nick-doc/Issues/ISSUE-078-scanner-idempotency-path-ignores-mismatched-parameters.md
Siavash Sameni dceaf82934 audit: 2026-05-30 full-codebase audit — report, issues, docs, runbooks
Full-codebase-audit 2026-05-30 outputs:
- Audit report: 09 - Audits/Full Codebase Audit - 2026-05-30.md
- 81 issue files ISSUE-055..135 (decisions + 1 skipped no-brainer).
- Scanner docs from scratch (was zero): architecture, data model, API ref, payment
  flow, operations runbook + repo README.
- Doc-sync updates across API reference, data models, flows, design system.
- Secret Rotation Runbook (08 - Operations) for the exposed credentials.
- Reusable workflow guide (07 - Development) + .claude/workflows/full-codebase-audit.js.

Issues remain status:open intentionally — the code fixes are uncommitted-then-committed
working-tree changes per repo and aren't "resolved" until merged/deployed.

Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
2026-05-30 18:48:04 +04:00


| issue | title | severity | domain | labels | status | created | source |
| --- | --- | --- | --- | --- | --- | --- | --- |
| 078 | Scanner: idempotency path ignores mismatched parameters — silent collision | high | Scanner | bug, scanner, idempotency | open | 2026-05-30 | Full Codebase Audit 2026-05-30 |

Scanner: idempotency path ignores mismatched parameters — silent collision

Severity: high Domain: Scanner Labels: bug, scanner, idempotency

Description

scanner/api.go:191 returns the existing intent when an intentId collision is detected, but does not compare the stored parameters to the incoming request. If a caller reuses an intentId with different amount, tokenAddress, or callbackUrl, the scanner silently returns the old intent and monitors the wrong payment parameters.

Options

  1. Return 409 Conflict if stored params differ from request.
  2. Return existing intent only if params match; else error.
  3. Treat any reuse as conflict regardless of params.

Recommendation

Compare the stored parameters with the incoming request and return 409 Conflict on any mismatch; return the existing intent only on an exact match. Note that this changes the API contract.
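The exact-match idempotency check this recommendation describes, as an added Go example that is not the scanner's own code: the Intent fields, IntentStore and ErrIntentConflict are assumed names, and the conflict error is what a handler would map to 409 Conflict.

```go
package main

import (
	"errors"
	"fmt"
)

// Intent holds the parameters a caller registers for a payment intent.
// Field names are assumptions for this example, not the scanner's own types.
type Intent struct {
	IntentID     string
	Amount       string // decimal string, so equality is exact
	TokenAddress string
	CallbackURL  string
}

// ErrIntentConflict is the error a handler maps to HTTP 409 Conflict.
var ErrIntentConflict = errors.New("intentId already exists with different parameters")

// IntentStore is an in-memory stand-in for the scanner's persistence layer.
type IntentStore struct{ intents map[string]Intent }

// CreateIntent is idempotent only on an exact parameter match: reusing an
// intentId with identical fields returns the stored intent (created=false);
// any differing field returns ErrIntentConflict instead of the old intent.
func (s *IntentStore) CreateIntent(req Intent) (intent Intent, created bool, err error) {
	if s.intents == nil {
		s.intents = make(map[string]Intent)
	}
	if existing, ok := s.intents[req.IntentID]; ok {
		if existing == req { // struct equality compares every field
			return existing, false, nil
		}
		return Intent{}, false, fmt.Errorf("%w: intentId=%s", ErrIntentConflict, req.IntentID)
	}
	s.intents[req.IntentID] = req
	return req, true, nil
}

func main() {
	var store IntentStore
	first := Intent{"abc-123", "100.00", "0xTOKEN", "https://merchant.example/cb"} // constructed
	store.CreateIntent(first)
	replay := first
	replay.Amount = "1.00" // same intentId, different amount
	_, _, err := store.CreateIntent(replay)
	fmt.Println("mismatch rejected:", errors.Is(err, ErrIntentConflict)) // true
}
```

In a real store the compare and the insert must happen in one transaction (or a conditional upsert), otherwise two concurrent requests with the same intentId can race past the check.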

Affected Files

  • scanner/api.go:191

References