Skip to content

fix: wallet-based rate limiting to prevent IP-spoofing bypass (SECURITY)#1698

Open
jujujuda wants to merge 1 commit intoScottcjn:mainfrom
jujujuda:main
Open

fix: wallet-based rate limiting to prevent IP-spoofing bypass (SECURITY)#1698
jujujuda wants to merge 1 commit intoScottcjn:mainfrom
jujujuda:main

Conversation

@jujujuda
Copy link

@jujujuda jujujuda commented Mar 20, 2026

Security Fix: Faucet Rate Limit Bypass via X-Forwarded-For Spoofing

Vulnerability Summary

Reported in rustchain-bounties#2246.

The faucet (faucet.py) used IP-based rate limiting only. An attacker who controls or exploits a misconfigured reverse proxy could set arbitrary X-Forwarded-For values, bypassing the IP-based rate limit.

Fix Applied

Primary Defense: Wallet-based rate limiting

  • Added wallet-based rate limit check as the primary defense
  • Even if an attacker rotates IPs, they cannot bypass without rotating wallets

X-Forwarded-For Validation

  • Only trust X-Forwarded-For from localhost when present AND properly formatted
  • Absence of XFF from localhost = potential spoofing attempt

Changes

  • get_client_ip(): Improved XFF validation
  • can_drip_by_wallet(): New — wallet-based rate limit
  • can_drip_by_ip(): Existing IP-based check (secondary)
  • drip() endpoint: Now checks both wallet AND IP limits

Bounty payment wallet

RTC2fe3c33c77666ff76a1cd0999fd4466ee81250ff

@jujujuda
fix: wallet-based rate limiting to prevent IP-spoofing bypass (SECURITY)
6ccdcb0 
Fixes rate limit bypass via X-Forwarded-For header spoofing.

Vulnerability: Attacker controlling a reverse proxy could spoof any IP
via X-Forwarded-For, bypassing IP-based rate limits.

Fix: Add wallet-based rate limiting as primary defense. Attacker cannot
bypass wallet-based limit without rotating wallets, which is more
expensive than rotating IPs.

Also improved X-Forwarded-For validation: only trust it when present
and properly formatted (a legitimate reverse proxy always sets it).

Addresses: rustchain-bounties#2246
@github-actions
Copy link

github-actions bot commented Mar 20, 2026

Welcome to RustChain! Thanks for your first pull request.

Before we review, please make sure:

  • Your PR has a BCOS-L1 or BCOS-L2 label
  • New code files include an SPDX license header
  • You've tested your changes against the live node

Bounty tiers: Micro (1-10 RTC) | Standard (20-50) | Major (75-100) | Critical (100-150)

A maintainer will review your PR soon. Thanks for contributing!

@github-actions github-actions bot added BCOS-L1 Beacon Certified Open Source tier BCOS-L1 (required for non-doc PRs) size/M PR: 51-200 lines labels Mar 20, 2026
@Scottcjn
Copy link
Owner

Scottcjn commented Mar 20, 2026

Good security fix — we want to merge this. But it has merge conflicts with main. Could you rebase on main and force-push? We'll merge once conflicts are resolved. Thanks @jujujuda!

@Scottcjn
Copy link
Owner

Scottcjn commented Mar 26, 2026

Review: Request Changes 🔧

Wallet-based rate limiting is the right concept. Two bugs to fix:

  1. Operator precedence (line 38): if first_ip and '.' in first_ip or ':' in first_ip → needs parens: if first_ip and ('.' in first_ip or ':' in first_ip)

  2. IP validation is overcomplicated — replace with ipaddress.ip_address(first_ip) from stdlib.

  3. Missing tests — add at least: wallet rate limit, IP rate limit, XFF spoofing from non-localhost.

Fix these = 20 RTC. @jujujuda

@Scottcjn
Copy link
Owner

Scottcjn commented Mar 26, 2026

Good concept — wallet-based rate limiting addresses a real vulnerability. Two things needed before merge:

  1. Operator precedence bug in get_client_ip(): The or ':' in first_ip on the same line as the if not any() check has precedence issues. Wrap the condition properly.
  2. Merge conflict with main — needs rebase.

Fix those and this is mergeable. 🔒

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

BCOS-L1 Beacon Certified Open Source tier BCOS-L1 (required for non-doc PRs) size/M PR: 51-200 lines

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

2 participants

@jujujuda @Scottcjn