
WARNING! We should review the source code first. The repo only edited the Readme.md and swapped out the download link with some malicious code. I think we might be fucked.
Hey, thanks for pointing that out, but don’t worry, nothing malicious going on.
The main Specter Desktop repo you're looking at only had its README updated because that's just a fork reference. The actual Secure Enclave integration code is entirely in our dedicated specter-enclave repository:
Everything there is open source and MIT-licensed, and the binaries we distribute are reproducible from that code. Definitely take a look yourself, we encourage reviews, audits, and any scrutiny!
Let me know if you have more questions or find anything unclear - I’m happy to walk you through it!
The fee subtraction logic in create_psbt incorrectly always subtracts from the first recipient, ignoring the subtract_from parameter. This can lead to misconfigured transactions.
and
Command Injection via subprocess.Popen with shell=True
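To make the first report concrete, here is an added example (not Specter Desktop's own code) of the fee-subtraction shape being described, alongside a version that honours a subtract_from parameter. The function names, the recipient tuples and the sats amounts are constructed for illustration; whether Specter's real create_psbt takes a single index or a list for subtract_from is assumed here, not taken from the page, so the example accepts both.

```python
"""Fee subtraction from recipients: reported shape vs. one that respects subtract_from.

Added example, not Specter Desktop's code. Amounts are integer satoshis so no
floating-point rounding can leak into the fee arithmetic.
"""

DUST_LIMIT_SATS = 546  # assumed dust threshold for P2WPKH-sized outputs


def subtract_fee_buggy(recipients, fee_sats, subtract_from=None):
    """Shape of the reported bug: subtract_from is accepted but ignored, and the
    fee always comes out of recipients[0]. Kept deliberately wrong for contrast."""
    out = list(recipients)
    addr, amount = out[0]
    out[0] = (addr, amount - fee_sats)
    return out


def subtract_fee(recipients, fee_sats, subtract_from, dust_limit_sats=DUST_LIMIT_SATS):
    """Deduct fee_sats from the recipients named by subtract_from.

    subtract_from may be one index or an iterable of indices (assumption about the
    parameter's type). The fee is split evenly across the named recipients, with
    any remainder satoshis going to the lowest indices, and every reduced output
    is checked against the dust limit so a misconfigured transaction is rejected
    instead of built.
    """
    if isinstance(subtract_from, int):
        payers = [subtract_from]
    else:
        payers = sorted(set(subtract_from))
    if not payers:
        raise ValueError("subtract_from must name at least one recipient")
    for i in payers:
        if not 0 <= i < len(recipients):
            raise IndexError(f"subtract_from index {i} out of range for {len(recipients)} recipients")
    if fee_sats < 0:
        raise ValueError("fee must be non-negative")

    share, remainder = divmod(fee_sats, len(payers))
    out = list(recipients)
    for n, i in enumerate(payers):
        addr, amount = out[i]
        cut = share + (1 if n < remainder else 0)  # first `remainder` payers take one extra sat
        new_amount = amount - cut
        if new_amount < dust_limit_sats:
            raise ValueError(
                f"recipient {i} would be left with {new_amount} sats, below the dust limit {dust_limit_sats}"
            )
        out[i] = (addr, new_amount)
    return out


def total_sats(recipients):
    """Sum of all output amounts; after fee subtraction this must drop by exactly the fee."""
    return sum(amount for _, amount in recipients)


# Constructed sample: three recipients, placeholder address labels, amounts in sats.
RECIPIENTS = [("addr_A", 100_000), ("addr_B", 50_000), ("addr_C", 20_000)]

if __name__ == "__main__":
    print("buggy, subtract_from=1 :", subtract_fee_buggy(RECIPIENTS, 1_001, subtract_from=1))
    print("fixed, subtract_from=1 :", subtract_fee(RECIPIENTS, 1_001, subtract_from=1))
    print("fixed, subtract_from=[1, 2]:", subtract_fee(RECIPIENTS, 1_001, subtract_from=[1, 2]))
```

The invariant worth asserting in a test of the real code is the one total_sats exposes: the sum of outputs after subtraction equals the sum before minus the fee, and only the indices named in subtract_from change.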
The fee subtraction logic in create_psbt incorrectly always subtracts from the first recipient, ignoring the subtract_from parameter. This can lead to misconfigured transactions. and Command Injection via subprocess.Popen with shell=True
Good catch, thanks for bringing these up.
Fee subtraction logic: You're right; the current implementation overly simplifies and defaults to the first recipient. We're tracking this and are actively working on a patch to correctly respect the subtract_from parameter across multiple recipients.
subprocess.Popen with shell=True: We're aware of this. Although our current usage sanitizes inputs thoroughly, using shell=True isn't ideal from a security perspective.
Really appreciate the scrutiny. If you're open to it, we'd welcome a PR or a deeper security review from your side - happy to discuss a bounty for quality fixes too!
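The second report, and the reply's point that sanitising inputs for shell=True "isn't ideal", is easiest to see side by side. Below is an added example, not code from Specter Desktop: a deliberately vulnerable string-interpolated shell call, the argv-list form that removes the shell from the path entirely, and the shlex.quote fallback for the rare case where a shell is genuinely needed. It uses printf as a stand-in for whatever external tool is being driven and assumes a POSIX system where /bin/sh and printf exist; the USER_INPUT value is constructed.

```python
"""subprocess with shell=True vs. an argument vector.

Added example, not Specter Desktop's code. `printf` stands in for the real
external command; assumes a POSIX shell is available.
"""
import shlex
import subprocess

# Constructed attacker-controlled value: a "label" that also carries a shell command.
USER_INPUT = "wallet1; echo INJECTED"


def run_vulnerable(label: str) -> str:
    """Interpolate the value into a shell string. The shell treats ';' as a command
    separator, so 'echo INJECTED' runs as a second command. Kept wrong on purpose."""
    cmd = f"printf '%s\\n' {label}"  # becomes: printf '%s\n' wallet1; echo INJECTED
    return subprocess.run(cmd, shell=True, capture_output=True, text=True, check=False).stdout


def run_argv(label: str) -> str:
    """Pass an argument vector. No shell parses anything: the whole label is one argv
    element, metacharacters included. This is the fix to prefer."""
    return subprocess.run(["printf", "%s\n", label], capture_output=True, text=True, check=False).stdout


def run_quoted(label: str) -> str:
    """If a shell really is required (pipes, globbing), quote each untrusted value with
    shlex.quote so it is a single shell word. Safer than ad-hoc sanitising, but the
    shell is still in the loop, so the argv form above is still the better default."""
    cmd = f"printf '%s\\n' {shlex.quote(label)}"
    return subprocess.run(cmd, shell=True, capture_output=True, text=True, check=False).stdout


def injected(output: str) -> bool:
    """Detection helper for the demo: did a second command's output appear on its own line?"""
    return "INJECTED" in output.splitlines()


if __name__ == "__main__":
    for name, fn in [("vulnerable", run_vulnerable), ("argv", run_argv), ("quoted", run_quoted)]:
        out = fn(USER_INPUT)
        print(f"{name:10s} injected={injected(out)!s:5s} stdout={out!r}")
```

The argv form needs no allow-list or escaping to be safe against shell metacharacters; an input allow-list is still worth keeping as defence in depth, but it is not what makes the call safe.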