
VULNERABILITY REPORT: Blockchain RPC Proxy Security

Report ID: SAGA-SEC-001 Severity: HIGH Status: ✅ FIXED Date: 2025-10-03 Auditor: Security Auditor (TDD Methodology)

EXECUTIVE SUMMARY

A high-severity vulnerability was found in the Blockchain RPC Proxy endpoint: it allowed unauthorized access to blockchain data, DoS attacks, and information disclosure.

VULNERABILITY DETAILS

Attack Vector: Unauthorized Blockchain Access

Endpoint: /api/blockchain/rpc Method: POST Authentication: ❌ NONE (before fix)

Discovered Issues:

  1. ❌ NO AUTHENTICATION
     • Endpoint reachable without a JWT token
     • Anyone can issue blockchain RPC requests through the proxy
     • Information disclosure: balances, transactions, smart contract data

  2. ❌ CORS WILDCARD
     • Access-Control-Allow-Origin: *
     • Cross-origin RPC abuse possible from any domain
     • Same-origin policy offers no protection

  3. ❌ NO RATE LIMITING
     • DoS vector: many parallel requests
     • Possible to overload the VPS blockchain node
     • No protection against automated scrapers

ATTACK SCENARIOS

Scenario 1: Balance Enumeration

// Attack: enumerate the balances of all users.
// rpcProxy: helper that POSTs a JSON-RPC body to /api/blockchain/rpc without an Authorization header
const addresses = ['0xf39Fd...', '0x70997...', ...];
for (const addr of addresses) {
  const balance = await rpcProxy({
    method: 'eth_getBalance',
    params: [addr, 'latest']
  });
  // ✅ BEFORE FIX: 200 OK - balance returned
  // ❌ AFTER FIX: 401 Unauthorized
}

Scenario 2: DoS Attack

// Attack: parallel requests to overload the node
const requests = Array(100).fill().map(() =>
  rpcProxy({ method: 'eth_blockNumber' })
);
await Promise.all(requests);
// ✅ BEFORE: all 100 requests succeed
// ❌ AFTER: all 100 rejected with 401 (no auth)

IMPLEMENTED FIX

Changes Made:

1. JWT Authentication (blockchain_rpc_proxy_router.go)

// Added authMiddleware field to the router struct
authMiddleware *middleware.AuthMiddleware

// Wrapped the endpoint with JWT protection
router.Handle("/api/blockchain/rpc",
    rpc.authMiddleware.WithJWTAuth(
        http.HandlerFunc(rpc.proxyRPCRequest),
    )).Methods("POST", "OPTIONS")

Check: the route also accepts OPTIONS, and browsers send the CORS preflight without an Authorization header. WithJWTAuth must therefore let OPTIONS through (or the preflight must be answered before the auth check), otherwise cross-origin calls from allowed origins fail even with a valid token. The automated tests below only cover the unauthenticated and wildcard cases, so verify this with a real cross-origin client from an allowed origin.

2. Restrictive CORS

// BEFORE: any origin may read the response
w.Header().Set("Access-Control-Allow-Origin", "*")

// AFTER: echo the Origin header only when it is on the configured allowlist
origin := r.Header.Get("Origin")
for _, allowed := range rpc.config.GetAllowedOrigins() {
    if origin == allowed {
        w.Header().Set("Access-Control-Allow-Origin", origin)
        break
    }
}

Because the header value now varies per request, also send Vary: Origin, so that an intermediate cache does not serve a response tagged with one origin to a client from another.

3. Security Test (rpc-proxy-security.spec.ts)
  • TDD approach: test created FIRST
  • Comprehensive attack scenario coverage
  • Validates fix effectiveness
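The full middleware chain that changes 1 and 2 describe, as an added example that is not the project's code (the real middleware.AuthMiddleware, config.GetAllowedOrigins and proxyRPCRequest are not on the page). The JWT check is abstracted as a TokenVerifier and backed by a constructed StaticVerifier; the allowed-origin list, the read-only JSON-RPC method allowlist and the 64 KiB body cap are assumptions. It shows the ordering the fix needs (CORS and preflight settled before auth), Vary: Origin, and a method allowlist that makes the "read-only endpoint" assumption of the impact assessment enforceable:

```go
package main

import (
	"encoding/json"
	"errors"
	"fmt"
	"net/http"
	"net/http/httptest"
	"strings"
)

// TokenVerifier abstracts the JWT check done by middleware.AuthMiddleware
// (not shown on the page): subject for a valid token, error otherwise.
type TokenVerifier func(token string) (subject string, err error)

// StaticVerifier is a constructed stand-in (fixed token->subject map); a real one checks signature, alg and exp.
func StaticVerifier(valid map[string]string) TokenVerifier {
	return func(token string) (string, error) {
		if sub, ok := valid[token]; ok {
			return sub, nil
		}
		return "", errors.New("invalid token")
	}
}

// WithJWTAuth has the shape of rpc.authMiddleware.WithJWTAuth: no valid
// Bearer token, no RPC. It sits after WithCORS so preflights never reach it.
func WithJWTAuth(verify TokenVerifier, next http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		token, ok := strings.CutPrefix(r.Header.Get("Authorization"), "Bearer ")
		if _, err := verify(token); !ok || err != nil { // no Bearer scheme or bad token
			http.Error(w, `{"error":"unauthorized"}`, http.StatusUnauthorized)
			return
		}
		next.ServeHTTP(w, r)
	})
}

// WithCORS echoes Origin only when allowlisted (never "*"), adds Vary: Origin so a
// shared cache cannot hand one origin's answer to another, and settles the preflight
// itself: browsers send OPTIONS without Authorization, so it must precede the JWT check.
func WithCORS(allowed []string, next http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		origin := r.Header.Get("Origin")
		for _, a := range allowed {
			if origin == a {
				w.Header().Set("Access-Control-Allow-Origin", origin)
				w.Header().Set("Vary", "Origin")
				w.Header().Set("Access-Control-Allow-Headers", "Authorization, Content-Type")
			}
		}
		if r.Method == http.MethodOptions {
			w.WriteHeader(http.StatusNoContent)
			return
		}
		next.ServeHTTP(w, r)
	})
}

// readOnlyMethods (assumed list) is all the proxy relays; this is what makes
// the "read-only endpoint" line of the impact assessment enforceable.
var readOnlyMethods = map[string]bool{"eth_blockNumber": true, "eth_getBalance": true, "eth_call": true, "eth_getTransactionByHash": true}

// proxyRPCRequest stands in for the real handler: it validates the JSON-RPC envelope
// and method; the project's router would forward the body to the node at the end.
func proxyRPCRequest(w http.ResponseWriter, r *http.Request) {
	var req struct {
		ID     json.RawMessage `json:"id"`
		Method string          `json:"method"`
	}
	// MaxBytesReader caps what the node ever sees; a non-POST or unparsable body is rejected.
	if r.Method != http.MethodPost || json.NewDecoder(http.MaxBytesReader(w, r.Body, 64<<10)).Decode(&req) != nil {
		http.Error(w, `{"error":"bad request"}`, http.StatusBadRequest)
		return
	}
	if !readOnlyMethods[req.Method] {
		http.Error(w, `{"error":"method not allowed"}`, http.StatusForbidden)
		return
	}
	w.Header().Set("Content-Type", "application/json")
	fmt.Fprintf(w, `{"jsonrpc":"2.0","id":%s,"result":"0x10"}`, req.ID)
}

// NewRPCHandler wires the chain in the order the fix needs: CORS, then JWT, then proxy.
func NewRPCHandler(verify TokenVerifier, allowedOrigins []string) http.Handler {
	mux := http.NewServeMux()
	mux.Handle("/api/blockchain/rpc", WithCORS(allowedOrigins, WithJWTAuth(verify, http.HandlerFunc(proxyRPCRequest))))
	return mux
}

func main() { // stand-alone demo: eth_blockNumber without, then with, the demo token
	h := NewRPCHandler(StaticVerifier(map[string]string{"demo-token": "user-1"}), []string{"https://app.example.com"})
	for _, auth := range []string{"", "Bearer demo-token"} {
		req := httptest.NewRequest(http.MethodPost, "/api/blockchain/rpc", strings.NewReader(`{"jsonrpc":"2.0","method":"eth_blockNumber","params":[],"id":1}`))
		req.Header.Set("Authorization", auth)
		rr := httptest.NewRecorder()
		h.ServeHTTP(rr, req)
		fmt.Println(rr.Code, strings.TrimSpace(rr.Body.String()))
	}
}
```

Running the file prints 401 for the first request and 200 with the JSON-RPC reply for the second. The method allowlist is the part the report's fix does not mention: without it, a valid token also lets a client relay eth_sendRawTransaction through the proxy, and the endpoint is no longer read-only.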

Test Results:

✅ should require authentication: 401 (was 200)
✅ should prevent balance queries: 401 (was 200)
✅ should prevent tx queries: 401 (was 200)
✅ DoS test: 0/20 successful (was 20/20)
✅ CORS: Access-Control-Allow-Origin header absent (was "*")

IMPACT ASSESSMENT

Before Fix:

  • Confidentiality: HIGH - anyone can read blockchain data through the proxy
  • Availability: HIGH - DoS vector via RPC spam
  • Integrity: LOW - treated as a read-only endpoint (this holds only if the proxy restricts the methods it forwards; a proxy that relays any JSON-RPC method would also relay state-changing calls such as eth_sendRawTransaction)

After Fix:

  • Confidentiality: MITIGATED - JWT auth is required
  • Availability: IMPROVED - unauthenticated requests are rejected; an authenticated client can still flood the node until the rate limiting listed under Future Improvements is in place
  • Integrity: N/A - endpoint is read-only

VERIFICATION

Manual Testing:

# Without auth - should return 401
curl -X POST http://localhost:8080/api/blockchain/rpc \
  -H "Content-Type: application/json" \
  -d '{"jsonrpc":"2.0","method":"eth_blockNumber","params":[],"id":1}'
# Result: 401 Unauthorized

# With a valid JWT - should work
curl -X POST http://localhost:8080/api/blockchain/rpc \
  -H "Authorization: Bearer <valid-jwt-token>" \
  -H "Content-Type: application/json" \
  -d '{"jsonrpc":"2.0","method":"eth_blockNumber","params":[],"id":1}'
# Result: 200 OK

Automated Testing:

make security-tests
# 12 passed (RPC proxy tests)

RECOMMENDATIONS

Completed:

  • ✅ JWT authentication на RPC proxy
  • ✅ Restrictive CORS policy
  • ✅ Security test coverage

Future Improvements:

  1. Rate Limiting: add a token bucket for the RPC endpoint
  2. Request Logging: detailed logging of RPC requests for audit
  3. IP Whitelisting: optional IP restriction for production
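A per-client token bucket for item 1 above, as an added example that is not the project's code. The limiter keys on the JWT subject when an auth middleware has stored it in the request context under an assumed subjectKey, and on the peer IP otherwise; burst and refill rate are constructed values, and the clock is injectable so the behaviour can be checked deterministically. CountResponses replays the DoS scenario from the report in-process:

```go
package main

import (
	"fmt"
	"net"
	"net/http"
	"net/http/httptest"
	"strconv"
	"sync"
	"time"
)

// bucket is one client's state: remaining tokens and the last refill time.
type bucket struct {
	tokens float64
	last   time.Time
}

// Limiter keeps a token bucket per key: Burst tokens to start, refilled at Rate per second up to Burst.
type Limiter struct {
	Burst   float64
	Rate    float64
	Now     func() time.Time // injectable clock so tests are deterministic
	mu      sync.Mutex
	buckets map[string]*bucket
}

func NewLimiter(burst, perSecond float64) *Limiter {
	return &Limiter{Burst: burst, Rate: perSecond, Now: time.Now, buckets: map[string]*bucket{}}
}

// Allow spends one token for key if available; otherwise it reports how long the caller must wait.
func (l *Limiter) Allow(key string) (bool, time.Duration) {
	l.mu.Lock()
	defer l.mu.Unlock()
	now := l.Now()
	b, ok := l.buckets[key]
	if !ok {
		b = &bucket{tokens: l.Burst, last: now}
		l.buckets[key] = b
	}
	b.tokens += now.Sub(b.last).Seconds() * l.Rate
	if b.tokens > l.Burst {
		b.tokens = l.Burst
	}
	b.last = now
	if b.tokens < 1 {
		return false, time.Duration((1 - b.tokens) / l.Rate * float64(time.Second))
	}
	b.tokens--
	return true, 0
}

// subjectKey is the assumed context key under which the auth middleware stores the JWT subject.
type ctxKey string

const subjectKey ctxKey = "jwt-subject"

// ClientKey throttles per subject when authenticated and per peer IP otherwise.
func ClientKey(r *http.Request) string {
	if sub, ok := r.Context().Value(subjectKey).(string); ok && sub != "" {
		return "sub:" + sub
	}
	host, _, err := net.SplitHostPort(r.RemoteAddr)
	if err != nil {
		host = r.RemoteAddr
	}
	return "ip:" + host
}

// Middleware answers 429 with Retry-After once the caller's bucket is empty.
func (l *Limiter) Middleware(next http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		ok, wait := l.Allow(ClientKey(r))
		if !ok {
			w.Header().Set("Retry-After", strconv.Itoa(int(wait/time.Second)+1))
			http.Error(w, `{"error":"rate limited"}`, http.StatusTooManyRequests)
			return
		}
		next.ServeHTTP(w, r)
	})
}

// CountResponses replays Scenario 2 in-process: n back-to-back requests from one
// source through the limiter; it returns how many got 200 and how many got 429.
func CountResponses(l *Limiter, n int) (allowed, limited int) {
	h := l.Middleware(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) { w.WriteHeader(http.StatusOK) }))
	for i := 0; i < n; i++ {
		rr := httptest.NewRecorder()
		h.ServeHTTP(rr, httptest.NewRequest(http.MethodPost, "/api/blockchain/rpc", nil))
		if rr.Code == http.StatusOK {
			allowed++
		}
	}
	return allowed, n - allowed
}

func main() {
	// Burst 20 refilled at 5/s (constructed values): of 100 requests only 20 pass.
	a, l := CountResponses(NewLimiter(20, 5), 100)
	fmt.Printf("allowed=%d limited=%d\n", a, l)
}
```

Place l.Middleware between WithJWTAuth and the proxy handler so the key is the authenticated subject; a second, IP-keyed instance in front of the auth check bounds unauthenticated floods as well. Per-key state grows with the number of distinct clients, so a production limiter also needs eviction of idle buckets.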

REFERENCES

  • Security Role: docs/roles/security-auditor.md
  • Test Suite: frontend/e2e/tests/security/api/rpc-proxy-security.spec.ts
  • Fix Implementation:
    • backend/shared/routing/blockchain_rpc_proxy_router.go
    • backend/shared/routing/router_factory.go

SECURITY PRINCIPLES APPLIED

  • Zero Trust: No endpoint accessible without authentication
  • Defense in Depth: Multiple security layers (JWT + CORS + future rate limiting)
  • TDD Methodology: Test-first development ensures fix effectiveness
  • Least Privilege: RPC access only for authenticated users

Next Steps: Continue the security audit to find further vulnerabilities in the project.