
Let's say that my DApp got the following (smart) contract:

module.exports = {
  // Invoked when a transaction of this contract's type reaches the side
  // chain; `value` is the argument carried by that transaction.
  winner: async function(value) {

    if (value === 10) {
        // the caller is treated as the winner here
    }
  }
}

Now the DApp user can do something which invokes the contract with some value which can be 10 or not. The DApp determines if value equals 10 or not. So far so good.

But now it seems that anyone with a valid secret (and some XAS sent to the DApp's side chain) can invoke the contract with a simple PUT request to api/<dappId>//transactions/unsigned with value set to whatever they want.

How to ensure that the value of `value` is set by the DApp and can not be manipulated?

Bass Jobsen

1 Answer

As far as I understand, Asch DApps run on an Express server with the cors middleware enabled, which means that anyone can make a request (GET, POST, PUT, etc.) from anywhere.

So one can invoke your contract easily with a script like the one shown below:

const axios = require('axios');

const fee = '10000000';
const data = {
  secret: "<your secret>",   // any valid secret with XAS on the side chain
  fee: fee,
  type: 1001,                // the number for contractfile.function
  args: 1000                 // a very high score, chosen by the caller
};

// The DApp's own API endpoint accepts this unsigned transaction from anyone.
axios.put('http://<domain>:4096/api/dapps/<dappid>/transactions/unsigned', data)
  .then(function (response) {
    console.log(response);
  })
  .catch(function (error) {
    console.log(error);
  })
  .then(function () {
    // always executed
  });

Due to the above, it is not possible to guarantee that the input is not manipulated (sent from outside the DApp). Also see: https://github.com/AschPlatform/asch/issues/228

Bass Jobsen