Skip to content

fix(bounty): prevent cross-store payout and coupon reuse in claim flow (#37)#40

Open
chenlinxi890-spec wants to merge 1 commit into
profullstack:masterfrom
chenlinxi890-spec:codex/fix-coupon-validation-37
Open

fix(bounty): prevent cross-store payout and coupon reuse in claim flow (#37)#40
chenlinxi890-spec wants to merge 1 commit into
profullstack:masterfrom
chenlinxi890-spec:codex/fix-coupon-validation-37

Conversation

@chenlinxi890-spec

Copy link
Copy Markdown

Summary

Fixes a security vulnerability in the bounty claim flow where any user could:

  1. Claim any bounty with a coupon from a different store (cross-store exploitation)
  2. Reuse a single coupon to claim multiple bounties (wallet drain)

Fix

Added two validations in �pps/web/app/api/bounties/[id]/claim/route.ts:

  1. Store match check — Returns 400 if coupon store != bounty store
  2. Coupon reuse check — Returns 409 if coupon was already used

Tests

  • Syntax validated
  • Additive changes only, no breaking API changes

profullstack#37)

Add two critical validations to POST /api/bounties/[id]/claim:
1. Validate coupon store matches bounty store (prevents cross-store exploitation)
2. Prevent coupon reuse (a coupon can only claim one bounty)

This fixes a security vulnerability where any user could claim any bounty
with any coupon, potentially draining the merchant wallet.
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant