wallet's Issues

Get wallet address after offline creation

This feature will allow us to create so-called "cold" wallets without using external tools like hardware wallets. Currently it's impossible to get the address of a wallet created offline without actually connecting to the internet.

The APP Isn't Password Protected nor Does It Authenticate Before Logging Out

Bug Type

Security

Reproduction steps

1- Open your TonHub.

Actual result

The APP opens normally without requiring a password.

Expected result

The APP should ask for password or fingerprint so intruders don't get to know the user's balance.

Also, one could possibly log the user out of the APP without requiring a password, which would be troublesome if the user didn't back the recovery phrase up.

Suggested Severity

Vulnerability

Device

Smartphone (please complete the following information):

  • Device: Redmi Note 7
  • OS: Android 12
  • Version 2.5.2

The APP Allows Taking Screenshots of The Recovery Phrase

Bug Type

Security

Reproduction steps

1- Open your TonHub.
2- Head to Settings then Backup keys.
3- Take a screenshot of the recovery phrase.

Actual result

The APP takes a screenshot with the recovery phrase visible (not black screened).

Expected result

Such sensitive info should be black screened (such as in the Android APP version of wallet.ton.org), because other APPs might have access to this screenshot. Or maybe the device has some spyware.

Suggested Severity

Vulnerability

Device

Smartphone (please complete the following information):

  • Device: Redmi Note 7
  • OS: Android 12
  • Version 2.5.2

Transferring Coins From Old Wallets With Very Low Balance Keeps Loading Forever

Bug Type

UX

Reproduction steps

1- You need to have an obsolete wallet and use the same recovery phrase to open a wallet on TonHub.
2- Migrate old coins to TonHub using the migration feature.
3- Observe the migration take forever if you have an old wallet with very low balance.

Actual result

When it is the turn of the wallet with very low balance to be migrated, the app will just get stuck trying to migrate it. This might be problematic because it might prevent other wallet versions from being migrated after it.

This page will stay there forever.

Expected result

Get some error about that wallet being very low balance and keep on migrating other wallets.

Suggested Severity

Medium

Device

Smartphone (please complete the following information):

  • Device: Redmi Note 7
  • OS: Android 12
  • Version 1.19.7

Trying to use the 'bin' argument to sign a transaction to my own contract with a custom payload

Hello! I tried to use a transaction like https://tonhub.com/transfer/${address}?amount=${amount}&bin=${payload}

How I generated payload:

beginCell()
  .storeUint(777, 32)
  .storeDict(someDictAsCell)
  .storeRef(someRefAsCell)
  .endCell()
  .toBoc() // or with idx: false. Same result
  .toString('base64')
  

What I did
When I try to use it via the Sandbox wallet (with test.tonhub.com) it looks like everything is fine. I saw a popup with the message info and can tap on the send button, but the sandbox environment didn't see my testnet TON coins. I guess it's another network.

I decided to try it on mainnet with the Tonhub wallet (iOS version) and real coins, but when I open the link nothing happens. No error messages, just nothing. (I used the same link as for Sandbox but without 'test.')

Question
I want to ask: has it been implemented in the mainnet wallet (iOS/Android), and can I use it to sign my custom payload in transactions, or should I use another way to do this? If it's not implemented, do you have some plans and estimates for doing it?

P.S. Sorry if this is the wrong place for asking about it. I didn't find any tech channels for questions to whales.
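
Added example (not part of the original post and not Tonhub code): the link shape quoted above puts standard base64 straight into a query string, where '+' is read back as a space, so whatever parses the link can receive different bytes than were encoded. The address, amount and payload bytes below are constructed placeholders, and nothing here asserts how Tonhub itself parses the 'bin' parameter.

```javascript
// Link prefix as quoted in the post; everything else is constructed for illustration.
const BASE = 'https://tonhub.com/transfer/';
const ADDRESS = 'EQ_CONSTRUCTED_PLACEHOLDER_ADDRESS'; // placeholder, not a real address
const AMOUNT = '1';                                   // placeholder value

// Constructed bytes whose standard base64 form is "++++/+A=" ('+', '/' and '=').
const payloadBytes = Buffer.from([0xfb, 0xef, 0xbe, 0xff, 0xe0]);

// String interpolation as in the post: base64 lands in the query unescaped.
function naiveLink(address, amount, bytes) {
  return `${BASE}${address}?amount=${amount}&bin=${bytes.toString('base64')}`;
}

// Let the URL API serialise the parameters so '+', '/' and '=' are percent-encoded.
function safeLink(address, amount, bytes) {
  const url = new URL(BASE + encodeURIComponent(address));
  url.searchParams.set('amount', String(amount));
  url.searchParams.set('bin', bytes.toString('base64'));
  return url.toString();
}

// What a standards-conformant query parser hands to the receiving side.
function recoverPayload(link) {
  const bin = new URL(link).searchParams.get('bin');
  return { bin, bytes: Buffer.from(bin, 'base64') };
}

// True only if the bytes recovered from the link equal the bytes that were encoded.
function roundTrips(link, bytes) {
  return recoverPayload(link).bytes.equals(bytes);
}

const naive = naiveLink(ADDRESS, AMOUNT, payloadBytes);
const safe = safeLink(ADDRESS, AMOUNT, payloadBytes);
console.log('naive:', JSON.stringify(recoverPayload(naive).bin), roundTrips(naive, payloadBytes));
console.log('safe: ', JSON.stringify(recoverPayload(safe).bin), roundTrips(safe, payloadBytes));
```

A receiver that checks the decoded payload against what the sender intended before signing would catch the first case; the second link carries the same bytes end to end.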

Tonhub cannot select from contacts while sending jettons

Bug Type

Functional

Reproduction steps

When sending jettons from a jetton account the receiver cannot be chosen from the contacts.

Actual result

The contacts allow for sending TONs only.

Expected result

When sending using Contacts the expected behavior is either

  1. to choose from the token-account list (currency, e.g. TON, Jetton1, Jetton2, ...), or
  2. to send from any account (basic TON or a jetton's) providing Contact list to choose recipient from

Suggested Severity

High

Device

Android

Additional Context

No response

SPAM filter works only for transactions with a comment

Bug Type

Functional

Reproduction steps

  1. Open Tonhub app
  2. Log in to your wallet with positive balance
  3. Go to Settings
  4. Open SPAM filter feature and set the 'Min TON amount' = 10, click 'Apply' button and confirm the action in pop-up.
  5. Make a send transaction of less than 10 TON, with some comment, to another wallet. Pay attention to the list of transactions.
    Actual result: The transaction is displayed in history with SPAM mark
  6. Make a send transaction of less than 10 TON, without any comment, to another wallet. Pay attention to the list of transactions.

Actual result

The transaction is displayed in history without SPAM mark

Expected result

The transaction is displayed in history with SPAM mark

Suggested Severity

High

Device

  • Device: iPhone 11
  • OS: 14.3

iOS: don't display jettons in tab with invoice and on main page

Bug Type

UX

Reproduction steps

  1. See Red Coin jetton invoice in Tonkeeper. Red Coin is here
  2. Copy and paste wallet addresses from TonHub and Tonkeeper (proof that it is the same wallet)
  3. See Red Coin jetton invoice in TonHub. Red Coin missing

Actual result

Red Coin missing

Expected result

Red Coin is here

Suggested Severity

Medium

Device

Device: Apple iPhone 11
OS: iOS 15.6.1
App Version 1.19.7

Additional Context

No response

Tonhub - iOS - Sending transactions with long comment text

Sending transactions with long comment text

Bug type

Functional

Reproduction steps

  1. Open Tonhub
  2. Click the send menu.
  3. Fill amount and address wallet fields.
  4. Insert into comment long enough text
  5. Click Continue and Confirm the transaction.

Actual result

The Tonhub application tries to send the transaction but can't. Then it asks the user to confirm the transaction again, and loops through these two steps infinitely.

Expected result

The application should not allow inserting/sending text, which could harm sending the transactions.

Suggested severity

Medium

Device

Smartphone:

  • Device: iPhone12
  • OS: iOS 15.6.1
  • Tonhub: v1.19.7

QR code scanner doesn't open in Android app

Name: QR code scanner and flash not working
About: You can't send TON by scanning QR code because camera loads infinitely
Labels: Bug report
Assignees: (none)

Bug type

Functional

Reproduction steps

  1. Click "Send"
  2. Click "scan qr code"
  3. Allow camera access if this is first launch

Actual result

Infinite loading screen, flash button also doesn't work. You can't use an image from the gallery, because such a button doesn't exist

Expected result

QR scanner opens, flash button works, using images from gallery is possible

Suggested Severity

High

Device

Smartphone: Redmi Note 8
OS: MIUI Global 12.5.2 Stable
App version: 1.19.7

Support for sending coins from any version of the wallet contract

Thank you for your work on the wallet! Cool!
It would be great if you added the ability to choose from which version of the wallet contract (for example, v3 or v4, i.e. from which address) the TONs will be sent.
An example of a situation where this is necessary: I staked a coin with v3 using the nominator’s contract, the wallet application has been updated to v4, but in order to withdraw coins from the nominator’s contract, you need to send a withdrawal request from the v3 wallet.

Android: Unable to use biometrics

Bug Type

Functional

Reproduction steps

  1. Open app
  2. Create new or add existing wallet
  3. Tap on "Protect with biometrics"
  4. Confirm biometrics

Actual result

Biometrics not accepted, unable to create wallet

Expected result

Biometrics accepted

Suggested Severity

Critical

Device

Smartphone (please complete the following information):

  • Device: OPPO Reno 7 Pro
  • OS: Android 12
  • Version v1.22.1

Additional Context

logcat could be useful:

01-26 21:23:52.717  2188  2188 D BiometricPrompt/AuthContainerView: pendingCallback: 4
01-26 21:23:52.717  2188  2188 D AuthController: onDialogDismissed: 4
01-26 21:23:52.720  1542  1969 D BiometricService/AuthSession: addAuthToken: 0
01-26 21:23:52.721  1542  1969 D BiometricService/AuthSession: sensorId: 0, shouldCancel: true
01-26 21:23:52.721  1542  1969 D FingerprintService: cancelAuthenticationFromService, sensorId: 0
01-26 21:23:52.721  1542  1969 D Fingerprint21: cancelAuthentication, sensorId: 0
01-26 21:23:52.721  1542  1969 E Biometrics/Fingerprint21/OplusFingerprint21ServiceProviderExtImpl: Current client is null
01-26 21:23:52.721  1542  1969 E BiometricScheduler/Fingerprint21: Unable to cancel authentication, null operation
01-26 21:23:52.722  2188  3091 I BufferQueueProducer: [ViewRootImpl[OplusBiometricPrompt]#634(BLAST Consumer)634](id:88c00000280,api:1,p:2188,c:2188) disconnect: api 1
01-26 21:23:52.723   648   648 D TlcTeeKeyMaster: TEE_Begin 4.1
01-26 21:23:52.723   648   648 D TlcTeeKeyMaster: purpose = 0x00000000
01-26 21:23:52.723  2188  3091 E BLASTBufferQueue: BLASTBufferItemConsumer::onDisconnect()
01-26 21:23:52.723  2188  2188 D View    : [Warning] assignParent to null: this = com.android.systemui.biometrics.AuthContainerView{3391add IFE...... .F.....D 0,0-1080,2400 aid=202}
01-26 21:23:52.724  1542  2973 D OplusDisplayPolicy: com.android.systemui, change system app cutoutMode: oplus always
01-26 21:23:52.724  1542  2973 I OplusScreenSecurityMask: remove WindowsName list: Window{3782dae u0 OplusBiometricPrompt} list size: 0 isFromSetSecure: false , surfaceShown = false , displayId = 0
01-26 21:23:52.724  1542  2973 I OplusScreenSecurityMask: onSecurityPageFlagChanged size: 0 , surfaceShown = false , displayId = 0
01-26 21:23:52.724   648   648 E TlcTeeKeyMaster: (keymaster_error_t)tci->response.header.returnCode == -26
01-26 21:23:52.724   648   648 E TlcTeeKeyMaster: transact(session_handle, tci) == -26
01-26 21:23:52.725   648   648 D TlcTeeKeyMaster: TEE_Begin exiting with -26
01-26 21:23:52.725  1542  2973 W WindowManager: Changing focus from Window{3782dae u0 OplusBiometricPrompt} to Window{ddb49bc u0 com.tonhub.wallet/com.tonhub.wallet.MainActivity} displayId=0 Callers=com.android.server.wm.RootWindowContainer.updateFocusedWindowLocked:492 com.android.server.wm.WindowManagerService.updateFocusedWindowLocked:6011 com.android.server.wm.WindowManagerService.relayoutWindow:2601 com.android.server.wm.Session.relayout:247
01-26 21:23:52.725   647 31494 E keystore2: keystore2::error: In create_operation: Failed to begin operation.
01-26 21:23:52.725   647 31494 E keystore2: 
01-26 21:23:52.725   647 31494 E keystore2: Caused by:
01-26 21:23:52.725   647 31494 E keystore2:     0: In upgrade_keyblob_if_required_with: Called closure failed.
01-26 21:23:52.725   647 31494 E keystore2:     1: Error::Km(ErrorCode(-26))
01-26 21:23:52.727  1542  2973 D Theia.NoFocusWindow: FocusWindowErrorScene cancelCheckFreezeScreen

Staking. Unstake with 0 amount is possible and blockchain eats commission (iOS)

TonHub v1.19.7
iPhone 11 iOS 15.3.1

Steps:

  1. Go to Staking
  2. Tap on first pool
  3. Tap on "Unstake"
  4. Enter 0 amount
  5. Tap On "Continue"

Actual Result:
Main screen opened
Balance decreased due to commissions
In the operations list I got 2 operations, -0.2 and +0.09, but really, I lost my money =(

Expected result:
error "...you don't have enough coins staked"
withdrawal request screen still open

App randomly changes last characters of receiver wallet

Name: App randomly changes last characters of receiver wallet for user not telling user about that
About: When sending coins, after entering wallet it will be shown with different 2 last characters
Labels: Bug report
Assignees: (none)

Bug type

other

Reproduction steps

  1. Click "Send"
  2. Enter value and receiver address
  3. Click continue

Actual result

Confirmation screen and operation log shows receiver address with 2 different last characters, which can confuse user about why it changed

Expected result

The address is exactly the same to exclude possibility of misunderstanding

Suggested Severity

Low

Device

Smartphone: Redmi Note 8
OS: MIUI Global 12.5.2 Stable
App version: 1.19.7

Unable to transfer funds via domain address

Bug Type

Functional

Reproduction steps

  1. Open the transfer window in Tonhub
  2. Input valid .ton / .t.me domain address
  3. Click the continue button.

Actual result

Got the error "Invalid domain"

Expected result

Successful sending funds

Suggested Severity

Medium

Device

Smartphone (please complete the following information):

  • Device: iPhone 12
  • OS: 16.3.1
  • Tonhub: v.1.24.0

iOS: Impossible to paste recovery phrases from a clipboard on the 'Import existing wallet' screen

Bug Type

UX

Reproduction steps

  1. Open Tonhub
  2. Click 'Import existing wallet'
  3. Copy phrases "forum plug observe jealous beach brave two improve imitate apology pen dwarf fade dream crop play drum stuff metal winner icon shuffle inner calm" and paste

Actual result

Phrase is pasted into one line. Impossible to pass the flow fast, a little inconvenient every time to write it manually

Expected result

Phrase is parsed for words and each of them pasted into fields

Suggested Severity

Medium

Device

  • Device: iPhone 11
  • OS: 14.3

Additional Context

The same behavior is tested on Tonkeeper and it works as expected.

`MAX` Button in Staking Section Doesn't Work Correctly

Bug Type

UX

Reproduction steps

1- In an account with zero balance (brand new) go to staking extension.
2- Select any staking pool.
3- Press MAX button on the top right.

Actual result

The APP chooses a staking balance of -0.2 instead of 0.

Expected result

The APP should select 0 or fire a prompt that the account is balance-less.

Suggested Severity

Low

Device

Smartphone (please complete the following information):

  • Device: Redmi Note 7
  • OS: Android 12
  • Version 1.19.7

Wallet doesn't load entire transaction history

Current version 1.13.3 won't load entire transaction history for the account, and after updating the app older entries are removed too.

Even more than that, new feature of showing jettons will only work if the transaction in which these tokens were added was loaded by the app.

Implement token burning

Among basic features like sending / showing balances, the wallet should also support the standard call "burn".
This is needed for the WTON token, which enables redeeming native Toncoin via token burning.

Support reading jetton metadata when stored onchain

Creator of the open source Jetton Deployer here.

We have chosen to store jettons deployed with our tool on-chain.

Quoting from our readme on the issue:

  • Where is this metadata stored? - The Jetton standard supports storing metadata either on-chain or in an off-chain URL (a JSON file hosted somewhere). It is our belief that the best practice is storing metadata on-chain. Why? Let's explore the alternatives:

    • On-chain - On-chain data is immutable, users can be guaranteed that important fields like the symbol will not change without their consent. On-chain data is also guaranteed to always be available. This deployer always stores metadata on-chain.

    • Off-chain IPFS (ipfs:// URL) - IPFS data is immutable so it's safe like on-chain. But IPFS data is not guaranteed to always be available. Availability depends if someone is willing to pin the data (similar to seeding in torrents). If this someone goes out of business or suffers downtime, token metadata will disappear. This is an unnecessary risk in our eyes.

    • Off-chain website (https:// URL) - This is by far the worst option. The owner of the website could change the metadata without user consent (not necessarily on purpose if the website is hacked). The website can also be taken down and the metadata will disappear. Users should never invest money in tokens that have their metadata stored this way.

    What about the Jetton Logo URI, if it's stored on a website, can't it change? Yes, it can change and this is a feature. We believe that logos can go through rebranding without putting users at risk. Satoshi Nakamoto didn't design the current logo of Bitcoin when he wrote the initial code.

An example code for parsing such metadata can be found here

We believe it would be an important addition to support this, both in tonhub wallet and the tonwhales chain explorer.

Android App Tonhub crash after update to v1.21.4

Bug Type

Functional

Reproduction steps

  1. Update App to v1.21.4
  2. Run the App.
  3. App immediately crashes

Actual result

App immediately crashes

Expected result

App runs correctly

Suggested Severity

Critical

Device

Smartphone:

  • Device: Samsung Note 20 Ultra 5G
  • OS: Android 13, One-UI 5
  • Version v1.21.4

Additional Context

App ran normally before the v1.21.4 update. After the update it crashes immediately after start. UI not rendering, just boot logo and closing.

Tonhub wallet error

When I open the wallet I downloaded from the Play Store, it doesn't let you create an account; it stays on "Protect you wallet" and doesn't get past that.
