I was told when i could provide the Tx hash from vitim to attacker to resubmit my report i did so this morning with a full breakdown and NA it imediatly, so instead
Thank you for your submission. After reviewing your report with the team, we are closing this as Not Applicable. The behavior you described is the intended functionality of the API, and the threat model relies on a misunderstanding of where the security boundary lies in this interaction.
The get_token_swap_quote endpoint operates purely as a stateless utility. It calculates the necessary routing and outputs the required calldata to perform a specific swap. Generating this calldata does not execute a transaction, nor does it move any funds.
To exploit this, an attacker would have to deliver this generated payload to a victim and socially engineer them into signing it via their wallet. Because the security boundary relies entirely on the user's private key signature, the API does not require a JWT to calculate the payload. Furthermore, a malicious actor does not need this API to execute this attack; they could construct the exact same malicious execute() calldata locally using standard Web3 libraries (like ethers.js).
We value your expertise and look forward to reviewing your future findings. Good luck!
like fuck off
[link] [comments]
from hacking: security in practice https://ift.tt/yLqVp5D
Comments
Post a Comment