Merge pull request cardano-foundation#254 from cardano-foundation/fix/ID-503-Voucher-Refund-Exploit

nemo83 · web-flow · commit a9330fb74f13 · 2025-08-08T14:55:38.000+01:00
Fix/id 503 voucher refund exploit
diff --git a/cardano/onchain/validators/minting_voucher.ak b/cardano/onchain/validators/minting_voucher.ak
@@ -16,6 +16,7 @@ use ibc/apps/transfer/transfer_module_redeemer.{Transfer}
 use ibc/apps/transfer/types/coin as transfer_coin
 use ibc/apps/transfer/types/fungible_token_packet_data.{FungibleTokenPacketData}
 use ibc/auth.{AuthToken}
+use ibc/core/ics_004/types/acknowledgement_response.{AcknowledgementError}
 use ibc/core/ics_005/types/ibc_module_redeemer.{
   Callback, IBCModuleRedeemer, OnAcknowledgementPacket, OnRecvPacket,
   OnTimeoutPacket, Operator, TransferModuleData, TransferModuleOperator,
@@ -139,7 +140,11 @@ validator mint_voucher(module_token: AuthToken) {
         let data =
           when ibc_module_callback is {
             OnTimeoutPacket { data, .. } -> data
-            OnAcknowledgementPacket { data, .. } -> data
+            OnAcknowledgementPacket { acknowledgement, data, .. } ->
+              when acknowledgement.response is {
+                AcknowledgementError { .. } -> data
+                _ -> fail
+              }
             _ -> fail
           }
         expect TransferModuleData(data) = data
diff --git a/cardano/onchain/validators/minting_voucher.test.ak b/cardano/onchain/validators/minting_voucher.test.ak
@@ -15,9 +15,10 @@ use ibc/apps/transfer/types/coin as transfer_coin
 use ibc/apps/transfer/types/fungible_token_packet_data.{FungibleTokenPacketData}
 use ibc/auth.{AuthToken}
 use ibc/core/ics_004/types/acknowledgement
+use ibc/core/ics_004/types/acknowledgement_response.{AcknowledgementResult}
 use ibc/core/ics_005/types/ibc_module_redeemer.{
-  Callback, OnRecvPacket, OnTimeoutPacket, Operator, TransferModuleData,
-  TransferModuleOperator,
+  Callback, OnAcknowledgementPacket, OnRecvPacket, OnTimeoutPacket, Operator,
+  TransferModuleData, TransferModuleOperator,
 }
 use ibc/utils/string as string_utils
 use minting_voucher
@@ -297,3 +298,92 @@ test test_refund_voucher() {
     transaction,
   )
 }
+
+// ID-503-Not possible to refund voucher if transfer suceeds
+test test_refund_voucher_fail() fail {
+  let mock_data = prepare_mock_data()
+
+  //=========================arrange packet data===============================
+  let packet_source_port = "port-99"
+  let packet_source_channel = "channel-99"
+  let packet_dest_channel = "channel-99"
+
+  let transfer_amount = 100
+
+  let source_prefix =
+    transfer_coin.get_denom_prefix(packet_source_port, packet_source_channel)
+  let prefixed_denom = bytearray.concat(source_prefix, "ibc/usdt")
+
+  //525f6e2b0f8a15a3c95d82c8113b99dfebfe40f124cb2bc71ee99e22
+  let sender =
+    #"3532356636653262306638613135613363393564383263383131336239396466656266653430663132346362326263373165653939653232"
+
+  let ftpd =
+    FungibleTokenPacketData {
+      denom: prefixed_denom,
+      amount: string.from_int(transfer_amount) |> string.to_bytearray(),
+      sender,
+      receiver: "cosmos address",
+      memo: "",
+    }
+
+  //==================================arrange output============================
+  let token_name = crypto.sha3_256(ftpd.denom)
+
+  let mint =
+    from_asset(mock_data.voucher_minting_policy_id, token_name, transfer_amount)
+
+  expect Some(sender_public_key_hash) = string_utils.hex_string_to_bytes(sender)
+
+  let sender_output =
+    Output {
+      address: from_verification_key(sender_public_key_hash),
+      value: mint,
+      datum: NoDatum,
+      reference_script: None,
+    }
+  let outputs = [sender_output]
+
+  //==================================arrange redeemers============================
+  let mint_voucher_redeemer =
+    RefundVoucher { packet_source_port, packet_source_channel }
+  let purpose = Mint(mock_data.voucher_minting_policy_id)
+
+  let packet_data = TransferModuleData(ftpd)
+
+  let spend_module_redeemer =
+    Callback(
+      OnAcknowledgementPacket {
+        channel_id: packet_dest_channel,
+        acknowledgement: acknowledgement.new_result_acknowledgement(#[1]),
+        data: packet_data,
+      },
+    )
+  let mint_voucher_redeemer_in_data: Redeemer = mint_voucher_redeemer
+  let spend_module_redeemer_in_data: Redeemer = spend_module_redeemer
+
+  let redeemers: Pairs<ScriptPurpose, Redeemer> =
+    [
+      Pair(purpose, mint_voucher_redeemer_in_data),
+      Pair(
+        Spend(mock_data.module_input.output_reference),
+        spend_module_redeemer_in_data,
+      ),
+    ]
+
+  let transaction =
+    Transaction {
+      ..transaction.placeholder,
+      inputs: [mock_data.module_input],
+      outputs: outputs,
+      redeemers: redeemers,
+      mint: mint,
+    }
+
+  minting_voucher.mint_voucher.mint(
+    mock_data.module_token,
+    mint_voucher_redeemer,
+    mock_data.voucher_minting_policy_id,
+    transaction,
+  )
+}
