Skip to content

fix(bounties): only allow claiming a funded bounty (prevents payout for unfunded bounties)#36

Open
AliaksandrNazaruk wants to merge 1 commit into
profullstack:masterfrom
AliaksandrNazaruk:fix/claim-only-funded-bounties
Open

fix(bounties): only allow claiming a funded bounty (prevents payout for unfunded bounties)#36
AliaksandrNazaruk wants to merge 1 commit into
profullstack:masterfrom
AliaksandrNazaruk:fix/claim-only-funded-bounties

Conversation

@AliaksandrNazaruk

Copy link
Copy Markdown

Problem

POST /api/bounties/[id]/claim accepted status IN ('open','funded'). A bounty is created open and only becomes funded after the CoinPay funding webhook confirms the creator's payment. So an unfunded bounty (abandoned/failed creator checkout) could still be claimed — and the claim path then prepares + broadcasts a real payout of bounty.reward_usd from the merchant web wallet to the claimer (see #35).

Fix

Gate on status = 'funded' in both places:

  • pre-check (line 23): if (bounty.status !== 'funded')
  • atomic UPDATE ... WHERE (line 38): AND status = 'funded' — closes the concurrent-flip TOCTOU

A payout can now only fire after the funding webhook has set funded. Two-line change, no behavior change for funded bounties.

Fixes #35.

…or unfunded bounties)

POST /api/bounties/[id]/claim gated on status IN ('open','funded'). A bounty
is created 'open' and only becomes 'funded' after the CoinPay funding webhook
confirms the creator's payment. Accepting 'open' meant a bounty whose funding
was never completed (creator abandoned/failed the CoinPay checkout) could still
be claimed — and the claim path then prepares and broadcasts a real payout of
bounty.reward_usd from the merchant web wallet to the claimer.

Gate both the pre-check (line 23) and the atomic UPDATE ... WHERE (closing the
TOCTOU) on status = 'funded' so a payout can only fire after funding is
confirmed.
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

Claiming an unfunded ('open') bounty triggers a real payout from the merchant wallet

1 participant