[Critical] Transfer UI changes username in "To" field, sends to wrong account #473
Comments
Openledger is not the reference wallet. Please contact Openledger.
@btsfav do you know whether the reference wallet has this issue as well? If yes, IMHO it needs to be fixed. I remember that I got a similar complaint from another user as well recently, not sure on which hosted UI or the light client.
Mh, looks like it falls back to the next best name. Try to send something to favvv, it fell back to fav. Like autocorrect, definitely a bug in core too.
This issue is related to the max-100-account subscription bug. It affects not only the |
Using the GUI currently running on https://bitshares.openledger.info/, go to the transfer form, and type a nonexistent username in the "To" field, and set a valid amount. Even though the "To" field has an "Unknown account" warning, the Send button highlights and works if clicked. Click the Send button, and a confirmation dialog appears offering to send tokens to what appears to be the last valid account name less than the one specified, which, in practice, is a completely arbitrary account. If the user confirms the transaction, tokens are sent to the arbitrary account.
If it helps, an example of such a transfer is on chain with operation ID 1.11.74005217 -- the transfer went to the `nathan` account even though the To field was populated with `nathantest11`.

This is a severe bug, as it may cause users to send money to the wrong people in a moment of carelessness. The correct response would be to disable the Send button when the To field is populated with an invalid username, though ideally the bug causing the UI to send to an arbitrary-but-valid account if the Send button gets triggered anyways should be fixed as well.
Bug confirmed present on Opera and Chrome, latest versions.
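The failure mode reported in this issue, modelled as an added example (not code from the wallet, the core, or any commenter): a lookup that returns the nearest preceding name, next to a recipient check that accepts only an exact match and gates both the Send button and the transfer builder. The directory contents and all function names are constructed for illustration.

```javascript
// Constructed, sorted sample directory. Only "fav" and "nathan" are names
// quoted in the issue; the rest are placeholders.
const ACCOUNTS = ["alice", "fav", "nathan", "zed"];

// Model of the reported behaviour: return the last existing name that sorts
// at or before the query, instead of reporting "not found".
function nearestPrecedingLookup(sortedNames, query) {
  let lo = 0;
  let hi = sortedNames.length;
  while (lo < hi) {
    const mid = (lo + hi) >>> 1;
    if (sortedNames[mid] <= query) lo = mid + 1;
    else hi = mid;
  }
  return lo > 0 ? sortedNames[lo - 1] : null;
}

// Hardened resolution: whatever the lookup returns, it is only a valid
// recipient if it equals exactly what the user typed.
function resolveRecipient(sortedNames, typedName) {
  const typed = String(typedName).trim();
  const found = nearestPrecedingLookup(sortedNames, typed);
  if (typed === "" || found !== typed) {
    return { ok: false, reason: "Unknown account", typed };
  }
  return { ok: true, account: found };
}

// UI gate: the Send button is enabled only for an exact recipient match
// and a positive, finite amount.
function canSend(sortedNames, typedName, amount) {
  return (
    resolveRecipient(sortedNames, typedName).ok &&
    Number.isFinite(amount) &&
    amount > 0
  );
}

// Second check at the point the operation is built, so a Send triggered
// despite the warning still cannot target a substituted account.
function buildTransfer(sortedNames, from, typedName, amount) {
  const r = resolveRecipient(sortedNames, typedName);
  if (!r.ok) throw new Error(`refusing transfer: ${r.reason} "${r.typed}"`);
  return { from, to: r.account, amount };
}
```
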