AST-06: Assignment Operator in Consolidation Script Masks Transfer Failures
Severity: HIGH
Affected File(s): consolidation.js:198
Description
A JavaScript bug uses assignment (=) instead of comparison (===). The expression sendToMainAddressRes['status'] = 'SUCCESS' always evaluates to true, masking all transfer failures. The else branch is dead code.
Vulnerable Code
if(sendToMainAddressRes['status'] = 'SUCCESS'){
    console.log('Consolidation success');
}else{
    console.log('Consolidation failed'); // dead code
}
Impact
Financial loss. Script always reports successful consolidation and proceeds to withdraw even when transfers failed. Users believe funds were moved when they were not.
Proof of Concept
Run consolidation.js when the API returns a FAILED status. The script still reports success and proceeds to withdrawal phase.
Recommended Fix
if(sendToMainAddressRes['status'] === 'SUCCESS'){
Methodology: Triple-verification static analysis -- each finding verified across three independent code review passes.
Researcher: Independent Security Researcher -- Mefai Security Team
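An added example, not part of the original issue or the project's code: it runs the reported check and a strict, fail-closed check against constructed API responses. It also shows that the assignment overwrites the FAILED status on the response object itself. The response shape and the helper names (buggyCheck, strictCheck, evaluate) are assumptions made for illustration.

```javascript
'use strict';

// Constructed sample responses; the real API's response shape is assumed
// to carry a string `status` field, as in the snippet quoted in the issue.
const failedRes = () => ({ status: 'FAILED', error: 'insufficient balance' });
const okRes = () => ({ status: 'SUCCESS', txid: 'constructed-txid' });

// The check as written in the issue: assignment, not comparison.
function buggyCheck(res) {
  if (res['status'] = 'SUCCESS') { // assigns, then tests the truthy string
    return 'proceed';
  }
  return 'abort'; // unreachable
}

// Hardened check (hypothetical helper): strict comparison that fails closed
// on anything other than the exact string 'SUCCESS', including a missing
// or malformed response.
function strictCheck(res) {
  if (res !== null && typeof res === 'object' && res.status === 'SUCCESS') {
    return 'proceed';
  }
  return 'abort';
}

// Runs one check against a fresh response and reports the decision together
// with the status field as it reads after the check has run.
function evaluate(check, makeRes) {
  const res = makeRes();
  const decision = check(res);
  return { decision, statusAfter: res ? res.status : undefined };
}

// The buggy check proceeds and rewrites the evidence of the failure.
console.log('buggy  / FAILED :', evaluate(buggyCheck, failedRes));
// The strict check aborts and leaves the response untouched.
console.log('strict / FAILED :', evaluate(strictCheck, failedRes));
console.log('strict / SUCCESS:', evaluate(strictCheck, okRes));
```

ESLint's `no-cond-assign` rule flags this pattern at lint time, which catches it before review.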