permaweb · charmful0x · Mar 12, 2026 · Mar 12, 2026 · Mar 14, 2026 · Mar 16, 2026
diff --git a/src/dev_token.erl b/src/dev_token.erl
@@ -94,7 +94,7 @@ balance(Base, Req, Opts) ->
             hb_ao:set(Req, <<"subject">>, Account, Opts),
             Opts
         ),
-    Balances =
+    Balance =
         hb_ao:resolve_many(
             [
                 NormBase,
@@ -107,11 +107,15 @@ balance(Base, Req, Opts) ->
         debug_token,
         {balance_after_mint_normalization,
             {account, Account},
-            {balances, Balances}
+            {balance, Balance}
         },
         Opts
     ),
-    {ok, Balances}.
+    case Balance of
+        {ok, Balance} -> {ok, Balance};
+        {error, not_found} -> {ok, 0};
+        {error, Reason} -> {error, Reason}
+    end.
 
 transfer(Base, Assignment, Opts) ->
     maybe
@@ -144,8 +148,9 @@ transfer(Base, Assignment, Opts) ->
             Opts
         ),
         % Sanity check the transfer request.
-        true ?= (is_integer(SenderBalance) and is_integer(RecipientBalance))
-            orelse {error, <<"Invalid balance types.">>},
+        true ?= (is_integer(SenderBalance) and is_integer(RecipientBalance)
+                and (SenderBalance >= 0) and (RecipientBalance >= 0))
+            orelse {error, <<"Invalid balance values.">>},
         true ?= (is_integer(Quantity) and (Quantity >= 0))
             orelse {error, <<"Quantity must be a non-negative integer.">>},
         true ?= (SenderBalance >= Quantity) 
@@ -185,7 +190,7 @@ transfer(Base, Assignment, Opts) ->
                 },
                 Opts
             ),
-            {ok, send_error(Base, Assignment, Reason, Opts)}
+            send_error(Base, Assignment, Reason, Opts)
     end.
 
 transfer_notices(From, Recipient, Quantity, Req, Opts) ->
@@ -227,14 +232,15 @@ normalize_mint(Base, Assignment, Opts) ->
 is_supported_mint_action(Action) ->
     lists:member(Action, ?MINT_ACTIONS).
 
-%% @doc Verify if the action is a supported path on the mint device interdface,
-%% and if so, switch to the mint device and run it.
+%% @doc Verify if the action is a supported path on the mint device interface,
+%% and if so, switch to the mint device and run it. Unsupported actions fall through
+%% send_error/4 codepath.
 action_as_mint_device(Action, Base, Req, Opts) ->
     case is_supported_mint_action(Action) of
         true -> as_mint_device(Action, Base, Req, Opts);
         false ->
             ?event(error, {unsupported_token_action, Action}, Opts),
-            {ok, Base}
+            send_error(Base, Req, <<"unsupported action: " /binary, Action>>, Opts)
     end.
 
 %% @doc Run a given `path' on the mint device.
@@ -285,36 +291,50 @@ enforce_set_authority(Base, Req, Opts) ->
 
 %%% Helper functions.
 
-%% @doc Validate address format for security
+%% @doc Validate address format for security. the validation
+%% allows binary addresses up to 128 bytes and prevent invalid
+%% addresses such as dev_trie reserved keys.
 validate_address(Address) when is_binary(Address) ->
     case byte_size(Address) of
         0 -> {error, <<"Recipient address cannot be empty.">>};
+        N when N > 128 -> {error, <<"Recipient address is too long.">>};
         _ ->
-            % Check for path separators (security: prevent path traversal)
-            case binary:match(Address, [<<"/">>, <<"\\">>]) of
-                nomatch -> true; 
-                _ -> 
-                    {
-                        error, 
-                        <<"Recipient address cannot contain path separators.">>
-                    }
+            maybe
+                true ?= (not dev_trie:is_reserved_key(Address))
+                    orelse {error, <<"Recipient address uses a reserved internal key.">>},
+                % Check for path separators (security: prevent path traversal)
+                case binary:match(Address, [<<"/">>, <<"\\">>]) of
+                    nomatch -> true;
+                    _ -> {error, <<"Recipient address cannot contain path separators.">>}
+                end
             end
     end;
 validate_address(_) ->
     {error, <<"Recipient address must be a binary.">>}.
 
+send_error(Base, Assignment, Reason, Opts) when is_atom(Reason) ->
+    send_error(Base, Assignment, atom_to_binary(Reason), Opts);
+send_error(Base, Assignment, Reason, Opts) when not is_binary(Reason) ->
+    send_error(
+        Base,
+        Assignment,
+        iolist_to_binary(io_lib:format("~0p", [Reason])),
+        Opts
+    );
 send_error(Base, Assignment, Reason, Opts) when is_binary(Reason) ->
     case hb_ao:resolve(Assignment, <<"body/from">>, Opts) of
         {error, Error} ->
             ?event(token_short, {skipping_error_report, Error}, Opts),
             {ok, Base};
         {ok, Target} ->
-            dev_process_outbox:send(
-                #{
-                    <<"target">> => Target,       
-                    <<"reason">> => Reason
-                },
-                Base,
-                Opts
-            )
+            {ok,
+                dev_process_outbox:send(
+                    #{
+                        <<"target">> => Target,       
+                        <<"reason">> => Reason
+                    },
+                    Base,
+                    Opts
+                )
+            }
     end.
diff --git a/src/dev_trie.erl b/src/dev_trie.erl
@@ -15,6 +15,7 @@
 %%% 4 children!)
 -module(dev_trie).
 -export([info/0, keys/2, set/3, get/3, get/4]).
+-export([reserved_keys/0, is_reserved_key/1]).
 -include_lib("eunit/include/eunit.hrl").
 -include("include/hb.hrl").
 
@@ -304,6 +305,17 @@ edges(TrieNode, Opts) ->
         Opts
     ),
     hb_maps:keys(Filtered).
+%% @doc Returns a list of the modules's edge labels for trie node.
+reserved_keys() ->
+    [   <<"node-value">>,
+        <<"device">>,
+        <<"commitments">>,
+        <<"priv">>,
+        <<"hashpath">>
+    ].
+%% @doc Checks if the passed Key is a reserved dev_trie trie node label.
+is_reserved_key(Key) ->
+    lists:member(Key, reserved_keys()).
 
 %% @doc Compute the longest common binary prefix of A and B, comparing chunks of
 %% N bits.