Commits (2)
  • Max's avatar
    fix an exploit · d3ed1071
    Max authored
    with the way the query works, members mentioned multiple times will only receive the money once (database side), but with the way the cache update works, members will receive the money multiple times (cache side)
    This leads to a discrepancy as users will have more money in cache than in the database, which - more or less - can bypass the has_money() check
  • Jens Reidel's avatar
    Merge branch 'patch-1' into 'v4' · e30aa4f7
    Jens Reidel authored
    fix an exploit
    See merge request !620
......@@ -901,6 +901,7 @@ class Guild(commands.Cog):
if not members:
return await ctx.send(_("You can't distribute money to nobody."))
members = set(members) # removes dupes
# int() rounds down as to not go over the money limit
# we need to update the amount after rounding down too to avoid losing money
for_each = int(amount / len(members))