AnonymousInactive
Using a bitcoin full node adapter, I noticed walletnotify and blocknotify are sending info to the API without restrictions; the API takes anything from anyone. What if an attacker sends fake information to the API? Something like a fake TXID (or better, a double-spending TX) and 6 confirmations (6 block numbers) before the real confirmations (while the TX is only in the mempool)? I’ve sent https://(mydomain)/wallets/api3/notify/BTC/wallet/122222222222222222222 from my browser and the result was {"result":"success"}. The same happens with https://(mydomain)/wallets/api3/notify/BTC/block/600000. Wouldn’t it be more secure for those API endpoints to have a password, something like a query string with a password? Or am I being too paranoid?
Hello,
As you saw, the notification API accepts TXIDs from anyone (but not confirmation counts). Then, the plugin queries the wallet about these transactions by their ID. The plugin will only insert a transaction to the DB if it concerns a user on the system and if it is valid according to the wallet. The API endpoint is very simple and secure. It does not need to trust the caller.
The same is true with blocks but blocks are not currently being used in anything. The hook is available for future use.
with regards
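
The flow described in the reply above, sketched as an added Python example (not the plugin's own code): the TXID in the request is only a hint, and everything that gets recorded, including the confirmation count, comes from the wallet's `gettransaction` response. `FakeWallet`, `handle_wallet_notify`, `demo`, the addresses and the sample TXIDs are constructed for illustration.

```python
import re

TXID_RE = re.compile(r"[0-9a-f]{64}")  # a Bitcoin TXID is 32 bytes, hex-encoded

class FakeWallet:
    """Constructed stand-in for the node's wallet RPC (gettransaction)."""
    def __init__(self, txs):
        self.txs = txs

    def gettransaction(self, txid):
        # A real node answers with an RPC error for TXIDs the wallet does not hold.
        if txid not in self.txs:
            raise LookupError("Invalid or non-wallet transaction id")
        return self.txs[txid]

def handle_wallet_notify(txid, wallet, user_addresses, db):
    """Handle a notify call from an unauthenticated caller (hypothetical helper)."""
    txid = txid.strip().lower()
    if not TXID_RE.fullmatch(txid):
        return "ignored: malformed txid"
    try:
        tx = wallet.gettransaction(txid)  # the wallet, not the caller, is the source of truth
    except LookupError:
        return "ignored: unknown to wallet"
    recorded = False
    for d in tx["details"]:
        user = user_addresses.get(d["address"])
        if d["category"] == "receive" and user is not None:
            # Keyed by (txid, address): replaying a notify overwrites, never double-credits.
            db[(txid, d["address"])] = {"user": user, "amount": d["amount"],
                                        "confirmations": tx["confirmations"]}
            recorded = True
    return "recorded" if recorded else "ignored: no local user"

def demo():
    real = "ab" * 32  # constructed TXID, still unconfirmed (in the mempool)
    wallet = FakeWallet({real: {"confirmations": 0, "details": [
        {"address": "addr-of-alice", "category": "receive", "amount": 0.5}]}})
    users, db = {"addr-of-alice": "alice"}, {}
    results = [handle_wallet_notify(t, wallet, users, db)
               for t in ("122222222222222222222", "cd" * 32, real, real)]
    return results, db

if __name__ == "__main__":
    print(demo())
```

The request carries no confirmation count at all, so a caller cannot make an unconfirmed transaction look confirmed; the stored value is whatever the wallet reports at the time of the query.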