Skip to content

[PR #31] Missing chain ID check after WebSocket handshake — wrong-chain connection undetected #88

Closed
Closed
[PR #31] Missing chain ID check after WebSocket handshake — wrong-chain connection undetected#88
Labels
layer:rustRust crates (core / scanner / protocols / executor / cli)pr-reviewFindings from PR review processpriority:p1-coreCore MVP scope
@obchain

Description

@obchain
obchain
opened on Apr 22, 2026

PR: #31 (feat/06-chainprovider-ws)
File: crates/charon-scanner/src/provider.rs
Lines: 36-43

Problem: ChainProvider::connect establishes WebSocket and returns Ok(Self) without calling eth_chainId to verify endpoint is BSC (chain ID 56). Misconfigured URL pointing at Ethereum mainnet (chain ID 1) silently succeeds.

Impact: Liquidation transactions broadcast to wrong chain waste gas and fail silently. All subsequent scanner state (block numbers, contract addresses) invalid for BSC. PRD requires BSC-only operation.

Fix: Add expected_chain_id: u64 to ChainConfig (default 56). After on_ws succeeds:

let actual = provider.get_chain_id().await
    .context("chain '{name}': eth_chainId probe failed")?;
anyhow::ensure!(
    actual == config.expected_chain_id,
    "chain '{name}': expected chain ID {}, got {actual}",
    config.expected_chain_id
);

Metadata

Metadata

Assignees

No one assigned

    Labels

    layer:rustRust crates (core / scanner / protocols / executor / cli)pr-reviewFindings from PR review processpriority:p1-coreCore MVP scope

    Projects

    No projects

    Milestone

    No milestone

    Relationships

    None yet

    Development

    No branches or pull requests

    Issue actions