Skip to content

Error messages leak internal details to clients #19

Description

@a6b8

Classification

  • Security hardening

Problem

e.message is returned directly to clients in several methods. Internal details such as RPC endpoints, contract state, and stack traces are exposed.

Affected Files

  • src/v2/exact/evm/ServerExact.mjs lines 488, 534, 597, 600, 605

Expected vs Actual

  • Expected: Generic error codes returned to clients, full details only in server logs
  • Actual: Raw exception messages reach the client

Recommendation

Sanitize error messages. Return generic codes (SETTLEMENT_FAILED, SIMULATION_FAILED), log details server-side only.

Severity

MEDIUM

Metadata

Metadata

Assignees

No one assigned

    Labels

    securitySecurity vulnerability or hardening

    Type

    No type

    Fields

    No fields configured for issues without a type.

    Projects

    No projects

    Milestone

    No milestone

    Relationships

    None yet

    Development

    No branches or pull requests

    Issue actions