-
Notifications
You must be signed in to change notification settings - Fork 41
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Possible Configuration Issue on Alchemy/Infura Endpoints #135
Comments
@james-a-morris thanks for raising this!
That this doesn't really protect against an attacker, right? Couldn't they just overload the endpoint from nodejs with custom headers? Going a step further, can't they replicate any request the frontend makes, so any sort of secret would also be exposed, right? I think a good long term solution is probably to have server that sits between the frontend and infura that's protected by Cloudflare or a similar DOS protection service. That server could do a lot of the aggregate computation needed by the UI, while leaving simple user-specific queries, like balances, to be done by the wallet's provider. However, that has some tradeoffs:
Thoughts? |
Hi, Matt! Thanks for this detailed response. These are great points, 100%. I agree that this would not solve the case where an entity utilizes Node with custom-headers. An alternate vulnerability: at the current moment, a user/company/product can locate these endpoints and use them in a separate dApp with a similar configuration to Across (having client-code directly interact with Infura). Any web traffic that this dApp gets will effectively share a usage quota with Across. Adding a whitelist would mitigate this entirely because the "Origin" header is a forbidden header name on most mainstream browsers. -- Regarding your points on the long-term health of Across' (front/back)end, I agree wholeheartedly that a wrapper API could simplify the process and lock-down any endpoints with rate-limits, CSRF, CORS whitelisting, etc. At the same time, I also think using Alchemy/Infura directly on the client-side is also a valid approach which I've seen multiple times within various projects. I suppose the reason for why I wanted to raise this issue is two-fold:
|
I'm going to close this issue. I believe this is resolved 🙂 |
cc'ing @pxrl for visibility. |
Issue Statement
The issue I found has to do with the configuration of the production Alchemy/Infura endpoints on https://across.to/. Specifically, the domain whitelisting is not enabled to prevent external websites from querying Infura/Alchemy data via production endpoints.
Possible Vulnerability
These public endpoints could be used on a different website at Across/UMA's expense. And, if the API requests exceed Across' monthly quota, it could mean a denial of service (API endpoints returning failed responses) or a surcharge in additional fees.
Evidence
I've run several tests on a jsFiddle and deployed one test site to Netlify to query a randomly chosen production API endpoint against various origins. As a control, I created a free Infura endpoint and applied whitelisting for across.to (for prod) and for *.vercel.app to cover the preview deployments.
In all the environments I've tested, the production endpoint returns a valid value and the free Infura endpoint returns a 403 "Forbidden" error.
A successful call of an in-production Infura Endpoint being fetched from a different host outside of the prod/preview environment (account.to and *.vercel.app)
A failed call of the test Infura Endpoint (endpoint now disabled) with whitelisting set for prod/preview environments (across.to & *.vercel.app)
Possible Solutions
I would recommend applying domain whitelisting on Infura/Alchemy for across.to and *.vercel.app in the Infura configuration panel.
For the ETH endpoints on Infura,
The text was updated successfully, but these errors were encountered: