Join our community: https://t.me/+DOylgFv1jyJlNzM0
Description
POST /loans/submit in backend/src/routes/loanRoutes.ts accepts a signed XDR from the frontend and submits it to Stellar. There is no backend verification that the submitted XDR matches the unsigned transaction that was originally built by the backend (stored as a reference in the DB or in-memory cache).
A malicious frontend or MITM could swap the XDR between the build step and the submit step, replacing a loan request with a different transaction entirely (e.g., an admin transfer or a pool drain).
Expected Behavior
On /loans/submit, retrieve the original unsigned transaction that was built for this request (by idempotency key or transaction hash) and verify that the submitted signed transaction has the same transaction envelope before the signatures were added.
The idempotency middleware exists but only checks for duplicate submissions, not for XDR tampering.
Suggested Fix
Deserialize the submitted XDR, strip the signatures, and compare the resulting envelope hash against the stored unsigned transaction hash.
Impact
High. A compromised frontend or extension could swap the transaction being signed, causing users to unknowingly submit transactions they did not intend to.
Description
POST /loans/submitinbackend/src/routes/loanRoutes.tsaccepts a signed XDR from the frontend and submits it to Stellar. There is no backend verification that the submitted XDR matches the unsigned transaction that was originally built by the backend (stored as a reference in the DB or in-memory cache).A malicious frontend or MITM could swap the XDR between the build step and the submit step, replacing a loan request with a different transaction entirely (e.g., an admin transfer or a pool drain).
Expected Behavior
On
/loans/submit, retrieve the original unsigned transaction that was built for this request (by idempotency key or transaction hash) and verify that the submitted signed transaction has the same transaction envelope before the signatures were added.The idempotency middleware exists but only checks for duplicate submissions, not for XDR tampering.
Suggested Fix
Deserialize the submitted XDR, strip the signatures, and compare the resulting envelope hash against the stored unsigned transaction hash.
Impact
High. A compromised frontend or extension could swap the transaction being signed, causing users to unknowingly submit transactions they did not intend to.