Open extra topbar

Security question

If you are new here, please see some information on how to ask for support. Thank you!

Security question

dashed-slug.net Forums General discussion Security question

This topic contains 1 reply, has 2 voices, and was last updated by  alexg 9 months, 2 weeks ago.

Viewing 2 posts - 1 through 2 (of 2 total)
  • Author
    Posts
  • #5438

    tfontoura
    Participant

    Using a bitcoin full node adapter, I noticed walletnotify and blocknotify are sending info for the API without restrictions, the API takes anything from anyone. What if an attacker sends fake information to the API? Something as a fake TXID (or better, a double-spending TX) and 6 confirmations (6 block numbers) before the real confirmations (while the TX is only in the mempool)? I’ve sent https://(mydomain)/wallets/api3/notify/BTC/wallet/122222222222222222222 from my browser and the result was {"result":"success"}. The same happens with https://(mydomain)/wallets/api3/notify/BTC/block/600000. Wouldn’t it be more secure for those API endpoints having a password, something as querystring with a password? Or am I being too paranoid?

    #5451

    alexg
    Keymaster

    Hello,

    As you saw, the notification API accepts TXIDs from anyone (but not confirmation counts). Then, the plugin queries the wallet about these transactions by their ID. The plugin will only insert a transaction to the DB if it concerns a user on the system and if it is valid according to the wallet. The API endpoint is very simple and secure. It does not need to trust the caller.

    The same is true with blocks but blocks are not currently being used in anything. The hook is available for future use.

    with regards

Viewing 2 posts - 1 through 2 (of 2 total)

You must be logged in to reply to this topic.