Proposal version 0.01. This is a rough spec for what a client-side trading infrastructure expects from an interface. There should be a client-side wrapper matching the host's API. We ignore funding requests (deposit/withdraw) here.
private
function diff-branch() { | |
if [ -z $1 ]; then | |
echo please provide an branch | |
read WORKBRANCH | |
else | |
WORKBRANCH=$1 | |
fi | |
if [ -z $2 ]; then | |
STABLEBRANCH='master' |
import json | |
import os | |
from collections import defaultdict | |
from json import JSONDecodeError | |
from pprint import pprint | |
from typing import Dict, Union, List | |
import requests | |
from bs4 import BeautifulSoup |
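// Running on the page, in the browser
// This API will go live in early 2020
// It will be the only API available after a 6-week deprecation period

// `ethereum` is a global injected by the wallet extension. When no wallet is
// installed the identifier is undeclared, so it is probed with `typeof`:
// a bare `!ethereum` would raise a ReferenceError before the message below
// could be shown.
// NOTE: `isMetaMask` is a flag the injected provider sets on itself, so it is
// a compatibility hint, not proof of which wallet is present. Do not base
// trust decisions on it.
if (typeof ethereum === 'undefined' || !ethereum || !ethereum.isMetaMask) {
  throw new Error('Please install MetaMask.');
}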
/*********************************************************/ |
#!/usr/bin/python3 | |
from python_graphql_client import GraphqlClient | |
from json import dumps | |
from asyncio import run | |
from re import compile as re_compile | |
from pytimeparse import parse | |
reg = re_compile(r'^(\d+(\.\d+)?)') | |
handle = None |
# See this article for reference: https://help.github.com/articles/dealing-with-line-endings/ | |
# Refreshing repo after line ending change: | |
# https://help.github.com/articles/dealing-with-line-endings/#refreshing-a-repository-after-changing-line-endings | |
# Handle line endings automatically for files detected as text | |
# and leave all files detected as binary untouched. | |
* text=auto | |
# | |
# The above will handle all files NOT found below |
// File: contracts/child/ChildToken/ChildERC20.sol | |
pragma solidity 0.6.6; | |
contract ChildERC20 is | |
ERC20, | |
IChildToken, | |
AccessControlMixin, | |
NativeMetaTransaction, | |
ChainConstants, |
pragma solidity ^0.4.23; | |
import "./HumanStandardToken.sol"; | |
import "../../LedgerChannel.sol"; | |
contract ReentrancyToken is HumanStandardToken { | |
LedgerChannel ledgerChannel; | |
uint256 constant MAX_REENTRIES = 5; | |
uint256 numReentries = 0; |
Currently TSS works by the system auto-generating a set of TSS invitees that collectively generate a new vault pubkey outside of process. Each node that participates in the signing ceremony then posts its result to THORChain as a MsgTssPool.
Two evil nodes are able to front-run a TSS signing ceremony by posting a fake TSS result and voting twice, which achieves consensus and creates a vault controlled by the attacker, stealing funds (before the valid tx arrives).
Note: the #thorsec team found a similar bug that allowed ID spoofing, which was patched in https://gitlab.com/thorchain/thornode/-/merge_requests/1922. This vulnerability is similar but works even with the original ID-spoofing patch applied. After disclosure, MR 1922 also incorporated fixes to stop the attack presented below.
function watchEtherTransfers() { | |
// Instantiate web3 with WebSocket provider | |
const web3 = new Web3(new Web3.providers.WebsocketProvider('wss://rinkeby.infura.io/ws')) | |
// Instantiate subscription object | |
const subscription = web3.eth.subscribe('pendingTransactions') | |
// Subscribe to pending transactions | |
subscription.subscribe((error, result) => { | |
if (error) console.log(error) |