100 sats \ 1 reply \ @NakamotoArchives 18 May \ parent \ on: Your Mac has a hardware wallet in it. You just aren’t using it yet. bitcoin
The fee subtraction logic in create_psbt incorrectly always subtracts from the first recipient, ignoring the subtract_from parameter. This can lead to misconfigured transactions.
and
Command Injection via subprocess.Popen with shell=True
Good catch, thanks for bringing these up.
Fee subtraction logic: You're right; the current implementation overly simplifies and defaults to the first recipient. We're tracking this and are actively working on a patch to correctly respect the subtract_from parameter across multiple recipients.
subprocess.Popen with shell=True: We're aware of this. Although our current usage sanitizes inputs thoroughly, using shell=True isn't ideal from a security perspective.
Really appreciate the scrutiny. If you're open to it, we'd welcome a PR or a deeper security review from your side - happy to discuss a bounty for quality fixes too!
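Added example, not the project's code and not from either commenter: a minimal fee-allocation routine that respects a subtract_from parameter across several recipients, which is the behaviour the thread says the current create_psbt lacks. The Output type, the build_outputs/apply_fee names, the placeholder addresses and the dust limit constant are all assumptions made for this example.

```python
from dataclasses import dataclass
from typing import List, Optional, Sequence, Tuple

# Constructed threshold for this example; the real dust limit depends on the
# output script type and the node's relay policy.
DUST_LIMIT_SATS = 546


@dataclass(frozen=True)
class Output:
    address: str
    amount_sats: int


def apply_fee(recipients: Sequence[Output], fee_sats: int,
              subtract_from: Optional[Sequence[int]] = None) -> List[Output]:
    """Deduct fee_sats from the recipients listed (by index) in subtract_from.

    None or an empty list means the fee is paid from the inputs (out of change),
    so the recipients are returned unchanged. Otherwise the fee is split evenly
    across the chosen recipients, with any remainder sats taken from the first
    chosen one. Never silently falls back to recipient 0.
    """
    if fee_sats < 0:
        raise ValueError("fee must be non-negative")
    if not subtract_from:
        return list(recipients)
    idx = list(subtract_from)
    if len(set(idx)) != len(idx):
        raise ValueError("subtract_from contains duplicate indices")
    if any(i < 0 or i >= len(recipients) for i in idx):
        raise ValueError("subtract_from index out of range")
    share, remainder = divmod(fee_sats, len(idx))
    out = list(recipients)
    for n, i in enumerate(idx):
        deduct = share + (remainder if n == 0 else 0)
        new_amount = recipients[i].amount_sats - deduct
        if new_amount < DUST_LIMIT_SATS:
            raise ValueError(f"recipient {i} would drop below dust after fee deduction")
        out[i] = Output(recipients[i].address, new_amount)
    return out


def build_outputs(input_total_sats: int, recipients: Sequence[Output], fee_sats: int,
                  subtract_from: Optional[Sequence[int]] = None,
                  change_address: str = "CHANGE_ADDRESS_PLACEHOLDER") -> Tuple[List[Output], int]:
    """Return (outputs, effective_fee_sats) for a spend of input_total_sats.

    The invariant checked at the end is the one a reviewer should look for in any
    PSBT builder: inputs minus outputs must equal at least the requested fee.
    """
    paid = apply_fee(recipients, fee_sats, subtract_from)
    change = input_total_sats - sum(o.amount_sats for o in paid) - fee_sats
    if change < 0:
        raise ValueError("insufficient funds for recipients plus fee")
    outputs = list(paid)
    if change >= DUST_LIMIT_SATS:
        outputs.append(Output(change_address, change))
    # A dust-sized change amount is not worth an output; it is absorbed into the fee.
    effective_fee = input_total_sats - sum(o.amount_sats for o in outputs)
    assert effective_fee >= fee_sats
    return outputs, effective_fee
```

With subtract_from=[1] the second recipient pays the fee and the first is untouched, which is exactly the case a "first recipient only" implementation gets wrong; the dust and duplicate-index checks are the edge cases that turn a wrong subtract_from into an error instead of a malformed transaction.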
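Added example, not the project's code and not from either commenter: the subprocess.Popen shell=True pattern raised above beside its hardened argv-list form, plus the check that a list form alone does not cover. The printf command and the function names are assumptions chosen so the example runs offline; the wallet's actual command is not on this page.

```python
import shlex
import subprocess


def label_shell_true(label: str) -> str:
    """The pattern flagged in the thread: a string command line with shell=True.

    /bin/sh parses the whole string, so shell metacharacters inside `label`
    change what gets executed instead of being passed through as data.
    Kept here only to show the behaviour; not for use.
    """
    proc = subprocess.Popen(f"printf '%s' {label}", shell=True,
                            stdout=subprocess.PIPE, stderr=subprocess.DEVNULL, text=True)
    out, _ = proc.communicate()
    return out


def check_positional(value: str) -> str:
    """Reject values that an argv list cannot make safe on its own.

    Passing argv as a list stops shell parsing, but a value beginning with '-'
    may still be read as an option by the child program, and a NUL byte cannot
    be handed to exec at all. Sanitising is not a substitute for shell=False,
    but this check is still worth keeping in front of the call.
    """
    if "\x00" in value:
        raise ValueError("argument contains NUL")
    if value.startswith("-"):
        raise ValueError("argument looks like an option flag")
    return value


def label_argv(label: str) -> str:
    """Hardened form: argv list, no shell, the value travels as one literal argument."""
    proc = subprocess.run(["printf", "%s", check_positional(label)],
                          capture_output=True, text=True, check=True)
    return proc.stdout


def quoted_command_line(label: str) -> str:
    """If a shell really is needed (pipes, redirections), quote each untrusted
    piece with shlex.quote and keep everything else a fixed literal."""
    return f"printf '%s' {shlex.quote(label)}"
```

The contrast to look for in review: with the argv form, a label containing `;` comes back byte-for-byte as printed, whereas with shell=True the same label is cut at the `;` because the remainder was executed as a second command.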