries/chain/withdraw_permission_evaluator.cpp
@@ -59,12 +59,16 @@ object_id_type withdraw_permission_create_evaluator::do_apply(const operation_ty
 void_result withdraw_permission_claim_evaluator::do_evaluate(const withdraw_permission_claim_evaluator::operation_type& op)
 { try {
    const database& d = db();
+   time_point_sec head_block_time = d.head_block_time();
 
    const withdraw_permission_object& permit = op.withdraw_permission(d);
-   FC_ASSERT(permit.expiration > d.head_block_time() );
+   FC_ASSERT(permit.expiration > head_block_time);
    FC_ASSERT(permit.authorized_account == op.withdraw_to_account);
    FC_ASSERT(permit.withdraw_from_account == op.withdraw_from_account);
-   FC_ASSERT(op.amount_to_withdraw <= permit.available_this_period( d.head_block_time() ) );
+   if (head_block_time >= HARDFORK_23_TIME) {
+      FC_ASSERT(permit.period_start_time <= head_block_time);
+   }
+   FC_ASSERT(op.amount_to_withdraw <= permit.available_this_period( head_block_time ) );
    FC_ASSERT(d.get_balance(op.withdraw_from_account, op.amount_to_withdraw.asset_id) >= op.amount_to_withdraw);
 
    const asset_object& _asset = op.amount_to_withdraw.asset_id(d);