Problem Statement
The getOwnerAddress() method in the following three Actuators uses incorrect Protobuf types for any.unpack():
| Actuator |
Location |
Current (Wrong) Type |
Correct Type |
UpdateAssetActuator |
L174 |
AccountUpdateContract |
UpdateAssetContract |
MarketCancelOrderActuator |
L224 |
AssetIssueContract |
MarketCancelOrderContract |
MarketSellAssetActuator |
L286 |
AssetIssueContract |
MarketSellAssetContract |
Impact Analysis
-
Currently not triggered: The getOwnerAddress() override method on AbstractActuator is not called in production code.
-
Protobuf field number analysis:
MarketCancelOrderActuator / MarketSellAssetActuator: The incorrectly used AssetIssueContract and the correct types all define owner_address as bytes at field number 1. Since Protobuf decodes by field number, this happens to produce the correct result at runtime.UpdateAssetActuator: The incorrectly used AccountUpdateContract defines owner_address at field number 2, while UpdateAssetContract.owner_address is at field number 1. If this method were called, it would return the value of account_name (field 1) as owner_address, resulting in incorrect address data.
-
Code quality: Incorrect type parameters pose a maintenance risk for future development.
This issue was identified during a security audit.
Proposed Solution
Replace the unpack() calls in getOwnerAddress() with the correct Contract type corresponding to each Actuator.
Specification
API Changes: None
Configuration Changes: None
Protocol Changes: None
Scope of Impact
- Core protocol (Actuator layer)
Breaking Changes: None. Only corrects type parameters.
Backward Compatibility: Fully compatible. This method is not called in production code, so the fix does not affect existing behavior.
Implementation
Approach:
Modify the getOwnerAddress() method in each of the three files to use the correct Contract type for unpack(). Minimal change — one line per file.
Willing to implement: Yes
Estimated Complexity: Low (minor changes)
Testing Strategy
Test Scenarios:
- Verify that
getOwnerAddress() returns the correct owner address after the fix for all three Actuators
- Run existing unit tests to ensure no regressions
Performance Considerations: None
Additional Context (Optional)
Related Issues/PRs: None
References: Claude AI Scan
Problem Statement
The
getOwnerAddress()method in the following three Actuators uses incorrect Protobuf types forany.unpack():UpdateAssetActuatorAccountUpdateContractUpdateAssetContractMarketCancelOrderActuatorAssetIssueContractMarketCancelOrderContractMarketSellAssetActuatorAssetIssueContractMarketSellAssetContractImpact Analysis
Currently not triggered: The
getOwnerAddress()override method onAbstractActuatoris not called in production code.Protobuf field number analysis:
MarketCancelOrderActuator/MarketSellAssetActuator: The incorrectly usedAssetIssueContractand the correct types all defineowner_addressasbytesat field number 1. Since Protobuf decodes by field number, this happens to produce the correct result at runtime.UpdateAssetActuator: The incorrectly usedAccountUpdateContractdefinesowner_addressat field number 2, whileUpdateAssetContract.owner_addressis at field number 1. If this method were called, it would return the value ofaccount_name(field 1) asowner_address, resulting in incorrect address data.Code quality: Incorrect type parameters pose a maintenance risk for future development.
This issue was identified during a security audit.
Proposed Solution
Replace the
unpack()calls ingetOwnerAddress()with the correct Contract type corresponding to each Actuator.Specification
API Changes: None
Configuration Changes: None
Protocol Changes: None
Scope of Impact
Breaking Changes: None. Only corrects type parameters.
Backward Compatibility: Fully compatible. This method is not called in production code, so the fix does not affect existing behavior.
Implementation
Approach:
Modify the
getOwnerAddress()method in each of the three files to use the correct Contract type forunpack(). Minimal change — one line per file.Willing to implement: Yes
Estimated Complexity: Low (minor changes)
Testing Strategy
Test Scenarios:
getOwnerAddress()returns the correct owner address after the fix for all three ActuatorsPerformance Considerations: None
Additional Context (Optional)
Related Issues/PRs: None
References: Claude AI Scan