Risk Level
HIGH
File
core/src/exchanges/limitless/auth.ts
Findings
- Line 60: return this.apiKey!;
  getApiKey() is called to authenticate every Limitless API request. If apiKey was never set (e.g., constructed with only a privateKey / wallet signer for on-chain operations), the non-null assertion only silences the compiler, so the method returns undefined typed as string. That value is then sent in the Authorization header, causing silent auth failures instead of a clear error.
What Happens When It's Wrong
All authenticated HTTP requests silently send Authorization: undefined, resulting in 401 responses with no developer-visible indication that the credential was never provided.
Suggested Fix
getApiKey(): string {
  if (!this.apiKey) throw new Error('[limitless] apiKey is required for authenticated requests');
  return this.apiKey;
}
Found by automated non-null assertion audit