From 9d7f5e548bf1093672fa34029f004b5e8a44924d Mon Sep 17 00:00:00 2001 From: Donald Hutchison Date: Tue, 13 Sep 2022 14:56:28 +0200 Subject: [PATCH] Prevent sanctioned addresses using "write contract" feature (#743) * Compare chain id correctly - https://github.com/blockscout/blockscout/pull/6028 * Add chain id and json rpc to app config on startup. * Add sanctioned addresses. * ESLint fix. * Adjust pull request template. * Checkout mix.exs lol. --- PULL_REQUEST_TEMPLATE.md | 25 ------ .../assets/js/lib/smart_contract/interact.js | 83 +++++++++++++++++++ apps/block_scout_web/config/config.exs | 4 +- .../smart_contract/_functions.html.eex | 2 +- 4 files changed, 87 insertions(+), 27 deletions(-) diff --git a/PULL_REQUEST_TEMPLATE.md b/PULL_REQUEST_TEMPLATE.md index 85d642a3b506..503ff94867d1 100644 --- a/PULL_REQUEST_TEMPLATE.md +++ b/PULL_REQUEST_TEMPLATE.md @@ -1,5 +1,3 @@ -_[GitHub keywords to close any associated issues](https://blog.github.com/2013-05-14-closing-issues-via-pull-requests/)_ - ### Description _A few sentences describing the overall effects and goals of the pull request's commits._ @@ -18,26 +16,3 @@ _[GitHub keywords to close any associated issues](https://blog.github.com/2013-0 - Relates to #[issue number here] - Fixes #[issue number here] - - ### Backwards compatibility - - _Brief explanation of why these changes are/are not backwards compatible._ - -### Checklist - - - - - [ ] If I added new functionality, I added tests covering it. - - [ ] If I fixed a bug, I added a regression test to prevent the bug from silently reappearing again. - - [ ] I added code comments for anything non trivial. - - [ ] I added documentation for my changes. - - [ ] If I added/changed/removed ENV var, I submitted a PR to https://github.com/celo-org/monorepo to update the list and default values of env vars. - - [ ] If I add new indices into DB, I checked, that they are not redundant with PGHero or other tools. 
diff --git a/apps/block_scout_web/assets/js/lib/smart_contract/interact.js b/apps/block_scout_web/assets/js/lib/smart_contract/interact.js index 2b9219097c9e..acce795544d4 100644 --- a/apps/block_scout_web/assets/js/lib/smart_contract/interact.js +++ b/apps/block_scout_web/assets/js/lib/smart_contract/interact.js @@ -49,6 +49,11 @@ export const callMethod = (isWalletEnabled, $functionInputs, explorerChainId, $f openWarningModal('Unauthorized', formatError(error)) }) .then((currentAccount) => { + if (isSanctioned(currentAccount)) { + openErrorModal('Error in sending transaction', 'Address is sanctioned', false) + return + } + if (functionName) { const TargetContract = new window.web3.eth.Contract(contractAbi, contractAddress) const sendParams = { from: currentAccount, value: txValue || 0 } 
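Review bot: The new guard dereferences `currentAccount` without checking it is set: the preceding `.catch` handler only opens a warning modal and returns nothing, so the `.then` that follows receives `undefined` and `isSanctioned(undefined)` throws on `address.toLowerCase()` instead of showing the error modal. Guard the call, `if (currentAccount && isSanctioned(currentAccount)) {`, or have `isSanctioned` reject non-strings. It is also worth recording in a comment that this is a browser-side deterrent rather than an enforcement point, since a user can submit the same transaction from any wallet or edit the page script, e.g. `// Client-side check only; it blocks the explorer UI, not the transaction itself.` The enclosing callMethod body continues outside the hunk.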
@@ -86,6 +91,84 @@ export const callMethod = (isWalletEnabled, $functionInputs, explorerChainId, $f }) } +const sanctionedAddresses = [ + '0x03893a7c7463ae47d46bc7f091665f1893656003', + '0x07687e702b410fa43f4cb4af7fa097918ffd2730', + '0x0836222f2b2b24a3f36f98668ed8f0b38d1a872f', + '0x08723392ed15743cc38513c4925f5e6be5c17243', + '0x098b716b8aaf21512996dc57eb0615e2383e2f96', + '0x0d5550d52428e7e3175bfc9550207e4ad3859b17', + '0x12d66f87a04a9e220743712ce6d9bb1b5616b8fc', + '0x1356c899d8c9467c7f71c195612f8a395abf2f0a', + '0x169ad27a470d064dede56a2d3ff727986b15d52b', + '0x178169b423a011fff22b9e3f3abea13414ddd0f1', + '0x19aa5fe80d33a56d56c78e82ea5e50e5d80b4dff', + '0x1da5821544e25c636c1417ba96ade4cf6d2f9b5a', + '0x22aaa7720ddd5388a3c0a3333430953c68f1849b', + '0x23773e65ed146a459791799d01336db287f25334', + '0x2717c5e28cf931547b621a5dddb772ab6a35b701', + '0x2f389ce8bd8ff92de3402ffce4691d17fc4f6535', + '0x308ed4b7b49797e1a98d3818bff6fe5385410370', + '0x35fb6f6db4fb05e6a4ce86f2c93691425626d4b1', + '0x3cbded43efdaf0fc77b9c55f6fc9988fcc9b757d', + '0x3cffd56b47b7b41c56258d9c7731abadc360e073', + '0x3e37627deaa754090fbfbb8bd226c1ce66d255e9', + '0x4736dcf1b7a3d580672cce6e7c65cd5cc9cfba9d', + '0x47ce0c6ed5b0ce3d3a51fdb1c52dc66a7c3c2936', + '0x48549a34ae37b12f6a30566245176994e17c6b4a', + '0x527653ea119f3e6a1f5bd18fbf4714081d7b31ce', + '0x53b6936513e738f44fb50d2b9476730c0ab3bfc1', + '0x5512d943ed1f7c8a43f3435c85f7ab68b30121b0', + '0x58e8dcc13be9780fc42e8723d8ead4cf46943df2', + '0x610b717796ad172b316836ac95a2ffad065ceab4', + '0x67d40ee1a85bf4a4bb7ffae16de985e8427b6b45', + '0x6acdfba02d390b97ac2b2d42a63e85293bcc160e', + '0x6f1ca141a28907f78ebaa64fb83a9088b02a8352', + '0x722122df12d4e14e13ac3b6895a86e84145b6967', + '0x72a5843cc08275c8171e582972aa4fda8c397b2a', + '0x7db418b5d567a4e0e8c59ad71be1fce48f3e6107', + '0x7f19720a857f834887fc9a7bc0a0fbe7fc7f8102', + '0x7f367cc41522ce07553e823bf3be79a889debe1b', + '0x8576acc5c05d6ce88f4e49bf65bdf0c62f91353c', + 
'0x8589427373d6d84e98730d7795d8f6f8731fda16', + '0x905b63fff465b9ffbf41dea908ceb12478ec7601', + '0x910cbd523d972eb0a6f4cae4618ad62622b39dbf', + '0x94a1b5cdb22c43faab4abeb5c74999895464ddaf', + '0x9ad122c22b14202b4490edaf288fdb3c7cb3ff5e', + '0x9f4cda013e354b8fc285bf4b9a60460cee7f7ea9', + '0xa0e1c89ef1a489c9c7de96311ed5ce5d32c20e4b', + '0xa160cdab225685da1d56aa342ad8841c3b53f291', + '0xa60c772958a3ed56c1f15dd055ba37ac8e523a0d', + '0xa7e5d5a720f06526557c513402f2e6b5fa20b008', + '0xaeaac358560e11f52454d997aaff2c5731b6f8a6', + '0xb1c8094b234dce6e03f10a5b673c1d8c69739a00', + '0xb541fc07bc7619fd4062a54d96268525cbc6ffef', + '0xba214c1c1928a32bffe790263e38b4af9bfcd659', + '0xbb93e510bbcd0b7beb5a853875f9ec60275cf498', + '0xc455f7fd3e0e12afd51fba5c106909934d8a0e4a', + '0xca0840578f57fe71599d29375e16783424023357', + '0xd21be7248e0197ee08e0c20d4a96debdac3d20af', + '0xd4b88df4d29f5cedd6857912842cff3b20c8cfa3', + '0xd691f27f38b395864ea86cfc7253969b409c362d', + '0xd882cfc20f52f2599d84b8e8d58c7fb62cfe344b', + '0xd90e2f925da726b50c4ed8d0fb90ad053324f31b', + '0xd96f2b1c14db8458374d9aca76e26c3d18364307', + '0xdd4c48c0b24039969fc16d1cdf626eab821d3384', + '0xe7aa314c77f4233c18c6cc84384a9247c0cf367b', + '0xf60dd140cff0706bae9cd734ac3ae76ad9ebc32a', + '0xf67721a2d8f736e75a49fdd7fad2e31d8676542a', + '0xf7b31119c2682c88d88d455dbb9d5932c65cf1be', + '0xfd8610d20aa15b7b2e3be39b396a1bc3516c7144', + '0x9d095b9c373207cbc8bec0a03ad789fdc9dec911', + + // address for testing + '0x0143008e904feea7140c831585025bc174eb2f15' +] + +function isSanctioned (address) { + return sanctionedAddresses.includes(address.toLowerCase()) +} + function onTransactionHash (txHash, $element, functionName) { openModalWithMessage($element.find('#pending-contract-write'), true, txHash) const getTxReceipt = (txHash) => { diff --git a/apps/block_scout_web/config/config.exs b/apps/block_scout_web/config/config.exs index c269d8c4c620..f27e795e60dd 100644 --- a/apps/block_scout_web/config/config.exs 
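Review bot: The `// address for testing` entry `0x0143008e904feea7140c831585025bc174eb2f15` ships in the production bundle, so whoever controls that address is blocked from the write-contract feature for real; it should be removed before merge or gated behind a development-only flag rather than kept in the live list. The list itself carries no provenance, and a hard-coded array in client JS goes stale silently — add a header comment such as `// Sanctioned addresses: record the source list and the date it was last synced here; refresh manually when the list changes` (the entries appear to be an OFAC designation list, but confirm and cite the source). As a point of style, `isSanctioned` could do `typeof address === 'string'` before `toLowerCase()` and look up in a `Set` built once from the array, which also makes the intent of lowercase-only entries explicit.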
+++ b/apps/block_scout_web/config/config.exs @@ -66,7 +66,9 @@ config :block_scout_web, max_length_to_show_string_without_trimming: System.get_env("MAX_STRING_LENGTH_WITHOUT_TRIMMING", "2040"), re_captcha_site_key: System.get_env("RE_CAPTCHA_SITE_KEY", nil), re_captcha_api_key: System.get_env("RE_CAPTCHA_API_KEY", nil), - re_captcha_project_id: System.get_env("RE_CAPTCHA_PROJECT_ID", nil) + re_captcha_project_id: System.get_env("RE_CAPTCHA_PROJECT_ID", nil), + chain_id: System.get_env("CHAIN_ID"), + json_rpc: System.get_env("JSON_RPC") api_rate_limit_value = "API_RATE_LIMIT" diff --git a/apps/block_scout_web/lib/block_scout_web/templates/smart_contract/_functions.html.eex b/apps/block_scout_web/lib/block_scout_web/templates/smart_contract/_functions.html.eex index 3ac31c7d78dd..232d8114f974 100644 --- a/apps/block_scout_web/lib/block_scout_web/templates/smart_contract/_functions.html.eex +++ b/apps/block_scout_web/lib/block_scout_web/templates/smart_contract/_functions.html.eex @@ -55,7 +55,7 @@ end %> <%= render BlockScoutWeb.SmartContractView, "_pending_contract_write.html" %> -
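Review bot: `chain_id: System.get_env("CHAIN_ID")` has no default and is read as a raw string, so an unset or mistyped value becomes `nil` or an arbitrary string in the app config and is only noticed later when the frontend compares chain ids. If this `config.exs` is evaluated at compile time rather than in a runtime config file (it looks like the compile-time one, but confirm), the variable must also be present at build time or the release bakes in `nil`. `json_rpc` is added here but nothing in this patch reads it, so either document the consumer in a comment (`# JSON_RPC: consumed by …`) or drop it until it is used.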
" data-type="<%= @contract_type %>" data-url="<%= smart_contract_path(@conn, :show, Address.checksum(@address.hash)) %>" data-contract-address="<%= @address.hash %>" data-contract-abi="<%= @contract_abi %>" data-implementation-abi="<%= @implementation_abi %>" data-chain-id="<%= Explorer.Chain.Cache.NetVersion.get_version() %>"> + " data-type="<%= @contract_type %>" data-url="<%= smart_contract_path(@conn, :show, Address.checksum(@address.hash)) %>" data-contract-address="<%= @address.hash %>" data-contract-abi="<%= @contract_abi %>" data-implementation-abi="<%= @implementation_abi %>" data-chain-id="<%= Application.get_env(:block_scout_web, :chain_id) %>">
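Review bot: Switching `data-chain-id` from `Explorer.Chain.Cache.NetVersion.get_version()` to `Application.get_env(:block_scout_web, :chain_id)` renders an empty attribute whenever `CHAIN_ID` is not set, which would make every wallet look like it is on the wrong chain. A fallback keeps the old behaviour for deployments that have not set the variable: `data-chain-id="<%= Application.get_env(:block_scout_web, :chain_id) || Explorer.Chain.Cache.NetVersion.get_version() %>"`. A short comment in the template explaining why the env value is preferred over the RPC-reported net_version (presumably to fix the comparison referenced in the PR description — confirm) would help the next maintainer.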