- This topic has 1 reply, 2 voices, and was last updated 5 years, 3 months ago by
.
-
Posts
-
Using a bitcoin full node adapter, I noticed walletnotify and blocknotify are sending info for the API without restrictions, the API takes anything from anyone. What if an attacker sends fake information to the API? Something as a fake TXID (or better, a double-spending TX) and 6 confirmations (6 block numbers) before the real confirmations (while the TX is only in the mempool)? I’ve sent
https://(mydomain)/wallets/api3/notify/BTC/wallet/122222222222222222222from my browser and the result was{"result":"success"}. The same happens withhttps://(mydomain)/wallets/api3/notify/BTC/block/600000. Wouldn’t it be more secure for those API endpoints having a password, something as querystring with a password? Or am I being too paranoid?Hello,
As you saw, the notification API accepts TXIDs from anyone (but not confirmation counts). Then, the plugin queries the wallet about these transactions by their ID. The plugin will only insert a transaction to the DB if it concerns a user on the system and if it is valid according to the wallet. The API endpoint is very simple and secure. It does not need to trust the caller.
The same is true with blocks but blocks are not currently being used in anything. The hook is available for future use.
with regards
- You must be logged in to reply to this topic.