<aside> 💡 The developer would like to mention that the smart contract is still in development and might change before an actual release.
</aside>
<aside> 💡 Audits are not a guarantee of bug-free contracts, vulnerabilities may still arise after audits.
</aside>
Commit: 435b547faedffec9cbcde5a99c43077921ffab88
flovatar/FlovatarInbox.cdc at dust-inbox · crash13override/flovatar
FlovatarInbox contract with the commit hash specified above.276 to 278: Is there a reason to check whether the component is nil? I don’t see a situation where it becomes nil.<aside> 💡 The issue is patched according to the recommendation.
</aside>
// line 395, 364
pub fun claimFlovatarCommunityDust(id: UInt64, address: Address) {
if let claimableDust: ClaimableDust = self.getClaimableFlovatarCommunityDust(id: id, address: address){
pub fun getClaimableFlovatarCommunityDust(id: UInt64, address: Address): ClaimableDust? {
if let flovatarScore: UFix64 = Flovatar.getFlovatarRarityScore(address: address, flovatarId: id){
The claimFlovatarCommunityDust functionality relies on the return value from the Flovatar contract to determine the Flovatar rarity score. As seen in the getFlovatarRarityScore function, any resource that is stored inside the CollectionPublicPath path with {Flovatar.CollectionPublic} interface is blindly trusted as the correct resource.
// line 552 to 562
pub fun getFlovatarRarityScore(address: Address, flovatarId: UInt64) : UFix64? {
let account = getAccount(address)
if let flovatarCollection = account.getCapability(self.CollectionPublicPath).borrow<&{Flovatar.CollectionPublic}>() {
if let flovatar = flovatarCollection.borrowFlovatar(id: flovatarId) {
return flovatar.getRarityScore()
}
}
return nil
}