Merge pull request #4414 from scsaba/recipient-blacklist

Disallow sending to ganache default accounts on main net

5 files changed, 137 insertions, 1 deletions

diff --git a/app/scripts/controllers/transactions/index.js b/app/scripts/controllers/transactions/index.js
index aff5db984..b53947e27 100644
--- a/app/scripts/controllers/transactions/index.js
+++ b/app/scripts/controllers/transactions/index.js
@@ -10,6 +10,7 @@ const NonceTracker = require('./nonce-tracker')
 const txUtils = require('./lib/util')
 const cleanErrorStack = require('../../lib/cleanErrorStack')
 const log = require('loglevel')
+const recipientBlacklistChecker = require('./lib/recipient-blacklist-checker')
 
 /**
   Transaction Controller is an aggregate of sub-controllers and trackers
@@ -157,8 +158,11 @@ class TransactionController extends EventEmitter {
     let txMeta = this.txStateManager.generateTxMeta({ txParams: normalizedTxParams })
     this.addTx(txMeta)
     this.emit('newUnapprovedTx', txMeta)
-    // add default tx params
+
     try {
+      // check whether recipient account is blacklisted
+      recipientBlacklistChecker.checkAccount(txMeta.metamaskNetworkId, normalizedTxParams.to)
+      // add default tx params
       txMeta = await this.addTxGasDefaults(txMeta)
     } catch (error) {
       console.log(error)
diff --git a/app/scripts/controllers/transactions/lib/recipient-blacklist-checker.js b/app/scripts/controllers/transactions/lib/recipient-blacklist-checker.js
new file mode 100644
index 000000000..84c6df1f0
--- /dev/null
+++ b/app/scripts/controllers/transactions/lib/recipient-blacklist-checker.js
@@ -0,0 +1,24 @@
+const Config = require('./recipient-blacklist-config.json')
+
+/** @module*/
+module.exports = {
+  checkAccount,
+}
+
+/**
+ * Checks if a specified account on a specified network is blacklisted.
+  @param networkId {number}
+  @param account {string}
+*/
+function checkAccount (networkId, account) {
+
+  const mainnetId = 1
+  if (networkId !== mainnetId) {
+    return
+  }
+
+  const accountToCheck = account.toLowerCase()
+  if (Config.blacklist.includes(accountToCheck)) {
+    throw new Error('Recipient is a public account')
+  }
+}
diff --git a/app/scripts/controllers/transactions/lib/recipient-blacklist-config.json b/app/scripts/controllers/transactions/lib/recipient-blacklist-config.json
new file mode 100644
index 000000000..b348eb72e
--- /dev/null
+++ b/app/scripts/controllers/transactions/lib/recipient-blacklist-config.json
@@ -0,0 +1,14 @@
+{
+  "blacklist": [
+    "0x627306090abab3a6e1400e9345bc60c78a8bef57",
+    "0xf17f52151ebef6c7334fad080c5704d77216b732",
+    "0xc5fdf4076b8f3a5357c5e395ab970b5b54098fef",
+    "0x821aea9a577a9b44299b9c15c88cf3087f3b5544",
+    "0x0d1d4e623d10f9fba5db95830f7d3839406c6af2",
+    "0x2932b7a2355d6fecc4b5c0b6bd44cc31df247a2e",
+    "0x2191ef87e392377ec08e7c08eb105ef5448eced5",
+    "0x0f4f2ac550a1b4e2280d04c21cea7ebd822934b5",
+    "0x6330a553fc93768f612722bb8c2ec78ac90b3bbc",
+    "0x5aeda56215b167893e80b4fe645ba6d5bab767de"
+  ]
+}
diff --git a/test/unit/app/controllers/transactions/recipient-blacklist-checker-test.js b/test/unit/app/controllers/transactions/recipient-blacklist-checker-test.js
new file mode 100644
index 000000000..56e8d50db
--- /dev/null
+++ b/test/unit/app/controllers/transactions/recipient-blacklist-checker-test.js
@@ -0,0 +1,77 @@
+const assert = require('assert')
+const recipientBlackListChecker = require('../../../../../app/scripts/controllers/transactions/lib/recipient-blacklist-checker')
+const {
+  ROPSTEN_CODE,
+  RINKEYBY_CODE,
+  KOVAN_CODE,
+} = require('../../../../../app/scripts/controllers/network/enums')
+
+const KeyringController = require('eth-keyring-controller')
+
+describe('Recipient Blacklist Checker', function () {
+
+  let publicAccounts
+
+  before(async function () {
+    const damnedMnemonic = 'candy maple cake sugar pudding cream honey rich smooth crumble sweet treat'
+    const keyringController = new KeyringController({})
+    const Keyring = keyringController.getKeyringClassForType('HD Key Tree')
+    const opts = {
+      mnemonic: damnedMnemonic,
+      numberOfAccounts: 10,
+    }
+    const keyring = new Keyring(opts)
+    publicAccounts = await keyring.getAccounts()
+  })
+
+  describe('#checkAccount', function () {
+    it('does not fail on test networks', function () {
+      let callCount = 0
+      const networks = [ROPSTEN_CODE, RINKEYBY_CODE, KOVAN_CODE]
+      for (let networkId in networks) {
+        publicAccounts.forEach((account) => {
+           recipientBlackListChecker.checkAccount(networkId, account)
+            callCount++
+        })
+      }
+      assert.equal(callCount, 30)
+    })
+
+    it('fails on mainnet', function () {
+      const mainnetId = 1
+      let callCount = 0
+      publicAccounts.forEach((account) => {
+        try {
+          recipientBlackListChecker.checkAccount(mainnetId, account)
+          assert.fail('function should have thrown an error')
+        } catch (err) {
+          assert.equal(err.message, 'Recipient is a public account')
+        }
+        callCount++
+      })
+      assert.equal(callCount, 10)
+    })
+
+    it('fails for public account - uppercase', function () {
+      const mainnetId = 1
+      const publicAccount = '0X0D1D4E623D10F9FBA5DB95830F7D3839406C6AF2'
+      try {
+        recipientBlackListChecker.checkAccount(mainnetId, publicAccount)
+        assert.fail('function should have thrown an error')
+      } catch (err) {
+        assert.equal(err.message, 'Recipient is a public account')
+      }
+    }) 
+
+    it('fails for public account - lowercase', async function () {
+      const mainnetId = 1
+      const publicAccount = '0x0d1d4e623d10f9fba5db95830f7d3839406c6af2'
+      try {
+        await recipientBlackListChecker.checkAccount(mainnetId, publicAccount)
+        assert.fail('function should have thrown an error')
+      } catch (err) {
+        assert.equal(err.message, 'Recipient is a public account')
+      }
+    }) 
+  })
+})
diff --git a/test/unit/app/controllers/transactions/tx-controller-test.js b/test/unit/app/controllers/transactions/tx-controller-test.js
index 1f32a0f37..9bdfe7c1a 100644
--- a/test/unit/app/controllers/transactions/tx-controller-test.js
+++ b/test/unit/app/controllers/transactions/tx-controller-test.js
@@ -185,6 +185,23 @@ describe('Transaction Controller', function () {
       .catch(done)
     })
 
+    it('should fail if recipient is public', function (done) {
+      txController.networkStore = new ObservableStore(1)
+      txController.addUnapprovedTransaction({ from: '0x1678a085c290ebd122dc42cba69373b5953b831d', to: '0x0d1d4e623D10F9FBA5Db95830F7d3839406C6AF2' })
+      .catch((err) => {
+        if (err.message === 'Recipient is a public account') done()
+        else done(err)
+      })
+    })
+
+    it('should not fail if recipient is public but not on mainnet', function (done) {
+      txController.once('newUnapprovedTx', (txMetaFromEmit) => {
+        assert(txMetaFromEmit, 'txMeta is falsey')
+        done()
+      })
+      txController.addUnapprovedTransaction({ from: '0x1678a085c290ebd122dc42cba69373b5953b831d', to: '0x0d1d4e623D10F9FBA5Db95830F7d3839406C6AF2' })
+      .catch(done)
+    })
   })
 
   describe('#addTxGasDefaults', function () {