
security: API Auth & Rate Limiting Red Team — 1C/2H/3M/1L — Bounty #57 (#1983)

Merged
Scottcjn merged 1 commit into Scottcjn:main from LaphoqueRC:security/api-auth-57
Mar 29, 2026

Conversation

@LaphoqueRC
Contributor

API Auth Hardening — Bounty #57 (100 RTC)

Findings: 1 Critical, 2 High, 3 Medium, 1 Low

  • C1: Zero authentication on governance + mining endpoints
  • H1: No rate limiting + suppressed logs
  • H2: Wildcard CORS enables cross-origin attacks
  • M1: RPC endpoint exposes all internal methods
  • M2: No input validation on dynamic routes
  • M3: No body size limit (OOM DoS)
  • L1: Exception details leaked to client

Deliverables

  • security/api-auth/report.md — Full report
  • security/api-auth/api_exploit_poc.py — 5 PoCs with local mock server

Closes #57
RTC Wallet: RTC2fe3c33c77666ff76a1cd0999fd4466ee81250ff
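As an added example for this page (not RustChain's node code and not the api_exploit_poc.py script delivered with the PR), the following self-contained Python sketch pairs each finding class in the list above with the defensive check a reviewer would look for: a constant-time bearer-token check on governance and mining paths (C1), a per-client token bucket whose refusals are logged (H1), a CORS origin allowlist instead of a wildcard (H2), an explicit RPC method allowlist (M1), a format check on dynamic route parameters (M2), a body-size cap (M3), and error responses that never echo exception text (L1). Every path, limit, token and the wallet-id pattern is a constructed assumption for illustration, and `now` is injectable so the rate limiter can be exercised deterministically.

```python
"""Defensive API checks, one per finding class in the PR description.

Added example for this page: not RustChain's node code and not the PR's
api_exploit_poc.py. Every path, limit, token and the wallet-id pattern is
a constructed assumption for illustration.
"""
import hashlib
import hmac
import logging
import re
import time
from dataclasses import dataclass
from typing import Dict, Optional, Tuple

log = logging.getLogger("api")

# Constructed configuration (assumptions for the example).
API_TOKEN_SHA256 = hashlib.sha256(b"example-admin-token").hexdigest()
ALLOWED_ORIGINS = {"https://dashboard.example.test"}            # H2: allowlist, no "*"
PROTECTED_PATHS = ("/governance/", "/mining/")                  # C1: auth required
MAX_BODY_BYTES = 64 * 1024                                      # M3: body cap
WALLET_RE = re.compile(r"^RTC[0-9a-f]{40}$")                    # M2: assumed id format
RPC_HANDLERS = {                                                # M1: explicit allowlist
    "get_block": lambda: {"height": 1},
    "get_balance": lambda: {"balance": 0},
}


@dataclass
class Request:
    method: str
    path: str
    headers: Dict[str, str]
    body: bytes = b""
    client_ip: str = "127.0.0.1"
    rpc_method: Optional[str] = None


@dataclass
class TokenBucket:
    """H1: per-client token bucket; `now` is injectable for deterministic tests."""
    capacity: int = 5
    refill_per_sec: float = 1.0
    tokens: float = 5.0
    last: Optional[float] = None

    def allow(self, now: Optional[float] = None) -> bool:
        now = time.monotonic() if now is None else now
        if self.last is None:
            self.last = now
        self.tokens = min(self.capacity, self.tokens + (now - self.last) * self.refill_per_sec)
        self.last = now
        if self.tokens >= 1:
            self.tokens -= 1
            return True
        return False


_buckets: Dict[str, TokenBucket] = {}


def check_auth(req: Request) -> bool:
    """C1: bearer token compared in constant time against a stored digest."""
    auth = req.headers.get("Authorization", "")
    if not auth.startswith("Bearer "):
        return False
    presented = hashlib.sha256(auth[len("Bearer "):].encode()).hexdigest()
    return hmac.compare_digest(presented, API_TOKEN_SHA256)


def check_rate(client_ip: str, now: Optional[float] = None) -> bool:
    """H1: refuse when the client's bucket is empty, and log the refusal."""
    allowed = _buckets.setdefault(client_ip, TokenBucket()).allow(now)
    if not allowed:
        log.warning("rate limit exceeded for %s", client_ip)
    return allowed


def cors_headers(req: Request) -> Dict[str, str]:
    """H2: echo only allowlisted origins instead of a wildcard."""
    origin = req.headers.get("Origin")
    if origin in ALLOWED_ORIGINS:
        return {"Access-Control-Allow-Origin": origin, "Vary": "Origin"}
    return {}


def handle(req: Request, now: Optional[float] = None) -> Tuple[int, Dict[str, str], dict]:
    """Return (status, headers, json body); clients never see exception text (L1)."""
    hdrs = cors_headers(req)
    try:
        if not check_rate(req.client_ip, now):
            return 429, hdrs, {"error": "rate limited"}
        if len(req.body) > MAX_BODY_BYTES:                              # M3
            return 413, hdrs, {"error": "body too large"}
        if req.path.startswith(PROTECTED_PATHS):
            if not check_auth(req):                                     # C1
                return 401, hdrs, {"error": "unauthorized"}
            return 200, hdrs, {"ok": True}
        if req.path == "/rpc":
            handler = RPC_HANDLERS.get(req.rpc_method or "")            # M1
            if handler is None:
                return 404, hdrs, {"error": "unknown method"}
            return 200, hdrs, {"result": handler()}
        m = re.match(r"^/wallet/([^/]+)$", req.path)
        if m:
            if not WALLET_RE.match(m.group(1)):                         # M2
                return 400, hdrs, {"error": "invalid wallet id"}
            return 200, hdrs, {"wallet": m.group(1)}
        return 404, hdrs, {"error": "not found"}
    except Exception:                                                   # L1
        log.exception("unhandled error serving %s", req.path)
        return 500, hdrs, {"error": "internal error"}
```

The rate limiter runs before authentication so that unauthenticated probing of the protected paths is throttled and logged as well; the RPC allowlist is a dictionary of handlers rather than a reflection over internal methods, so a method is reachable only when someone deliberately registers it.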

@github-actions github-actions bot added the labels documentation (Improvements or additions to documentation), BCOS-L1 (Beacon Certified Open Source tier BCOS-L1, required for non-doc PRs) and api (API endpoint related) on Mar 29, 2026
@github-actions

Welcome to RustChain! Thanks for your first pull request.

Before we review, please make sure:

  • Your PR has a BCOS-L1 or BCOS-L2 label
  • New code files include an SPDX license header
  • You've tested your changes against the live node

Bounty tiers: Micro (1-10 RTC) | Standard (20-50) | Major (75-100) | Critical (100-150)

A maintainer will review your PR soon. Thanks for contributing!

@github-actions github-actions bot added the size/L (PR: 201-500 lines) label on Mar 29, 2026
@Scottcjn Scottcjn merged commit a28e4ae into Scottcjn:main Mar 29, 2026
7 of 9 checks passed
@Scottcjn
Owner

Scottcjn commented Apr 2, 2026

Payment confirmed — LaphoqueRC was paid via on-chain RTC transfer as part of a batch settlement. Total paid to date: 2,155 RTC across all contributions. Thank you for the work.
