security: cross-chain airdrop eligibility uses hardcoded mock balances

[createkr]

Cross-chain airdrop chain adapters return hardcoded mock balances — eligibility checks bypassed

Summary

The SolanaAdapter and BaseAdapter in cross-chain-airdrop/src/chain_adapter.rs return hardcoded constant values from get_balance() and get_wallet_age(), ignoring the wallet address parameter entirely. This means every wallet that passes address format validation is treated as having sufficient balance and age to be eligible for an airdrop claim.

The code contains commented-out RPC call skeletons but the live implementations are:

// SolanaAdapter
async fn get_balance(&self, _address: &str) -> Result<u64> {
    Ok(200_000_000) // 0.2 SOL mock — always passes 0.1 SOL minimum
}
async fn get_wallet_age(&self, _address: &str) -> Result<u64> {
    Ok(10 * 24 * 60 * 60) // 10 days mock — always passes 7-day minimum
}

// BaseAdapter
async fn get_balance(&self, _address: &str) -> Result<u64> {
    Ok(20_000_000_000_000_000) // 0.02 ETH mock — always passes 0.01 ETH minimum
}
async fn get_wallet_age(&self, _address: &str) -> Result<u64> {
    Ok(14 * 24 * 60 * 60) // 14 days mock — always passes 7-day minimum
}

Affected Code

• File: cross-chain-airdrop/src/chain_adapter.rs
• Methods: SolanaAdapter::get_balance(), SolanaAdapter::get_wallet_age(), BaseAdapter::get_balance(), BaseAdapter::get_wallet_age()
• Call path: ChainAdapter::verify_wallet() → get_balance() + get_wallet_age() → WalletVerification { meets_minimum_balance: true, meets_age_requirement: true }

Impact

Any syntactically valid wallet address (passing validate_address()) is treated as eligible regardless of actual on-chain balance or age. The VerificationPipeline::check_eligibility() and process_claim() flows will report any wallet as meeting balance and age requirements.

The Python server implementation (node/airdrop_v2.py) makes real RPC calls and is not affected by this specific issue. However, the Rust crate is independently usable as both a library and CLI (airdrop-cli), and its verification is entirely mocked.

Reproduction

1. Run cargo run -- verify-address --chain solana --address 7xKXtg2CW87d97TXJSDpbD5jBkheTqA83TZRuJosgAsU
2. Observe: "Balance: 0.200000000 SOL", "Wallet age: 10 days", "Meets minimum balance: true"
3. Run with any other valid Solana address — same result
4. Run with any valid Base address (e.g. 0x1234567890123456789012345678901234567890) — same result: "Balance: 0.020000000000000000 ETH", "Wallet age: 14 days"

No actual RPC calls are made. The balance and age values are hardcoded constants.

Distinction from Dedup-on-Restart Issue

This is a separate vulnerability from the previously addressed dedup-on-restart issue (ClaimStore persistence). That issue was about duplicate prevention state being lost after restart. This issue is about eligibility verification being entirely fake — the wallet balance and age checks never execute against real chain data. They are orthogonal: one defeats deduplication, the other defeats eligibility verification.

Fix

Replace the hardcoded mock returns with actual JSON-RPC calls using the existing reqwest dependency (already in Cargo.toml):

• Solana balance: POST to RPC URL with {"method": "getBalance", "params": [address]}, parse result.value
• Base balance: POST to RPC URL with {"method": "eth_getBalance", "params": [address, "latest"]}, parse hex result
• Wallet age: Return 0 as a conservative default (age determination requires historical transaction data via getSignaturesForAddress / Basescan, which is significantly more complex). This means wallets fail the age gate unless the policy level disables it — safer than returning a mock that always passes.

Files Changed

• cross-chain-airdrop/src/chain_adapter.rs — replaced 4 mock methods with real RPC calls (Solana/Base balance) + conservative age defaults

Tests

• 6 new unit tests using mockito HTTP mocking:
  • test_solana_get_balance_from_rpc — verifies correct parsing of Solana RPC response
  • test_solana_get_balance_zero_on_missing — verifies zero balance on empty account
  • test_solana_get_wallet_age_returns_zero — verifies conservative age default
  • test_base_get_balance_from_rpc — verifies correct parsing of eth_getBalance hex response
  • test_base_get_balance_zero_on_empty — verifies zero balance on empty account
  • test_base_get_wallet_age_returns_zero — verifies conservative age default
• All 49 tests pass with --features sqlite-store (33 unit + 3 CLI + 12 integration + 1 doc-test)
• All 46 tests pass without the feature (backward compatible)

Compatibility

• Behavioral change: Wallets with zero or low balance will now correctly fail eligibility checks (previously all wallets passed). This is the intended behavior.
• Wallet age gate: Now returns 0 (conservative). Wallets will fail the age requirement unless the policy minimum is set to 0. This is safer than the previous mock that always passed.
• No API breakage: All public signatures unchanged. ChainAdapter trait interface identical.
• No new dependencies: Uses existing reqwest (already required for GitHub verification and bridge client).

[createkr]

Fix PR opened: #2128. This patch replaces the hardcoded mock balance checks in the cross-chain airdrop adapters with real JSON-RPC balance lookups and conservative age defaults. Validation in the local working tree: 46 tests passed without sqlite-store and 49 passed with sqlite-store enabled. In a fresh submission clone, the base test suite passed, but the sqlite-store feature test could not run because that feature only exists after the separately submitted dedup-persistence changes are present. Payout wallet: RTC1d48d848a5aa5ecf2c5f01aa5fb64837daaf2f35

[Scottcjn]

Fixed via #2128.