diff --git a/third_party/phpcommon b/third_party/phpcommon
index 571b6c46..daad845e 160000
--- a/third_party/phpcommon
+++ b/third_party/phpcommon
@@ -1 +1 @@
-Subproject commit 571b6c46137597d3bede13989e284130a070bea0
+Subproject commit daad845e894ca033c4fdd31c9c6f39e1e4040f02
diff --git a/webapp/controller/BaseAuthedController.class.php b/webapp/controller/BaseAuthedController.class.php
index 97dd4def..e95fa366 100644
--- a/webapp/controller/BaseAuthedController.class.php
+++ b/webapp/controller/BaseAuthedController.class.php
@@ -33,6 +33,18 @@ class BaseAuthedController extends BaseController {
     private $sessionId = '';
     private $mysqlConn = null;
 
+    private function isWhiteList()
+    {
+        $whiteList = array(
+            '0x875835829e95fe87e53a2dfcfd9860a735b70754',
+            '0x11299400d87f24e79af8cb8cc5661792bea45300',
+            '0x898a887fa574dd0297f202d66d5a65787acc1316',
+            '0x9b703a5a094df5b1ba4f3dec15810f7c708e31fa',
+            '0xef59f6cc4d190a0ae576c46d4583e92b61174340'
+        );
+        return in_array(myself()->_getOpenId(), $whiteList);
+    }
+
     public function _handlePre()
     {
         $this->accountId = getReqVal('account_id', '');
@@ -59,6 +71,14 @@ class BaseAuthedController extends BaseController {
                 die();
             }
         }
+        if (SERVER_ENV == _ONLINE) {
+            if (phpcommon\cmpVersion(getReqVal('_version', ''), '0.2.0') > 0) {
+                if (!$this->isWhiteList() || myself()->_getChannel() != BC_CHANNEL) {
+                    phpcommon\sendError(1002, '');
+                    die();
+                }
+            }
+        }
     }
 
     protected function updateSession($accountId, $sessionId)
diff --git a/webapp/controller/BlockChainController.class.php b/webapp/controller/BlockChainController.class.php
index 8eb22252..709e4ffe 100644
--- a/webapp/controller/BlockChainController.class.php
+++ b/webapp/controller/BlockChainController.class.php
@@ -860,6 +860,12 @@ class BlockChainController extends BaseAuthedController {
                     $itemDb['item_uniid'],
                     $itemDb['item_id']
                 );
+                Bag::decItemByUnIid($itemDb['item_uniid'], $num);
+                TransactionPrefee::add($transId, array(
+                    'item_uniid' => $itemDb['item_uniid'],
+                    'item_id' => $itemDb['item_id'],
+                    'item_num' => $num,
+                ));
                 myself()->_rspData(array(
                     'trans_id' => $transId,
                     'params' => $rspObj['params']
@@ -909,6 +915,12 @@ class BlockChainController extends BaseAuthedController {
                     $itemDb['item_uniid'],
                     $itemId
                 );
+                Bag::decItemByUnIid($itemDb['item_uniid'], $num);
+                TransactionPrefee::add($transId, array(
+                    'item_uniid' => $itemDb['item_uniid'],
+                    'item_id' => $itemDb['item_id'],
+                    'item_num' => $num,
+                ));
                 myself()->_rspData(array(
                     'trans_id' => $transId,
                     'params' => $rspObj['params']
diff --git a/webapp/models/TransactionPrefee.php b/webapp/models/TransactionPrefee.php
index ef87a44c..04d9fa0c 100644
--- a/webapp/models/TransactionPrefee.php
+++ b/webapp/models/TransactionPrefee.php
@@ -17,7 +17,7 @@ class TransactionPrefee extends BaseModel
                 'trans_id' => $transId,
                 'target_token_id' => isset($param['token_id']) ? $param['token_id']:0,
                 'target_token_type' => isset($param['token_type']) ? $param['token_type']:0,
-//                'item_uniid' => $transId,
+                'item_uniid' => isset($param['item_uniid']) ? $param['item_uniid'] : 0,
                 'item_id' => $param['item_id'],
                 'item_num' => $param['item_num'],
                 'done' => 0,
@@ -26,4 +26,4 @@ class TransactionPrefee extends BaseModel
             )
         );
     }
-}
\ No newline at end of file
+}