The current copy that says only "unbooted" stars can be swapped is not correct, the contract and current UI both allow swapping of any star that has not spawned any planets.

Describe the bug
A clear and concise description of what the bug is.

To Reproduce
Steps to reproduce the behavior:

1. Go to '...'
2. Click on '....'
3. Scroll down to '....'
4. See error

Expected behavior
A clear and concise description of what you expected to happen.

Screenshots
If applicable, add screenshots to help explain your problem.

Desktop (please complete the following information):

• OS: [e.g. iOS]
• Browser [e.g. chrome, safari]
• Version [e.g. 22]

Smartphone (please complete the following information):

• Device: [e.g. iPhone6]
• OS: [e.g. iOS8.1]
• Browser [e.g. stock browser, safari]
• Version [e.g. 22]

Additional context
Add any other context about the problem here.

Hitting this error when swapping star -> WSTR

I'm not 100% sure this is happening, but it doesn't seem like my gas selection makes it into the Metamask stage. This seems to cause the tx to hang.

Getting the following error when connecting to metamask on localhost

Error: Returned values aren't valid, did it run Out of Gas? You might also see this error if you are not using the correct ABI for the contract you are retrieving data from, requesting data from a block number that does not exist, or querying a node which is not fully synced.

I can't seem to interact with the dropdown?

I'm running on:
Chrome Version 95.0.4638.69 (Official Build) (x86_64)
macOS Big Sur 11.5.2

Hello, I wanted to convert my nft urbit ID: Star into a token but the transaction was pending, I checked etherscan and there were others pending before mine. This is the wallet that sends and receives the urbit 0x3E1efDa147EC9309e1e47782EcaFeDe1d04b45E5, it has pending transactions for days. and this contract 0x33EeCbf908478C10614626A9D304bfe18B78DD73, which is the one that is interacted with to convert the urbit into a token, also has pending transactions days ago, a person interacted with that contract by setting the gwei to 3 so the transaction does not happen. This is the transaction https://etherscan.io/tx/0xd006c7f59e4d75f8e31abfa08ba7ecca825d69e516bb536df518a607deb9022f. Is there any way to solve this problem? I can't do anything with my wallet because I have those pending transactions and I understand that if that person's transaction doesn't pass, I can't do anything with mine.

I got kind of confused here that "Ticket" was first and "Ship" was second. Also feel like "Ticket" and "Passphrase" should use like input type=password

Describe the bug
I'm trying to swap 2 wstr for 2 stars, i am being quoted 0.57 ETH as the gas fee. I'm using metamask.

To Reproduce
Steps to reproduce the behavior:

1. have wstr
2. go to star.market
3. attempt to swap wstr for stars
4. see error

Expected behavior
It does not cost $1,200 USD to swap wstr for stars

Screenshots
If applicable, add screenshots to help explain your problem.

Desktop (please complete the following information):

• OS: macos
• Browser: chrome
• Version:

Additional context

Describe the bug
A clear and concise description of what the bug is.

To Reproduce
Steps to reproduce the behavior:

1. Go to 'star.market'
2. Click on '101' bubble in orange
3. iPhone 12 max on safari, vertical
4. See error

Expected behavior
A clear and concise description of what you expected to happen.

See the info in the bubble

Screenshots
If applicable, add screenshots to help explain your problem.

Desktop (please complete the following information):

• OS: iOS
• Browser safari
• Version [e.g. 22]

Smartphone (please complete the following information):

• Device: iPhone 12 Pro Max
• OS: latest

Additional context
Add any other context about the problem here.

https://github.com/urbit/starketplace/blob/1d9e15f78af6dc5c5735b04c3fb2baeaf04b3d92/src/components/About.tsx#L40

Describe the bug
Go to coingecko wstr page, the chart is incorrect, can you fix

The data is correct on dextools

This repo contains a Dune API key.

The Dune API is rate limited like so:

In other words, if you send more than 40 requests using the free API key in this repo, that API will lose access to Dune (as long as you keep sending additional requests.

You can do so by just spamming curl in a loop.

DUNE_API=https://api.dune.com/api/v1/query/2627114/results\?api_key\=tXnalqkWqtOve5b0kOG6dfUNfbQQaJuL
while true; do 
  curl $DUNE_API
done

With exactly the result you'd expect:

{"execution_id":"01HGCBHFDN446HP5MZM3BSS51C","query_id":2627114,"state":"QUERY_STATE_COMPLETED","submitted_at":"2023-11-29T01:36:49.590545Z"
...[one minute later]...
{"error":"too many requests"}
{"error":"too many requests"}
^C%
➜  star.market git:(master)

Sorry to check this using the live site. I happen to know from experience that, after exceeding your access limit, Dune restores API access within a minute or so, so there was nothing to fear. Nevertheless, in retrospect I should've ran star.market locally using my own free Dune API key.

Anyway, the rate limit was also reflected on star.market's live Metrics Bar component:

Everything remains at zero. Within a minute, of course, everything was restored to working order (still, again, apologies for inconsiderately testing this on the live site!).

How to fix

First, you might not even care to fix this. Like I said, it's really very insignificant. If you're okay with the risk of someone DoSing the metrics bar you can just toss this in the "not going to fix" bin.

If you do want to fix it? The wrong solution would be to focus on simply removing the API key from this codebase, but then adding it back in during build/deployment. Why is this bad? Because this code runs on the frontend. If you add the API key to the frontend code, the attacker could just open their requests tab and see the API key parameter passed to Dune.

Okay, so what if you performed the API call on the backend, and then loaded that into the page?

This would prevent the user from seeing the API key, but it would not prevent the DoS attack. The user could just load star.market over 40 times per minute, which would then launch the same number of requests to the Dune API on the backend, thus exceeding the rate limit and leading to the Metrics Bar showing all zero for anyone who visits the site.

To solve this, the backend would have to run a script that makes a request to Dune every few seconds (with the free API, a maximum of every 1.5 seconds, but you could do even less if you wanted) and saves this information in a cache. The backend would then access that cache and feed the data to the Metrics Bar via server-side rendering.

Sounds like a lot of work, but since this project already uses React, SSR is pretty simple using something like Nextjs. Or if you don't want to do all of that, you could just setup an API to query this cache, and access that API via the Metrics Bar.

Or you could just not fix it. Nevertheless, wanted to make you aware of the issue. I hope this was helpful!

PS: Sorry to report this via a public issue instead of via DM or email. However, given the harmlessness, I figured a regular ole issue would suffice.

If I overstepped, please do let me know and I'll be more cautious with future reports. Also, out of curiosity, what is the correct way to report vulnerabilities in this repo, should someone find something more serious in the future?

When attempting to swap a star held in a Metamask wallet, the user is blocked from disconnecting the wallet -- clearing cache does not help. The user is additionally blocked from choosing which Metamask address to use -- it is automatically connected to the last wallet without any way to unbind and select a new one.

Expected behavior
The user should be able to change Metamask wallets, even once connected.

cc @crrncllns

The Gas Estimation API used in Star Market has been deprecated:

https://twitter.com/ETHGasStation/status/1597341610777317376

Here's where it's used in the application:

https://github.com/urbit/star.market/blob/master/src/App.tsx#L57

Bridge had a similar issue, I resolved it in this PR:

urbit/bridge#1084