[MEDIUM] — `parseAcceptedAssets` silently drops malformed entries instead of rejecting the create/update request

[Alqku]

Severity: Medium
Type: Bug
Scope: Campaigns
Labels: bug, good first issue

Description

parseAcceptedAssets (src/campaigns/campaigns.service.ts, lines ~451–470) splits accepted asset strings on : and constructs { assetType: 'credit', code, issuer } only when both code and issuer are present. For inputs like "XLM:", "USDC:", or empty strings, parseAcceptedAssets returns null and the entry is .filter(Boolean)-dropped. If every entry is malformed, the function returns an empty array; the surrounding createCampaign logic then leaves Campaign.acceptedAssets unset, which downstream code treats as "native XLM only" (coerceAcceptedAssets in donations.service.ts).

A creator who types USDC:G...issuer... is fine, but USDC: (typo), USDC (missing issuer), XLM:badissuer (empty issuer) silently produce incorrect acceptance lists with no validation error.

Recommendation

• In the CreateCampaignDto, use a @ValidateNested class with @IsString on both code and issuer, throwing BadRequestException for malformed inputs.
• Validate at the service boundary too: if any input has a colon and the right-hand side is empty (or vice versa), return 400.
• Cover with unit tests for the malformed-input matrix.

---

[ZuLu0890]

I would love work on this issue

[Chigybillionz]

Hello maintainer!!!!! Please 🙏

I would like to work on this issue.

Experience:
I have experience with NestJS, TypeScript, Prisma, DTO validation, class-validator, and API input sanitization. I have worked on enforcing strict validation rules to prevent malformed user input from causing inconsistent application behavior.

Implementation:
I will strengthen accepted asset validation by introducing DTO-level validation for asset code and issuer fields, add service-layer safeguards that return clear "BadRequestException" responses for malformed asset formats, and create comprehensive unit tests covering malformed inputs such as "USDC:", "USDC", ":issuer", "XLM:badissuer", and empty values. This will ensure invalid asset configurations are rejected rather than silently falling back to unintended defaults.

Delivery:
I can complete the implementation, testing, and submit a clean PR within 3–5 hours, ensuring accepted asset handling is robust, secure, and predictable.

GitHub:
https://github.com/chigybillionz

[CodeMayor]

This silently drops malformed asset entries, leaving creators confused when their USDC: typo gets treated as "XLM only." Adding proper validation with clear error messages catches the mistake upfront instead of producing incorrect campaign behavior downstream. ETA: 1–2 days.

[AnnieIj]

I would love to work on this issue. i promise to do my very best, Thanks

[grantfox-oss]

🦊 GrantFox — @CodeMayor has been assigned to this issue as part of the Official Campaign campaign!

Next steps:

1. Open a Pull Request referencing this issue (e.g., Closes #9)
2. Your PR will be reviewed by the OrbitChainLabs maintainers

Good luck! Track your progress on GrantFox.