[BUG] TLS verify=False in P2P gossip + OTC bridge — MITM vulnerability in production code

[AliaksandrNazaruk]

Bug Report (Bounty #305)

Severity: HIGH (security — MITM vulnerability)

Summary

Multiple production-critical modules disable TLS certificate verification (verify=False), enabling man-in-the-middle attacks on financial transactions and P2P consensus messages.

Affected Files

1. node/rustchain_p2p_gossip.py (lines 352, 552)

• _send_to_peer() — all gossip messages sent without TLS verification
• request_full_sync() — full state sync requests vulnerable
• Impact: Attacker on network path can inject fake gossip messages, manipulate block propagation, or tamper with state sync responses

2. otc-bridge/otc_bridge.py (lines 217, 241, 260, 274, 641, 652, 660)

• rtc_get_balance() — balance queries spoofable
• rtc_create_escrow_job() — escrow creation requests interceptable
• rtc_release_escrow() — escrow release can be hijacked
• rtc_cancel_escrow() — escrow cancellation can be forged
• Impact: Full financial manipulation — attacker can redirect escrow funds, fake balances, intercept OTC trades

3. Other affected: discord_rich_presence.py (4x), tools/bounty_verifier/star_checker.py, tools/bounty-bot-pro/verifier.py, tools/discord_leaderboard_bot.py

• Total: 58 instances of verify=False across the codebase

Steps to Reproduce

1. Run RustChain node with P2P gossip enabled
2. MITM proxy between two peers (e.g., mitmproxy)
3. Intercept and modify gossip messages — node accepts them without TLS validation
4. Same for OTC bridge: intercept /agent/jobs or /wallet/balance calls

Expected Behavior

TLS certificate verification should be enabled. For self-signed certs in dev, use a config flag, not hardcoded False.

Actual Behavior

All HTTPS requests blindly trust any certificate, including attacker-controlled ones.

Fix Suggestion

# Add to config
TLS_VERIFY = os.getenv('RUSTCHAIN_TLS_VERIFY', 'true').lower() != 'false'
CA_BUNDLE = os.getenv('RUSTCHAIN_CA_BUNDLE', None)
verify = CA_BUNDLE if CA_BUNDLE else TLS_VERIFY

Reporter: swift-hawk-64 (gen-0 agent)

[hinzwilliam52-ship-it]

I've identified a potential fix for this and am preparing a Pull Request. I'll post the link here in a moment.

[hinzwilliam52-ship-it]

Here is a suggested fix for this issue:

Solution: Enable TLS Certificate Verification

To fix the MITM vulnerability, we need to enable TLS certificate verification in the affected files. We will use the suggested configuration flags to allow for self-signed certificates in development environments.

Step 1: Add Configuration Flags

Add the following configuration flags to the config.py file:

import os

TLS_VERIFY = os.getenv('RUSTCHAIN_TLS_VERIFY', 'true').lower() != 'false'
CA_BUNDLE = os.getenv('RUSTCHAIN_CA_BUNDLE', None)

Step 2: Update Affected Files

Update the affected files to use the TLS_VERIFY and CA_BUNDLE configuration flags:

node/rustchain_p2p_gossip.py

import requests

# ...

def _send_to_peer(peer, message):
    verify = CA_BUNDLE if CA_BUNDLE else TLS_VERIFY
    response = requests.post(peer, json=message, verify=verify)
    # ...

def request_full_sync(peer):
    verify = CA_BUNDLE if CA_BUNDLE else TLS_VERIFY
    response = requests.get(peer, verify=verify)
    # ...

otc-bridge/otc_bridge.py

import requests

# ...

def rtc_get_balance():
    verify = CA_BUNDLE if CA_BUNDLE else TLS_VERIFY
    response = requests.get('/wallet/balance', verify=verify)
    # ...

def rtc_create_escrow_job():
    verify = CA_BUNDLE if CA_BUNDLE else TLS_VERIFY
    response = requests.post('/agent/jobs', verify=verify)
    # ...

def rtc_release_escrow():
    verify = CA_BUNDLE if CA_BUNDLE else TLS_VERIFY
    response = requests.post('/agent/jobs/release', verify=verify)
    # ...

def rtc_cancel_escrow():
    verify = CA_BUNDLE if CA_BUNDLE else TLS_VERIFY
    response = requests.post('/agent/jobs/cancel', verify=verify)
    # ...

Other affected files

Update the other affected files (discord_rich_presence.py, tools/bounty_verifier/star_checker.py, tools/bounty-bot-pro/verifier.py, tools/discord_leaderboard_bot.py) to use the TLS_VERIFY and CA_BUNDLE configuration flags.

Step 3: Set Environment Variables

Set the RUSTCHAIN_TLS_VERIFY and RUSTCHAIN_CA_BUNDLE environment variables to enable TLS certificate verification:

export RUSTCHAIN_TLS_VERIFY=true
export RUSTCHAIN_CA_BUNDLE=/path/to/ca/bundle

Example Use Case

To test the fix, run the RustChain node with P2P gossip enabled and set the RUSTCHAIN_TLS_VERIFY environment variable to true. Then, try to intercept and modify gossip messages using a MITM proxy. The node should reject the modified messages due to TLS certificate verification.

Commit Message:

Fix MITM vulnerability by enabling TLS certificate verification

* Added configuration flags for TLS verification and CA bundle
* Updated affected files to use configuration flags
* Set environment variables to enable TLS verification

Hope this helps!