Refs #44
File: crates/charon-executor/src/submit.rs, crates/charon-core/src/config.rs
Problem
When BSC_PRIVATE_RPC_URL is unset, callers fall back to ChainConfig.http_url (public BSC RPC). The submitter then broadcasts every signed liquidation transaction to the public mempool. Competing MEV bots observe pending transactions and race-submit or sandwich them. The private RPC submitter exists precisely to prevent this. A missing env var must be a hard startup failure, not silent degradation.
Impact
Every liquidation broadcast in misconfigured deployments is publicly visible before inclusion. Liquidation revenue is lost to faster competitors. The PR's fallback inverts the safety contract.
Fix
In Config validation, if private_rpc_url is None for a chain that has a liquidator deployed, fail at startup with a typed ConfigError. Provide an explicit opt-in flag like allow_public_mempool: bool (default false) for testnet/dev only.
Refs #44
File: crates/charon-executor/src/submit.rs, crates/charon-core/src/config.rs
Problem
When BSC_PRIVATE_RPC_URL is unset, callers fall back to ChainConfig.http_url (public BSC RPC). The submitter then broadcasts every signed liquidation transaction to the public mempool. Competing MEV bots observe pending transactions and race-submit or sandwich them. The private RPC submitter exists precisely to prevent this. A missing env var must be a hard startup failure, not silent degradation.
Impact
Every liquidation broadcast in misconfigured deployments is publicly visible before inclusion. Liquidation revenue is lost to faster competitors. The PR's fallback inverts the safety contract.
Fix
In Config validation, if private_rpc_url is None for a chain that has a liquidator deployed, fail at startup with a typed ConfigError. Provide an explicit opt-in flag like
allow_public_mempool: bool(default false) for testnet/dev only.