From 4384a1c0f28d9a6f70a092daf89e5fae582c2353 Mon Sep 17 00:00:00 2001
From: Rhys Bartels-Waller
Date: Mon, 9 Sep 2024 19:32:50 +0100
Subject: [PATCH 1/2] fix: warn if collateral return is not owned by account

It's currently possible for an adversarial DApp to craft a transaction that intentionally consumes collateral, with the return owned by an address it controls. This fix reduces the risk by warning the user, however we cannot block the transaction given the collateral could be provided by another source. Ideally we could block if the return is not being sent to the input supplier, but that would require a costly input resolution, which is not acceptable here.
---
 src/ui/app/pages/signTx.jsx | 23 ++++++++++++++++++++++-
 1 file changed, 22 insertions(+), 1 deletion(-)

diff --git a/src/ui/app/pages/signTx.jsx b/src/ui/app/pages/signTx.jsx
index 4d498100..16bc9eb3 100644
--- a/src/ui/app/pages/signTx.jsx
+++ b/src/ui/app/pages/signTx.jsx
@@ -66,6 +66,7 @@ const SignTx = ({ request, controller }) => {
 const [isLoading, setIsLoading] = React.useState({
 loading: true,
 error: null,
+ warning: null
 });
 const assetsModalRef = React.useRef();
@@ -480,7 +481,17 @@ const SignTx = ({ request, controller }) => {
 }
 const collateralReturn = tx.body().collateral_return();
 // presence of collateral return means "account" collateral can be ignored
- if (collateralReturn) return;
+ if (collateralReturn) {
+ // collateral return usually is paid to account's payment address, however, the DApp
+ // could be providing collateral so blocking the tx is not appropriate.
+ if (collateralReturn.address().to_bech32() !== account.paymentAddr) {
+ setIsLoading((l) => ({
+ ...l,
+ warning: 'Collateral return is being directed to another owner. Ensure you are not providing the collateral input'
+ }));
+ }
+ return;
+ }
 if (!account.collateral) {
 setIsLoading((l) => ({ ...l, error: 'Collateral not set' }));
 return;
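Review bot: The new check in the `if (collateralReturn)` branch compares only the return address, so a transaction that returns collateral to `account.paymentAddr` but with a far smaller value than the collateral inputs carry still passes with no warning, and because the early `return` also skips the `account.collateral` check below, nothing else on this path looks at the amount a failed script would burn. If this CSL version exposes it, reading `const atRisk = tx.body().total_collateral();` and folding that amount into the warning (or showing it whenever a collateral return is present) gives the user something they can actually verify; the current message asks them to judge who supplied the collateral input, which the dialog does not show. Two smaller points: `to_bech32()` string equality will report an enterprise address that carries the account's own payment credential as "another owner", so comparing payment credentials would be more precise if the address classes are in scope here, and if `to_bech32()` can throw for a non-Shelley return address the comparison should be guarded so the dialog degrades to the warning rather than an uncaught error. SignTx continues outside the hunk.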
@@ -740,6 +751,16 @@ const SignTx = ({ request, controller }) => {
 justifyContent="center"
 flexDirection={'column'}
 >
+ {isLoading.warning && (
+ <>
+
+
+ Warning! {isLoading.warning}
+
+
+
+
+ )}
 {isLoading.error && (
 <>

From 00a7a145362467358f7f6b3481633ae5e6ae8695 Mon Sep 17 00:00:00 2001
From: Rhys Bartels-Waller
Date: Wed, 11 Sep 2024 08:37:42 +0100
Subject: [PATCH 2/2] chore: bump to v3.8.3

---
 package.json | 2 +-
 src/manifest.json | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)

diff --git a/package.json b/package.json
index 84006532..2e3ec305 100644
--- a/package.json
+++ b/package.json
@@ -1,6 +1,6 @@
 {
 "name": "nami-wallet",
- "version": "3.8.2",
+ "version": "3.8.3",
 "description": "Maintained by IOG",
 "license": "Apache-2.0",
 "repository": {
diff --git a/src/manifest.json b/src/manifest.json
index 48e3f5d5..81cf6e23 100644
--- a/src/manifest.json
+++ b/src/manifest.json
@@ -1,7 +1,7 @@
 {
 "manifest_version": 3,
 "name": "Nami",
- "version": "3.8.2",
+ "version": "3.8.3",
 "description": "Maintained by IOG",
 "background": { "service_worker": "background.bundle.js" },
 "action": {