Risk Level
HIGH
File
core/src/exchanges/kalshi/auth.ts
Findings
- Line 60: `let privateKey = this.credentials.privateKey!;` — `privateKey` is used to sign every authenticated request via `crypto.createSign`. If the user constructs `KalshiExchange` without providing a private key (e.g., for read-only use) and then calls a trading endpoint, this assertion crashes before the signing even begins.
What Happens When It's Wrong
`TypeError: Cannot read properties of undefined (reading 'includes')`
(from line 63: `if (privateKey.includes('\\n'))`) — an opaque crash with no indication that the credential was missing.
Suggested Fix
Validate at construction or at the start of the signing method:
```ts
if (!this.credentials.privateKey) {
  throw new Error('[kalshi] privateKey is required for authenticated requests');
}
let privateKey = this.credentials.privateKey;
```
Found by automated non-null assertion audit
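The same guard written as a TypeScript assertion function, so the compiler narrows `privateKey` to `string` and the `!` is no longer needed. This is an added example, not code from the repository: `Credentials`, `assertCanSign`, `loadKeyUnchecked`, `loadKeyChecked` and `describeFailure` are hypothetical names, and the escaped-newline replacement is an assumption about what the check on line 63 is for.

```typescript
// Hypothetical credential shape; only `privateKey` is taken from the report.
interface Credentials {
  apiKey?: string;
  privateKey?: string;
}
type SigningCredentials = Credentials & { privateKey: string };

class MissingCredentialError extends Error {
  constructor(field: string) {
    super(`[kalshi] ${field} is required for authenticated requests`);
    this.name = 'MissingCredentialError';
  }
}

// Assertion function: after it returns, `creds.privateKey` is typed as string.
// It also rejects empty and whitespace-only values.
function assertCanSign(creds: Credentials): asserts creds is SigningCredentials {
  if (typeof creds.privateKey !== 'string' || creds.privateKey.trim() === '') {
    throw new MissingCredentialError('privateKey');
  }
}

// Before: `!` silences the compiler, so a missing key surfaces as a TypeError
// on the first property access instead of a credential error.
function loadKeyUnchecked(creds: Credentials): string {
  const privateKey = creds.privateKey!;
  return privateKey.includes('\\n') ? privateKey.replace(/\\n/g, '\n') : privateKey;
}

// After: validate first, then use the narrowed type with no assertion operator.
function loadKeyChecked(creds: Credentials): string {
  assertCanSign(creds);
  const privateKey = creds.privateKey;
  // Assumed purpose of line 63: turn literal "\n" sequences into real newlines.
  return privateKey.includes('\\n') ? privateKey.replace(/\\n/g, '\n') : privateKey;
}

// Helper for comparing the two failure modes without crashing the caller.
function describeFailure(fn: (c: Credentials) => string, creds: Credentials): string {
  try {
    fn(creds);
    return 'ok';
  } catch (e) {
    return e instanceof Error ? `${e.name}: ${e.message}` : String(e);
  }
}
```

Calling `assertCanSign` in the constructor of a trading-capable client, rather than only in the signing method, moves the failure to startup.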