Files
nick-doc/Issues/ISSUE-129-scanner-ton-processTransfer-doesnt-verify-jettonmasteraddress.md
Siavash Sameni dceaf82934 audit: 2026-05-30 full-codebase audit — report, issues, docs, runbooks
Full-codebase-audit 2026-05-30 outputs:
- Audit report: 09 - Audits/Full Codebase Audit - 2026-05-30.md
- 81 issue files ISSUE-055..135 (decisions + 1 skipped no-brainer).
- Scanner docs from scratch (was zero): architecture, data model, API ref, payment
  flow, operations runbook + repo README.
- Doc-sync updates across API reference, data models, flows, design system.
- Secret Rotation Runbook (08 - Operations) for the exposed credentials.
- Reusable workflow guide (07 - Development) + .claude/workflows/full-codebase-audit.js.

Issues remain status:open intentionally — the code fixes are uncommitted-then-committed
working-tree changes per repo and aren't "resolved" until merged/deployed.

Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
2026-05-30 18:48:04 +04:00
issue: 129
title: Scanner: TON processTransfer doesn't verify JettonMasterAddress vs intent.TokenAddress
severity: low
domain: Scanner
labels: bug, scanner, token-verification
status: open
created: 2026-05-30
source: Full Codebase Audit 2026-05-30

Scanner: TON processTransfer doesn't verify JettonMasterAddress vs intent.TokenAddress

Severity: low Domain: Scanner Labels: bug, scanner, token-verification

Description

scanner/ton_chain.go:203 processes TON jetton transfers without explicitly verifying that tr.JettonMasterAddress equals intent.TokenAddress. It trusts the API filtering to return only the correct jetton, but a compromised API or a jetton with the same wallet address could pass silently.

Options

  1. Assert tr.JettonMasterAddress == intent.TokenAddress before confirming.
  2. Trust API filtering but log mismatches.
  3. Verify and reject on mismatch.

Recommendation

Add an explicit equality check and reject mismatches rather than trusting API filtering.
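One way to implement the recommended check, as an added example that is not code from the scanner repo or this issue: jettonMaster and intentToken stand in for tr.JettonMasterAddress and intent.TokenAddress, and the function names and the address normalizer are this example's own assumptions. It canonicalizes both raw ("wc:hex") and user-friendly (base64) TON address encodings before comparing, so a legitimate transfer reported in a different encoding is not rejected, while a real mismatch, a bad checksum or a malformed address is.

```go
package main

import (
	"encoding/base64"
	"encoding/hex"
	"errors"
	"fmt"
	"strings"
)

// crc16 is CRC-16/XMODEM (poly 0x1021, init 0), the checksum inside TON user-friendly addresses.
func crc16(data []byte) uint16 {
	var crc uint16
	for _, b := range data {
		crc ^= uint16(b) << 8
		for i := 0; i < 8; i++ { // shift out the top bit; xor in the polynomial if it was set
			crc = crc<<1 ^ 0x1021*(crc>>15)
		}
	}
	return crc
}

// normalizeTONAddress maps a raw ("wc:hex") or user-friendly (36 bytes: tag, workchain, 32-byte account, CRC16) address to "wc:hex".
func normalizeTONAddress(s string) (string, error) {
	if i := strings.IndexByte(s, ':'); i >= 0 { // raw form
		acct := strings.ToLower(s[i+1:])
		if _, err := hex.DecodeString(acct); err != nil || len(acct) != 64 {
			return "", fmt.Errorf("malformed raw address %q", s)
		}
		return s[:i] + ":" + acct, nil
	}
	raw, err := base64.RawURLEncoding.DecodeString(strings.NewReplacer("+", "-", "/", "_", "=", "").Replace(s))
	if err != nil || len(raw) != 36 || crc16(raw[:34]) != uint16(raw[34])<<8|uint16(raw[35]) {
		return "", fmt.Errorf("malformed or corrupt user-friendly address %q", s)
	}
	return fmt.Sprintf("%d:%s", int8(raw[1]), hex.EncodeToString(raw[2:34])), nil
}

// verifyJettonMaster is the explicit check the issue recommends (hypothetical names): jettonMaster stands for
// tr.JettonMasterAddress, intentToken for intent.TokenAddress; a mismatch or unparseable address is rejected.
func verifyJettonMaster(jettonMaster, intentToken string) error {
	got, errGot := normalizeTONAddress(jettonMaster)
	want, errWant := normalizeTONAddress(intentToken)
	if err := errors.Join(errGot, errWant); err != nil {
		return err
	}
	if got != want {
		return fmt.Errorf("jetton master %s does not match intent token %s", got, want)
	}
	return nil
}
```

The raw-form branch does not validate the workchain prefix, so a transfer whose master is given as "-1:..." still fails closed against an intent stored as "0:...".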

Affected Files

  • scanner/ton_chain.go:203

References