TUI - bad accounts list

There should be a list of bad accounts. Users cannot make a transfer to the receiver from the list.

To be discussed:

1. Where can we get a list? Is it updated frequently? Is Clive or a user responsibility to keep it up to date?
2. Should the list be managed by the user (user may remove or add any accounts to the list)? Or maybe there should be two list one manages by application and one manages by user?
3. If a user wants to make a transfer to a receiver from the list, what should happen? It should be impossible, there is only warning?

added Priority::High To Do labels

1. For a quick-win solution we could use this one: https://gitlab.syncad.com/hive/condenser/-/blob/develop/src/app/utils/BadActorList.js?ref_type=heads at compile time. Frequency: per release (fetched at build)

2. Will be solved eventually by using decentralized blacklists (hivemind feature). Although there are some scenarios to consider; blacklisted users list on (con)denser might not be the same that user would want to have blacklisted for financial operations.

3. BadActor list is really bad actors not just people w don't like, so I'm for making it impossible to transfer. When [2] is implemented it could be overridden by user. But there's a security trade-off. Malicious actor using leaked Posting key, could then adjust user defined exception list in a way to add bad actors there, and then trick user to make a transfer. So I think global list managed by Clive shouldn't be possible to override.

assigned to @dan

@agrabowska Let's get someone assigned to this soon. We'll proceed as per gandalf's suggestion and use the badactors list for now as a hardcoded list.

bad accounts list can be overridden if user marks the account as "known", but they will still show as "bad" on the transfer page (similar to way known is shown). Bad text should be displayed in red.

assigned to @agrabowska and unassigned @dan

removed To Do label

added Doing label

assigned to @jziebinski and unassigned @agrabowska

Doubts:

• Should we allow bad accounts to be added to the watched list, or them as working accounts?

I don't think it matters much either way. You can block them if you want.

great, thanks

mentioned in merge request !473 (merged)

removed Doing label

added Review label

Summary and tests:

1. The Bad account list is hardcoded.
2. The user cannot manage the bad account list (add, remove, modify).
3. The bad account list is available in the Configuration/Account management
4. The search on the bad account list works
5. A user can add a bad account to The Known account list

6. A user cannot add a bad account as tracked account

7. A user cannot create an operation to a bad account

Checked:

• transfer
• transfer to/from savings
• power up
• set withdraw routes
• delegate your shares
• proxy

8. A user can create an operation to a bad account if the bad account is the known account, but account is marked as Bad account

Checked:

• transfer
• transfer to/from savings
• power up
• set withdraw routes
• delegate your shares
• proxy

mentioned in issue #283

closed with merge request !473 (merged)

changed milestone to %Release v1.27.5.16

mentioned in merge request !481 (merged)