diff --git a/Action.js b/Action.js
index f5399e2..f78ff69 100644
--- a/Action.js
+++ b/Action.js
@@ -126,6 +126,7 @@ DAD._initTypeDict = function(typedActionDict) {
 DAD.build = async function (action, keypair) { // Applicable on client. 客户端调用 Action.build，即可新建、并打包成一个完整的子事务，不需要亲自调用 constructor, packMe 等方法。 
   if (action && action.type && keypair && keypair.seckey && keypair.pubkey) {
     let typedAction = new wo[action.type](action)
+    typedAction.actorPubkey = keypair.pubkey
     if (typedAction.validateMe()) {
       await typedAction.packMe(keypair)
       return typedAction
diff --git a/ActionTransfer.js b/ActionTransfer.js
index 47248ff..1b32121 100644
--- a/ActionTransfer.js
+++ b/ActionTransfer.js
@@ -1,4 +1,5 @@
 const Action = require('./Action.js')
+const ticCrypto = require('tic.crypto')
 
 const DAD = module.exports = function ActionTransfer (prop) {
   this._class = this.constructor.name
@@ -12,8 +13,10 @@ MOM.__proto__ = Action.prototype
 
 MOM.validateMe = function () {
   // if (sender && sender.type !== 'multisig' && action.toAddress != action.actorAddress && sender.balance >= action.amount + action.fee){
-  return this.actorAddress && this.toAddress && this.toAddress != this.actorAddress 
-    && this.amount && this.amount > 0 && (this.fee >= wo.Config.MIN_FEE_ActionTransfer || 0)
+  return this.actorAddress && this.actorPubkey && ticCrypto.pubkey2address(this.actorPubkey)=== this.actorAddress // 必须检查发起人地址和公钥是匹配的，否则客户端能够造假
+    && this.toAddress && this.toAddress != this.actorAddress 
+    && this.amount && this.amount > 0 && (this.fee >= 0)
+   
 }
 
 MOM.executableMe = async function() {