[PR #30] Startup info! block risks future RPC URL leak (follow-on to #76) #84

@obchain

Description
PR: #30 (feat/05-clap-cli)
File: crates/charon-cli/src/main.rs
Lines: ~50-58

Problem:

info!(
    chains = config.chain.len(),
    ...
    min_profit_usd = config.bot.min_profit_usd,
    "config loaded"
);

Safe today (counts only). Pattern trains contributors to extend block. Future rpc_url = %config.chain[0].rpc_url or {:?} on any config struct emits bearer tokens to Loki / Grafana Cloud sink (PR #54). Issue #76 flagged Debug-derive risk on ChainConfig; this log site is the runtime vector.

Fix: Add SECURITY comment restricting permitted fields:

// SECURITY: only counts and non-secret scalars here.
// Never log rpc_url, private_key, wallet, or any full struct Debug.

Longer term: introduce ConfigSummary redacting newtype used exclusively for logging.
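The redacting newtype and hand-written Debug proposed above, as an added example that is not the project's code: the ChainConfig/BotConfig/Config field names, redact_url, leaks_secret and the sample token are assumptions, and std formatting stands in for tracing's info! so the block runs offline. The point it demonstrates is that once the log site only ever formats a ConfigSummary, and ChainConfig has no derived Debug, neither %config.chain[0].rpc_url nor {:?} on the struct can reach the sink with a token in it.

```rust
use std::fmt;

// Hypothetical stand-ins for the project's config structs; field names are assumed.
pub struct ChainConfig {
    pub name: String,
    // Provider URLs often carry the API key in the path, e.g. https://host/v2/<token>.
    pub rpc_url: String,
    pub private_key: String,
}

pub struct BotConfig {
    pub min_profit_usd: f64,
}

pub struct Config {
    pub chain: Vec<ChainConfig>,
    pub bot: BotConfig,
}

/// Keep scheme and host only; drop userinfo, path, query and fragment,
/// which is where bearer tokens and API keys usually live.
pub fn redact_url(url: &str) -> String {
    match url.split_once("://") {
        Some((scheme, rest)) => {
            let authority = rest
                .split(|c: char| c == '/' || c == '?' || c == '#')
                .next()
                .unwrap_or("");
            let host = authority.rsplit('@').next().unwrap_or("");
            format!("{scheme}://{host}/<redacted>")
        }
        None => "<redacted>".to_string(),
    }
}

/// Hand-written Debug instead of #[derive(Debug)]: an accidental `{:?}` or
/// `?config.chain[0]` in a log macro then cannot emit the token or key.
impl fmt::Debug for ChainConfig {
    fn fmt(&self, f: &mut fmt::Formatter<'_>) -> fmt::Result {
        f.debug_struct("ChainConfig")
            .field("name", &self.name)
            .field("rpc_url", &redact_url(&self.rpc_url))
            .field("private_key", &"<redacted>")
            .finish()
    }
}

/// Redacting newtype: the only value the "config loaded" log site is allowed
/// to format. It carries counts and non-secret scalars and nothing else.
pub struct ConfigSummary {
    pub chains: usize,
    pub chain_names: Vec<String>,
    pub min_profit_usd: f64,
}

impl ConfigSummary {
    pub fn from_config(cfg: &Config) -> Self {
        ConfigSummary {
            chains: cfg.chain.len(),
            chain_names: cfg.chain.iter().map(|c| c.name.clone()).collect(),
            min_profit_usd: cfg.bot.min_profit_usd,
        }
    }
}

// Display is what `%summary` in a tracing macro would use.
impl fmt::Display for ConfigSummary {
    fn fmt(&self, f: &mut fmt::Formatter<'_>) -> fmt::Result {
        write!(
            f,
            "chains={} names={:?} min_profit_usd={}",
            self.chains, self.chain_names, self.min_profit_usd
        )
    }
}

/// Stand-in for the `info!(...)` call: renders the line the sink would receive.
pub fn config_loaded_line(cfg: &Config) -> String {
    let summary = ConfigSummary::from_config(cfg);
    format!("config loaded {summary}")
}

/// Regression check for a unit test: does a rendered log line contain any
/// secret from the config? Checks the raw URL, the key, and the URL path
/// (where provider tokens live) so a partial leak is also caught.
pub fn leaks_secret(rendered: &str, cfg: &Config) -> bool {
    cfg.chain.iter().any(|c| {
        let path = c
            .rpc_url
            .split_once("://")
            .and_then(|(_, r)| r.split_once('/'))
            .map(|(_, p)| p);
        rendered.contains(c.rpc_url.as_str())
            || rendered.contains(c.private_key.as_str())
            || path.map_or(false, |p| !p.is_empty() && rendered.contains(p))
    })
}

/// Constructed sample config with a fake token and key (not real credentials).
pub fn sample_config() -> Config {
    Config {
        chain: vec![ChainConfig {
            name: "mainnet".into(),
            rpc_url: "https://eth.example.invalid/v2/FAKE_TOKEN_123".into(),
            private_key: "0xFAKE_PRIVATE_KEY".into(),
        }],
        bot: BotConfig { min_profit_usd: 25.5 },
    }
}

fn main() {
    let cfg = sample_config();
    println!("{}", config_loaded_line(&cfg));
    println!("{:?}", cfg.chain[0]);
}
```

A test built on leaks_secret can be run over every log site that touches Config, so a future `rpc_url = %...` field fails CI rather than reaching the Loki / Grafana Cloud sink.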

Metadata

Assignees

No one assigned

Labels

    layer:rust (Rust crates: core / scanner / protocols / executor / cli)
    pr-review (Findings from PR review process)
    priority:p1-core (Core MVP scope)

    Projects

    No projects

    Milestone

    No milestone

    Relationships

    None yet

    Development

    No branches or pull requests