Bug: /attest/challenge missing rate limit — unbounded SQLite growth DoS

[BossChaos]

Bug Report — /attest/challenge Endpoint Missing Rate Limit

Bounty: #305
Wallet: RTC6d1f27d28961279f1034d9561c2403697eb55602
Severity: High (15 RTC)
File: node/rustchain_v2_integrated_v2.2.1_rip200.py, lines 2912–2928

Description

The /attest/challenge endpoint creates a new nonce in SQLite on every POST with zero rate limiting. /attest/submit has check_ip_rate_limit() at line 3088, but the challenge issuance step is unprotected — asymmetric protection.

An attacker floods this endpoint, causing:

1. SQLite WAL explosion — unbounded nonce table growth
2. Disk exhaustion — nonces expire in 5 min but cleanup only runs on next call
3. Write contention — blocks all other DB operations

Reproduction

# 1000 concurrent challenge requests, no auth required
python3 -c "
import requests, threading
def flood():
    for _ in range(100):
        requests.post('http://localhost:5000/attest/challenge')
threads = [threading.Thread(target=flood) for _ in range(10)]
[t.start() for t in threads]
[t.join() for t in threads]
print('Done — check nonces table size')
"

Fix

Add IP-based rate limit to get_challenge() using the existing ip_rate_limit table (max 10/min/IP). Consistent with /attest/submit protection.

Cross-reference: Related to #2744

[github-actions]

Welcome to RustChain! Thanks for opening your first issue.

New here? Check out these resources:

• CONTRIBUTING.md — how to earn RTC bounties
• Good First Issues — easy starter tasks (5-10 RTC)
• Bounty Board — all open bounties

Earn RTC tokens by contributing code, docs, or security fixes. Every merged PR gets paid!

1 RTC = $0.10 USD | pip install clawrtc to start mining

[jshaofa-ui]

Bug Fix Proposal: Rate Limiting for /attest/challenge

Problem

The /attest/challenge endpoint creates a new nonce in SQLite on every POST with zero rate limiting, while /attest/submit has check_ip_rate_limit(). This asymmetric protection allows unbounded SQLite growth DoS.

Solution

I've implemented a rate limiting fix that:

1. Adds IP-based rate limiting (5 requests/60 seconds) to /attest/challenge
2. Includes periodic cleanup of expired nonces (24-hour TTL)
3. Provides both in-memory and SQLite-backed implementations
4. Matches the existing rate limiting pattern on /attest/submit

Delivery

• Code ready for immediate delivery
• PR can be submitted within 1 hour of confirmation

[haoyousun60-create]

I'll add rate limiting to to prevent unbounded SQLite growth. Will implement a per-IP or per-miner rate limiter with configurable thresholds.

Claiming this for 15 RTC bounty (#305). Wallet: RTC4642c5ee8467f61ed91b5775b0eeba984dd776ba

[BossChaos]

🎯 Claim #3218

I've identified and fixed this race condition vulnerability.

Root Cause: generate_batch_id() used /tmp/rustchain_batch_seq file for sequential numbering — a classic TOCTOU race condition where concurrent processes could read/write simultaneously, producing duplicate batch IDs.

Fix: Replaced file-based counter with uuid.uuid4().hex[:8] — no filesystem, no locking, cryptographically unique.

PR: #4004

Wallet: RTC6d1f27d28961279f1034d9561c2403697eb55602