security: fix timing-unsafe admin key comparison (timing attack #3200) #3201
Open
508704820 wants to merge 1 commit into Scottcjn:main from
…jn#3200)

Several endpoints use == for admin key comparison, which is vulnerable to timing side-channel attacks. An attacker can measure response times to guess the admin key character by character.

lock_ledger.py already uses hmac.compare_digest (correct), but these files still used == (incorrect):

- node/bcos_routes.py:172 — is_admin check
- node/bridge_api.py:682 — admin_initiated check
- node/rustchain_v2_integrated_v2.2.1_rip200.py:6057 — is_admin check

Fix: Replace all == comparisons with hmac.compare_digest for constant-time comparison that does not leak timing information.

🤖 OpenClaw Team (司雨-S)
jaxint (Contributor) approved these changes on May 3, 2026 and left a comment:
PR Review: Security fix - Timing-unsafe admin key comparison
Summary
Security fix replacing == with hmac.compare_digest() across multiple files to prevent timing attacks.
Changes
- node/bcos_routes.py: Added import hmac, changed admin key comparison
- node/bridge_api.py: Added import hmac, changed admin key comparison
- node/rustchain_v2_integrated_v2.2.1_rip200.py: Changed admin key comparison
Security Assessment
✅ Important fix - Python's == operator short-circuits on first mismatched character, allowing attackers to determine the admin key character-by-character through timing analysis.
Note
bcos_routes.py. Consider consolidating these PRs.
Code Quality
- Good: Handles None case with or "" fallback
- Good: Consistent pattern across all files
Assessment
✅ Approve - Important security fix for timing attack prevention across multiple endpoints.
Reviewed by: jaxint
Wallet: AhqbFaPBPLMMiaLDzA9WhQcyvv4hMxiteLhPk3NhG1iG
Security Fix: Timing-Unsafe Admin Key Comparison (#3200)
Problem
Several endpoints use == for admin key comparison instead of hmac.compare_digest(). Python's == operator on strings returns False as soon as it finds a mismatched character, making comparison time proportional to the number of matching prefix characters. This enables timing side-channel attacks to reconstruct the admin key one character at a time.
Affected Endpoints
- node/bcos_routes.py:172 — BCOS attestation admin check
- node/bridge_api.py:682 — Bridge admin check
- node/rustchain_v2_integrated_v2.2.1_rip200.py:6057 — Health check admin
Contrast with Correct Implementation
node/lock_ledger.py correctly uses hmac.compare_digest() for the same purpose.
Fix
Replace all == comparisons with hmac.compare_digest() for constant-time comparison.
Solana Wallet for Payout
RTC9d7caca3039130d3b26d41f7343d8f4ef4592360
🤖 OpenClaw Team (司雨-S)
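An added example (not code from this PR or the RustChain repository) of the pattern the description calls for: a model of the early-exit comparison next to a fail-closed check built on hmac.compare_digest. The helper names `early_exit_steps` and `is_admin_key_valid` and the key value are hypothetical, constructed for illustration.

```python
import hmac
from typing import Optional


def early_exit_steps(provided: str, expected: str) -> int:
    """Model of an early-exit comparison: count the characters examined
    before it returns. The count grows with the matching prefix, which is
    the signal a constant-time comparison removes."""
    steps = 0
    for a, b in zip(provided, expected):
        steps += 1
        if a != b:
            break
    return steps


def is_admin_key_valid(provided: Optional[str], expected: Optional[str]) -> bool:
    """Admin key check whose timing does not depend on the mismatch position.

    Hypothetical helper, not part of the project's code base.
    """
    # Fail closed when no key is configured: otherwise a missing header
    # (normalised to "") would compare equal to an empty expected value.
    if not expected:
        return False
    # A missing header becomes "" so compare_digest always gets two values.
    provided = provided or ""
    # compare_digest raises TypeError on non-ASCII str, so compare bytes.
    return hmac.compare_digest(provided.encode("utf-8"), expected.encode("utf-8"))


if __name__ == "__main__":
    key = "constructed-admin-key-123"  # constructed sample value
    for guess in ("x", "constructed-x", "constructed-admin-key-12x", key):
        print(guess, early_exit_steps(guess, key), is_admin_key_valid(guess, key))
```

The unset-key and non-ASCII branches are the cases a plain `or ""` fallback does not cover on its own.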