From 6ec5fe5c618125f4d00e3f4cd8a5dc2bbddf1dc4 Mon Sep 17 00:00:00 2001
From: Wei-Ning Huang <w@cobinhood.com>
Date: Thu, 11 Oct 2018 14:05:09 +0800
Subject: core: vm: check pk ownership in stake()

---
 core/vm/governance.go | 13 ++++++++++++-
 1 file changed, 12 insertions(+), 1 deletion(-)

(limited to 'core')

diff --git a/core/vm/governance.go b/core/vm/governance.go
index e4c3b31e3..b78d1bf94 100644
--- a/core/vm/governance.go
+++ b/core/vm/governance.go
@@ -1182,7 +1182,18 @@ func (g *GovernanceContract) stake(publicKey []byte) ([]byte, error) {
 		return nil, errExecutionReverted
 	}
 
-	// TODO(w): check of pk belongs to the address.
+	pk, err := crypto.DecompressPubkey(publicKey)
+	if err != nil {
+		g.penalize()
+		return nil, errExecutionReverted
+	}
+
+	// Make sure the public key belongs to the caller.
+	if crypto.PubkeyToAddress(*pk) != caller {
+		g.penalize()
+		return nil, errExecutionReverted
+	}
+
 	offset = g.state.nodesLength()
 	g.state.pushNode(&nodeInfo{
 		owner:     caller,
-- 
cgit