carauction-network
This is an interactive, distributed, car auction demo, backed by Hyperledger Fabric. Invite participants to join your distributed auction, list assets for sale (setting a reserve price), and watch as assets that have met their reserve price are automatically transferred to the highest bidder at the end of the auction.
The easiest way to interact with the demo is using our work-in-progress Hyperledger Composer web application. Hyperledger Composer allows you to define a business network (defining the data model and writing transaction processing logic), manage assets & participants and submit transactions.
The data model for the auction business network is defined in a CTO model file, managed in GitHub here.
The data model is very simple (less than 50 lines). It defines the structure of the assets, participants and transactions for a very simple auction.
The business logic is defined in a single JavaScript file here. The logic consists of two JavaScript functions that are automatically invoked by the Hyperledger Composer runtime chaincode when transactions are submitted for processing.
The makeOffer function is called when an Offer transaction is submitted. The logic simply checks that the listing for the offer is still for sale, adds the offer to the listing, and then updates the listing in the VehicleListing asset registry.
The closeBidding function is called when a CloseBidding transaction is submitted for processing. The logic checks that the listing is still for sale, sorts the offers by bid price, and then, if the reserve has been met, transfers the ownership of the vehicle associated with the listing to the highest bidder. Money is transferred from the buyer's account to the seller's account, and then all the modified assets are updated in their respective registries.
Access control for the business network is defined here.
Note that if you git clone the repository for the Business Network you can run the unit tests for the logic in the business network using the Hyperledger Composer embedded runtime, which simulates a Hyperledger Fabric using a pure JavaScript runtime. Simply run:
cd packages/carAuction-network
npm install
npm test
The unit test here simulates an entire auction and checks that the business logic functions as expected.
You can connect to Hyperledger Composer here. If you have used Hyperledger Composer before you may need to clear your cached browser data.
Hyperledger Composer currently only supports the web profile.
After you are connected make sure that Hyperledger Composer is communicating with the 'hyperledger' connection profile by clicking the network dropdown at the top-right of the menu. The web profile allows you to test in isolation using a simulated Hyperledger, storing the ledger in browser local storage. The 'bluemix' connection profile is to a version of Hyperledger Composer deployed to bluemix.
Before you can hold an auction you need to create and invite some participants to your business network and have something to sell!
Switch to the Test tab, then click on the User participant registry, then click on the Create Participant button to create a new instance of a user.
The JSON representation of the User should be:
{
"$class": "org.acme.vehicle.auction.User",
"email": "a.participant@example.com",
"firstName": "Daniel",
"lastName": "Selman",
"balance": 10000
}
Substitute a.participant@example.com with your email address. Congratulations, you are now a participant in this business network!
Hyperledger Composer does not yet support issuing and managing Hyperledger Fabric identities.
You now need to issue an identity card for this participant. Click the green ID card icon to the right of your participant. Enter a user id, for example a.participant, and select the "Identity can be used to issue other identities?" checkbox so that this user has permission to invite other users into the business network.
You can switch between identities using the menu option at the top right of the screen.
Now that you are a participant in the business network and have been issued an identity card you can own assets and take part in an auction.
First, let's create a vehicle for auction.
Click on the Vehicle asset registry, and then click on the Create Asset button to create a new instance of a vehicle that can be auctioned.
The JSON representation of the Vehicle should be:
{
"$class": "org.acme.vehicle.auction.Vehicle",
"vin": "CAR_001",
"owner": "a.owner@example.com"
}
Substitute a.owner@example.com for the id of the participant you created above. Congratulations, you are now the owner of the vehicle CAR_001!
The VehicleListing asset is used to list vehicles that are available for auction.
Click on the VehicleListing asset registry, and then click on the Create Asset icon to create a new instance of a vehicle listing.
The JSON representation of the VehicleListing should be:
{
"$class": "org.acme.vehicle.auction.VehicleListing",
"listingId": "LISTING_001",
"reservePrice": 4000,
"description": "Ford Mustang",
"state": "FOR_SALE",
"vehicle": "CAR_001"
}
Congratulations, you've just listed your Ford Mustang for auction, with a reserve price of $4000!
Hyperledger Composer does not yet support inviting participants via a URL
An auction with one person is not much fun, so you need to either invite people to use Hyperledger Composer to create their own participants and identities, or do it for them. To make it easy for participants you have created to join the business network (auction), a personalised URL is generated when an identity is issued; send it to the participant and they can join the business network in a single click.
You can send this text via email or Slack to give people an easy mechanism to launch Hyperledger Composer and join your business network.
As soon as a VehicleListing has been created (and is in the FOR_SALE state) participants can submit Offer transactions to bid on a vehicle listing.
Click on the Submit Transaction button to submit a new transaction for processing by the business network.
The JSON payload should be:
{
"$class": "org.acme.vehicle.auction.Offer",
"bidPrice": 250.00,
"listing": "LISTING_001",
"user": "a.bidder@example.com"
}
Substitute the id of the participant submitting the transaction for a.bidder@example.com and set the bid price as high as you'd like to bid. Remember the vehicle will only be sold if the reserve price is met, and it will go to the highest bidder!
The Offer transaction is processed by the makeOffer function described above.
To end the auction someone has to submit a CloseBidding transaction for the listing.
Click on the Submit Transaction button to submit a new transaction for processing by the business network.
The JSON payload should be:
{
"$class": "org.acme.vehicle.auction.CloseBidding",
"listing": "LISTING_001"
}
This simply indicates that the auction for LISTING_001 is now closed, triggering the closeBidding function that was described above.
To see if the Vehicle was sold you need to click on the Vehicle asset registry and then check the owner of CAR_001. If the reserve price was met you should see that the owner of the vehicle has been modified.
If you check the state of the VehicleListing it should be either SOLD or RESERVE_NOT_MET.
If you click on the User participant registry you can check the balance of each User. You should see that the balance of the buyer has been debited by the amount they bid, whilst the balance of the seller has been credited.
Not yet supported in Hyperledger Composer
You can inspect the blocks and transactions created by Hyperledger during the course of the auction using the Hyperledger Explorer. Details TBD.
To reset the auction you need to edit the VehicleListing to reset its state to FOR_SALE. Simply click on the VehicleListing registry and then click the pencil icon to update the VehicleListing back to its original state.
The JSON representation of the VehicleListing should be:
{
"$class": "org.acme.vehicle.auction.VehicleListing",
"listingId": "LISTING_001",
"reservePrice": 4000,
"description": "Ford Mustang",
"state": "FOR_SALE",
"vehicle": "CAR_001"
}
FAQs
Car Auction Business Network
The npm package carauction-network receives a total of 22 weekly downloads. As such, carauction-network popularity was classified as not popular.
We found that carauction-network demonstrated an unhealthy version release cadence and project activity because the last version was released a year ago. It has 3 open source maintainers collaborating on the project.