From 54cae4b57088b5200ef8e9b071ddc0c2c27ebce6 Mon Sep 17 00:00:00 2001
From: TLSM
Date: Fri, 16 Sep 2022 04:43:20 -0400
Subject: [PATCH] Fix shop double-spend exploit.
---
 files/routes/awards.py | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/files/routes/awards.py b/files/routes/awards.py
index 7a6afd139..657410e49 100644
--- a/files/routes/awards.py
+++ b/files/routes/awards.py
@@ -67,10 +67,10 @@ def buy(v, award):
 if request.values.get("mb"):
 if v.procoins < price: return {"error": "Not enough marseybux."}, 400
 if award == "grass": return {"error": "You can't buy the grass award with marseybux."}, 403
- v.procoins -= price
+ v.charge_account('procoins', price)
 else:
 if v.coins < price: return {"error": "Not enough coins."}, 400
- v.coins -= price
+ v.charge_account('coins', price)
 v.coins_spent += price
 if v.coins_spent >= 1000000:
 badge_grant(badge_id=73, user=v)
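Review bot: The result of `v.charge_account(...)` is discarded on both new lines, so the purchase is still gated only by the earlier `if v.procoins < price` / `if v.coins < price` comparisons, which read the balance already loaded on `v`. Whether the double spend is fully closed therefore depends on charge_account, whose definition is not in this patch: if it re-reads and deducts the balance atomically (row lock or conditional UPDATE), it should report an insufficient balance and the caller should stop on it, e.g. `if not v.charge_account('coins', price): return {"error": "Not enough coins."}, 400`, assuming it can return a success flag. The unchanged `v.coins_spent += price` just below is the same in-memory read-modify-write pattern and can lose updates under concurrent requests, which affects the badge threshold check that follows. buy() starts and ends outside the hunk, so how the award grant is tied to the charge in one transaction could not be checked here.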