[Eco Bounty] ioPay - Duplicate Wallet Names via Trailing Whitespace Bypass

Summary
The ioPay wallet allows users to create visual duplicate names for different wallet addresses if one name contains a trailing space. The system fails to "trim" whitespace or validate for uniqueness against existing names when a space is added to the end of the input string.

Steps to Reproduce

  1. Open the ioPay app and go to the Wallets management screen.

  2. Select a wallet and rename it to a specific name (e.g., "Cryptotestnet").

  3. Select a different wallet address.

  4. Attempt to rename this second wallet to the exact same name: "Cryptotestnet". (The app usually blocks this).

  5. Now, rename it to the same word but add a space at the end: "Cryptotestnet " (note the space after the last letter).

  6. Save the change.

Expected Behavior

  • The app should automatically trim trailing/leading whitespace from the name field before saving.

  • The app should detect that "Cryptotestnet " is functionally identical to "Cryptotestnet" and prevent the duplicate name to avoid user confusion.

Actual Behavior

  • The app accepts the name with the trailing space as a "unique" string.

  • The Wallet list now shows two different addresses with the exact same visual label (see screenshot), making it difficult for the user to distinguish between them.

Visual Evidence

The provided screenshot shows two wallets labeled "Cryptotestnet" with different EVM addresses (0x5d9d... and 0x5f55...). The arrows indicate that the system has allowed these identical-looking labels to coexist.

Impact

  • User Confusion: Users may send funds to the wrong address because they cannot tell which "Cryptotestnet" wallet is which.

  • Security/UX Risk: Lack of string validation and trimming is a common UI/UX oversight that can lead to data management issues.

Suggested Fix

Implement a .trim() function on the name input field before the uniqueness check occurs, ensuring that names are compared based on alphanumeric characters only.

Wallet Address: io1tkw393kejmxwnd454twc6020sxcyvh5dxqmren

Device & Environment:

  • Operating system: Android 13

  • Device model: Redmi Note 10 Pro
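
One way to implement the trim-then-compare check from the Suggested Fix, as an added example that is not part of the original report or ioPay's code. The function names, the Map-based wallet store and the sample addresses are assumptions; it goes beyond the reported trailing space to also cover leading and repeated whitespace and zero-width characters, which produce the same visually identical labels.

```javascript
// Added example (not ioPay code). All names and sample data are hypothetical.
const INVISIBLE = /[\u200B-\u200D\u2060\uFEFF]/g; // zero-width characters

// Canonical form used for BOTH storage and the uniqueness comparison.
function normalizeWalletName(raw) {
  return String(raw)
    .normalize("NFKC")       // fold compatibility forms, e.g. NBSP -> space
    .replace(INVISIBLE, "")  // drop characters that render as nothing
    .replace(/\s+/g, " ")    // collapse internal whitespace runs
    .trim();                 // remove leading/trailing whitespace
}

// wallets: Map<address, label>. Rejects empty names and visual duplicates.
function renameWallet(wallets, address, requestedName) {
  const name = normalizeWalletName(requestedName);
  if (name.length === 0) return { ok: false, reason: "empty" };
  for (const [addr, existing] of wallets) {
    // Normalize stored labels too, so legacy entries saved with a
    // trailing space are still detected as conflicts.
    if (addr !== address && normalizeWalletName(existing) === name) {
      return { ok: false, reason: "duplicate", conflictsWith: addr };
    }
  }
  wallets.set(address, name); // store the canonical form, never the raw input
  return { ok: true, name };
}

// Audit labels that were already saved before the fix was deployed.
function findVisualDuplicates(wallets) {
  const groups = new Map();
  for (const [addr, label] of wallets) {
    const key = normalizeWalletName(label);
    groups.set(key, [...(groups.get(key) || []), addr]);
  }
  return [...groups].filter(([, addrs]) => addrs.length > 1);
}

// Constructed sample data reproducing the reported state.
const sampleWallets = new Map([
  ["addr-1", "Cryptotestnet"],
  ["addr-2", "Cryptotestnet "], // trailing space, as in the report
]);
console.log(findVisualDuplicates(sampleWallets));
console.log(renameWallet(sampleWallets, "addr-2", "Cryptotestnet "));
```
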


Status

In Review

Board

New Issue

Date

24 days ago

Author

cryptotestnet
