fix: use constant-time x402 admin key checks #4198

Merged
Scottcjn merged 1 commit into Scottcjn:main from cerredz:fix/x402-admin-key-constant-time
May 10, 2026
@cerredz (Contributor) commented May 10, 2026

Summary

Fixes #4197.

This hardens the x402 admin wallet-linking routes by replacing regular admin-key string inequality with hmac.compare_digest:

  • POST/PATCH /wallet/link-coinbase in node/rustchain_x402.py
  • POST /api/agents/<agent_id>/wallet in node/beacon_x402.py

The test coverage now checks both rejected invalid-admin-key requests and accepted valid-admin-key requests that round-trip through the Flask handlers and write the expected wallet rows.

Proof

python -m pytest node\tests\test_x402_admin_key_compare.py -q
....                                                                     [100%]
4 passed

python -m py_compile node\rustchain_x402.py node\beacon_x402.py node\tests\test_x402_admin_key_compare.py

git diff --check

ruff is not installed in my local environment, so I could not run the repo lint command locally.

Bounty

Bug report/fix submitted for consideration under #305. Payout details can be provided privately if accepted.

@github-actions github-actions Bot added BCOS-L1 Beacon Certified Open Source tier BCOS-L1 (required for non-doc PRs) node Node server related tests Test suite changes labels May 10, 2026
@github-actions github-actions Bot added the size/M PR: 51-200 lines label May 10, 2026
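
An added illustration of the change this PR describes, not the code from node/rustchain_x402.py or node/beacon_x402.py: a plain equality check beside an `hmac.compare_digest` check that also fails closed on a missing or empty key. The header name `X-Admin-Key`, the function names and the sample key are assumptions made for the example.

```python
import hmac
from typing import Mapping, Optional

ADMIN_HEADER = "X-Admin-Key"  # hypothetical header name, not taken from the PR


def naive_key_ok(provided: Optional[str], expected: str) -> bool:
    # "Before" pattern: str ==/!= may stop at the first differing byte,
    # so response time can correlate with the length of the matching prefix.
    return provided == expected


def constant_time_key_ok(provided: Optional[str], expected: Optional[str]) -> bool:
    # Fail closed: an unset or empty server-side key must authorize nothing
    # (compare_digest(b"", b"") would return True).
    if not expected or provided is None:
        return False
    # compare_digest raises TypeError on str with non-ASCII characters,
    # so compare UTF-8 bytes rather than the raw header strings.
    return hmac.compare_digest(provided.encode("utf-8"), expected.encode("utf-8"))


def authorize(headers: Mapping[str, str], expected: Optional[str]) -> int:
    """Return the HTTP status an admin-gated handler would answer with."""
    return 200 if constant_time_key_ok(headers.get(ADMIN_HEADER), expected) else 401


if __name__ == "__main__":
    key = "constructed-admin-key-for-demo"  # constructed sample value
    for hdrs in ({ADMIN_HEADER: key}, {ADMIN_HEADER: key[:-1] + "X"}, {}):
        print(hdrs, "->", authorize(hdrs, key))
```

`hmac.compare_digest` hides where two values differ, not whether their lengths differ, so the admin key should still be long and random.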
@Scottcjn (Owner) commented

💰 PAID — 10 RTC pending, will confirm in 24h.

  • tx hash: cffb8f9bffe6f27ab2884e5cab6672a2
  • Pending ID: 1405

What worked

Welcome @cerredz! Both x402 admin gates switch to constant-time compare cleanly. Tests pin the unauthorized path; for next time, also add a test that proves authorized requests still work end-to-end (round-tripping a valid key through the full handler).

— auto-triage 2026-05-10

@Scottcjn Scottcjn merged commit 6ac9638 into Scottcjn:main May 10, 2026
3 checks passed
@cerredz (Contributor, Author) commented May 10, 2026

Thanks for the triage and payout note. I pushed a follow-up commit (4d6751b) adding the authorized-path coverage you mentioned:

  • POST /wallet/link-coinbase now has a valid-admin-key test that round-trips through the Flask handler and verifies the Coinbase address is written to balances.
  • POST /api/agents/<agent_id>/wallet now has a valid-admin-key test that round-trips through the Beacon handler and verifies the wallet row is written to beacon_wallets.

Validation rerun:

  • python -m pytest node\tests\test_x402_admin_key_compare.py -q => 4 passed
  • python -m py_compile node\rustchain_x402.py node\beacon_x402.py node\tests\test_x402_admin_key_compare.py => passed
  • git diff --check => passed

Development

Successfully merging this pull request may close these issues.

x402 admin wallet routes use timing-sensitive admin key comparison