Skip to content

Fix issue with claims #188

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
Schwartz10 merged 3 commits into from
Jan 22, 2026
Merged

Fix issue with claims #188

Schwartz10 merged 3 commits into from
Jan 22, 2026

Conversation

@Schwartz10
Copy link
Contributor

@Schwartz10 Schwartz10 commented Jan 22, 2026

No description provided.

@claude
Copy link

claude bot commented Jan 22, 2026

Code review

No issues found. Checked for bugs and CLAUDE.md compliance.

@Schwartz10
Copy link
Contributor Author

Schwartz10 commented Jan 22, 2026

@claude do you see any bugs or security issues?

@claude
Copy link

claude bot commented Jan 22, 2026
edited
Loading

Claude finished @Schwartz10's task in 1m 19s —— View job

Code Review: Bugs and Security Issues

Tasks

  • Read repository guidelines (CLAUDE.md)
  • Review cmd/airdrop.go changes
  • Review new cmd/plus_change_owner_for_agent.go file
  • Analyze for bugs and security issues
  • Post findings

Findings

After reviewing the code changes, I found no bugs or security issues. Here's what I verified:

cmd/airdrop.go Changes (Lines 62-74, 118-119, 123-124)

The changes fix a bug where agent claims weren't being resolved properly by:

  1. Storing the agent address when an address maps to an agent owner (line 74)
  2. Passing the agent address to merkle tree methods for proper duplicate resolution (lines 118, 123)

Security validation:

  • ✅ Authorization check exists: if addressToClaimOnBehalf != auth.From prevents claiming on behalf of others (line 85-87)
  • ✅ Input validation: AddressOrAccountNameToEVM validates and parses addresses (line 56)
  • ✅ Proper error handling throughout
  • ✅ No privilege escalation: Users can only claim for themselves or their own agents
  • ✅ Agent-to-owner mapping is read from a trusted source (token.ReadAgentOwnerMap)

The logic is sound: if the input address is an agent, the code switches addressToClaimOnBehalf to the owner while preserving the original agent address for merkle tree lookups. The authorization check ensures the transaction signer matches the owner address.

cmd/plus_change_owner_for_agent.go (New File)

This command transfers GLIF Card ownership when an agent's owner changes.

Security validation:

  • ✅ Uses commonSetupOwnerCall which requires owner authentication (line 23)
  • ✅ Input validation through helper functions
  • ✅ Proper transaction confirmation with StateWaitReceipt (line 44)
  • ✅ No external input accepted (Args: cobra.NoArgs)
  • ✅ Calls SDK method SPPlusChangeOwnerForAgent which should enforce its own business logic

The security model relies on:

  1. commonSetupOwnerCall retrieving the agent address from local storage
  2. Wallet authentication via passphrase/environment variable
  3. SDK enforcement of ownership rules

Recommendations (minor):

  • Consider adding a confirmation prompt before executing the transfer, as this changes ownership of assets
  • Consider logging the agent address and new owner address for audit purposes

Summary

No security vulnerabilities or bugs detected. The airdrop fix properly handles agent claim resolution, and the new transfer command follows the established authentication patterns in the codebase.

@Schwartz10 Schwartz10 merged commit e3b8209 into main Jan 22, 2026
2 checks passed
@Schwartz10 Schwartz10 deleted the schwartz-fixes branch January 22, 2026 22:25
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

2 participants

@Schwartz10