From a5a39baee0aa5184225a50bb09c5d237e422cb92 Mon Sep 17 00:00:00 2001 From: Valisthea Date: Sun, 5 Apr 2026 13:02:20 -0400 Subject: [PATCH 1/2] fix(consolidation): critical assignment bug masks transfer failures (#87) MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit - Line 198: `status = 'SUCCESS'` (assignment) → `status === 'SUCCESS'` (comparison) This bug causes the if-condition to ALWAYS evaluate to true, silently masking failed consolidation transfers - Add null checks on sendToMainAddressRes and spotWithdraw API responses - Fix typo: `withdraw_ignature` → `withdraw_signature` - Replace all implicit globals with `let`/`const` declarations - Replace all loose `==` with strict `===` --- consolidation.js | 50 ++++++++++++++++++++++++------------------------ 1 file changed, 25 insertions(+), 25 deletions(-) diff --git a/consolidation.js b/consolidation.js index aaf5136..6aca084 100644 --- a/consolidation.js +++ b/consolidation.js @@ -87,7 +87,7 @@ var value = { } async function getUrl(my_dict) { - content = '' + let content = '' for (let key in my_dict) { content = content + key + '=' + my_dict[key] + '&' } @@ -105,12 +105,12 @@ async function sign_v1(secretKey, message) { } async function sendRequest(url, method) { - headers = {} - key = api_key - if (use_new_apikey == true) { + let headers = {} + let key = api_key + if (use_new_apikey === true) { key = new_address_apikey } - if (method == 'POST') { + if (method === 'POST') { headers = { 'Content-Type': 'application/x-www-form-urlencoded', 'X-MBX-APIKEY': key, @@ -134,12 +134,12 @@ async function sendRequest(url, method) { } async function send_v1(path, method, my_dict) { - content = await getUrl(my_dict) - secret = api_secret - if (use_new_apikey == true) { + const content = await getUrl(my_dict) + let secret = api_secret + if (use_new_apikey === true) { secret = new_address_apiSecret } - signature = await sign_v1(secret, content) + const signature = await sign_v1(secret, content) path = path + '?' + content + '&signature=' + signature return await sendRequest(host + path, method) } @@ -156,32 +156,32 @@ async function generateSignature() { } async function send(config, addParams) { - path = config['url'] - method = config['method'] - my_dict = { ...config['params'], ...addParams } + const path = config['url'] + const method = config['method'] + const my_dict = { ...config['params'], ...addParams } return await send_v1(path, method, my_dict) } async function sign(private_key, message) { - wallet = new ethers.Wallet(private_key); + const wallet = new ethers.Wallet(private_key); const signature = await wallet.signMessage(message); return signature } async function main() { //循环归集 - i = 0 + let i = 0 for (const config of new_address_config) { console.log('开始归集账户:', config.address); //获取创建apikey的nonce let nonce = await send(spot_get_nonce, {'address': config.address}) //给新地址创建api_key api_secret - message = 'You are signing into Astherus ${nonce}'.replace('${nonce}', nonce) - userSignature = await sign(config.private_key,message) + const message = 'You are signing into Astherus ${nonce}'.replace('${nonce}', nonce) + const userSignature = await sign(config.private_key,message) //创建apikey时的描述信息 注意同一账户的desc不能重复 - var key_desc = Date.now() +'_' + i + const key_desc = Date.now() +'_' + i i = i + 1 let new_api = await send(spot_create_apikey, { 'userSignature': userSignature,'address': config.address,'desc': key_desc }) new_address_apikey = new_api['apiKey'] @@ -192,10 +192,10 @@ async function main() { use_new_apikey = true //归集 使用新生成的apikey api_secret 将新地址的CDL转账到老地址账户 - sendToMainAddressRes = await send(spot_send_toAddress, { 'asset': config.asset, "amount": config.amount, "toAddress": main_address }) + const sendToMainAddressRes = await send(spot_send_toAddress, { 'asset': config.asset, "amount": config.amount, "toAddress": main_address }) console.log('sendToMainAddressRes:', sendToMainAddressRes) use_new_apikey = false - if(sendToMainAddressRes['status'] = 'SUCCESS'){ + if(sendToMainAddressRes && sendToMainAddressRes['status'] === 'SUCCESS'){ console.log('归集成功:', config.address); }else{ console.log('归集失败:', config.address); @@ -203,25 +203,25 @@ async function main() { } - estimateFee = await send(spot_withdraw_estimateFee, {}) + const estimateFee = await send(spot_withdraw_estimateFee, {}) console.log('estimateFee:', estimateFee) //归集和提现的手续费 代币 数量配置 - fee = estimateFee['gasCost'] + const fee = estimateFee['gasCost'] value.fee = fee*1.5+'' console.log('提现手续费:', value.fee) - withdraw_ignature = await generateSignature() + const withdraw_signature = await generateSignature() //使用老账户进行提现操作 - spotWithdraw = await send(spot_withdraw, { + const spotWithdraw = await send(spot_withdraw, { 'fee': value.fee, 'nonce': withdraw_nonce, - 'userSignature': withdraw_ignature, 'receiver': main_address, 'asset': withdraw_asset, 'amount': withdraw_amount + 'userSignature': withdraw_signature, 'receiver': main_address, 'asset': withdraw_asset, 'amount': withdraw_amount }) - if(spotWithdraw['hash'] != ''){ + if(spotWithdraw && spotWithdraw['hash'] !== ''){ console.log('提现成功:', spotWithdraw['hash']); }else{ console.log('提现失败:', spotWithdraw); From bc30cf3adb805b618495e3d5728688ecb2d58e9c Mon Sep 17 00:00:00 2001 From: Valisthea Date: Sun, 5 Apr 2026 13:02:27 -0400 Subject: [PATCH 2/2] fix(demo): remove hardcoded wallet addresses from example files (#88) - aster-code.py: replace real ETH addresses (0x014c85ff..., 0xC98Fd64e...) with YOUR_* placeholder values + warning comment - sol_agent.py: replace real SOL address (6mSp4BuW...) and ETH addresses (0x71949710..., 0x014c85ff...) with YOUR_* placeholders + warning comment - Prevents users from accidentally sending funds to developer wallets --- demo/aster-code.py | 12 +++++++----- demo/sol_agent.py | 11 ++++++----- 2 files changed, 13 insertions(+), 10 deletions(-) diff --git a/demo/aster-code.py b/demo/aster-code.py index bbfdc21..15461bb 100644 --- a/demo/aster-code.py +++ b/demo/aster-code.py @@ -13,14 +13,16 @@ # aster_chain = 'Testnet' # chain_id = 714 -user = '0x014c85ffb0fF2F2972237AA950B452f92C69Ae1D' -main_private_key = '*' +# ⚠️ WARNING: Replace these with your own addresses and keys before use. +# These are PLACEHOLDER values — do NOT use on mainnet. +user = '0xYOUR_MAIN_WALLET_ADDRESS' +main_private_key = '0xYOUR_MAIN_PRIVATE_KEY' -signer = '0xC98Fd64eBc39E28b92849d9cCef9495663439014' -priKey = '*' +signer = '0xYOUR_AGENT_WALLET_ADDRESS' +priKey = '0xYOUR_AGENT_PRIVATE_KEY' -builder = '0x014c85ffb0fF2F2972237AA950B452f92C69Ae1D' +builder = '0xYOUR_BUILDER_ADDRESS' approveAgent = {'url': '/fapi/v3/approveAgent', 'method': 'POST', 'params':{'agentName': 'ivanbuilder','agentAddress':signer, 'ipWhitelist':'', 'expired':1967945395040,'canSpotTrade':True, diff --git a/demo/sol_agent.py b/demo/sol_agent.py index 201db78..1c62ded 100644 --- a/demo/sol_agent.py +++ b/demo/sol_agent.py @@ -8,12 +8,13 @@ import time import requests -user = '6mSp4BuWCNgRSwv8JopQwCma26hmBT8jrcgJNadq23Gt' -base58_private_key = '*' -signer = '0x71949710270163F096A8Bd342b266183Ae742e5E' -signer_pri_key = '*' +# ⚠️ WARNING: Replace these with your own addresses and keys before use. +user = 'YOUR_SOLANA_PUBLIC_KEY' +base58_private_key = 'YOUR_SOLANA_PRIVATE_KEY' +signer = '0xYOUR_AGENT_WALLET_ADDRESS' +signer_pri_key = '0xYOUR_AGENT_PRIVATE_KEY' -builder = '0x014c85ffb0fF2F2972237AA950B452f92C69Ae1D' +builder = '0xYOUR_BUILDER_ADDRESS' host = 'https://fapi3.asterdex.com' headers = {