PR: #29 (feat/04-toml-config-loader)
File: crates/charon-core/src/config.rs, line 42 (ChainConfig); also FlashLoanConfig / ProtocolConfig indirectly
ChainConfig derives Debug, and Config top-level also derives Debug. Config loader substitutes ${BNB_WS_URL} from env; in production ops use providers like QuickNode / Alchemy / Blast where URL embeds the API key path (e.g., wss://bsc.quicknode.com/<uuid>/). Any tracing::debug!("{:?}", cfg), panic with config in the payload, or error message printing the loaded Config leaks the key.
Impact: Secret exfil through logs. Grafana / Loki pipelines (PR #50, #54) will ingest and retain the leaked URL.
Fix:
- Wrap sensitive fields in secrecy::SecretString (crate: secrecy = "0.10"). Default Debug for SecretString prints [REDACTED].
- Or manual impl Debug for ChainConfig that prints ws_url: "<redacted>".
- Apply same treatment to any field holding URL / key / mnemonic.
Audit Cargo.lock after fix — secrecy brings zeroize which also scrubs memory on drop.
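Added illustration of the second fix option (a hand-written Debug impl), shown beside the leaky derived form; this is example code, not the PR's own config.rs, and the provider URL is a constructed placeholder, not a real key.

```rust
use std::fmt;

// Constructed sample in the shape the review describes: a provider URL whose path
// carries the API key. The uuid here is a placeholder, not a real credential.
const SAMPLE_WS_URL: &str = "wss://bsc.quicknode.com/00000000-0000-4000-8000-000000000000/";

/// "Before": `#[derive(Debug)]` prints every field verbatim, key included.
#[derive(Debug, Clone)]
pub struct LeakyChainConfig {
    pub chain_id: u64,
    pub ws_url: String,
}

/// "After": same data, but Debug is hand-written so the URL never reaches a log line.
#[derive(Clone)]
pub struct ChainConfig {
    pub chain_id: u64,
    ws_url: String, // private: the only read path is the explicit accessor below
}

impl ChainConfig {
    pub fn new(chain_id: u64, ws_url: impl Into<String>) -> Self {
        Self { chain_id, ws_url: ws_url.into() }
    }

    /// Deliberately named so every use site of the secret is easy to grep for.
    pub fn expose_ws_url(&self) -> &str {
        &self.ws_url
    }
}

impl fmt::Debug for ChainConfig {
    fn fmt(&self, f: &mut fmt::Formatter<'_>) -> fmt::Result {
        f.debug_struct("ChainConfig")
            .field("chain_id", &self.chain_id)
            .field("ws_url", &"<redacted>") // renders as ws_url: "<redacted>"
            .finish()
    }
}

/// Renders both structs exactly as `tracing::debug!("{:?}", cfg)` or a panic payload would.
pub fn debug_renderings() -> (String, String) {
    let leaky = LeakyChainConfig { chain_id: 56, ws_url: SAMPLE_WS_URL.to_string() };
    let safe = ChainConfig::new(56, SAMPLE_WS_URL);
    (format!("{:?}", leaky), format!("{:?}", safe))
}

fn main() {
    let (leaky, safe) = debug_renderings();
    println!("derived Debug: {leaky}");
    println!("manual Debug : {safe}");
}
```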