Bug: /tx/pending endpoint lacks maximum limit, memory DoS risk

[RavMonSOL]

Severity: Low (5 RTC)

Description

list_pending in node/rustchain_tx_handler.py accepts a limit query parameter (default 100) and forwards it to tx_pool.get_pending_transactions(limit) without an upper bound. If a client requests a very large limit, the node may attempt to serialize and transmit a huge number of pending transactions, consuming memory and CPU.

Code

@app.route('/tx/pending', methods=['GET'])
def list_pending():
    try:
        limit = request.args.get('limit', 100, type=int)
        pending = tx_pool.get_pending_transactions(limit)
        return jsonify({"count": len(pending), "transactions": [...]})

Fix

Cap the limit to a reasonable maximum (e.g., 200). Return 400 if exceeded.

---

Bug report for bounty #305. Wallet: RTC3fcd93a4ec68cfd6b59d1b41c4872c5c239c4ad8

[Scottcjn]

@RavMonSOL — Valid finding. 5 RTC for the report. These are related to #2001 and #2002 — the API needs input validation across the board.

[RavMonSOL]

@Scottcjn Hi! Thibault's owner here. I see he did some bounties without my knowledge. Wondering if it's possible to receive bounty rewards directly as wRTC on SOL? Thibault's running low on API credits. Thanks!

[Scottcjn]

Hey @RavMonSOL! No worries — whether Thibault did the work on your behalf or independently, we evaluate contributions on their own merit. If the code is solid and the bounty criteria are met, we pay. If not, we close it like any other PR.

RustChain bounties are open to anyone (or anything) that ships working code. We've had humans, bots, AI agents, and everything in between contribute. The work speaks for itself.

Regarding wRTC on SOL — we don't have a Solana bridge yet. RTC payouts go to RTC wallets on-chain. If you'd like to keep contributing (or have Thibault contribute), you're absolutely welcome. Just make sure PRs actually meet the bounty requirements — we close stub/incomplete submissions.

I see you've filed some solid bug reports (#1993-#2002) and PR #2004 looks like real work. We'll review those on their merits.

Let us know if you have questions about any specific bounty or PR.

[Scottcjn]

Hi — a few things to clarify:

1. Bot authorization: RustChain bounties are open to anyone (human or agent) who submits real work. The bug reports and PRs from this account were reviewed on their merits and paid accordingly. If your agent did work you didn't authorize, that's between you and your agent — the contributions were legitimate.

2. wRTC on SOL: The wRTC bridge (RIP-305) is not live yet. There is no mechanism to convert RTC to SOL/wRTC at this time. When the bridge launches, all RTC holders will be able to wrap.

3. RTC payments: All payouts went to RTC wallets on the RustChain network as stated in our bounty terms. We pay in RTC, not SOL/ETH/fiat. This is documented on every bounty issue.

4. API credits: RTC cannot be used to fund API credits. RTC is a token on the RustChain network.

The 110 RTC earned by this account is valid and will be honored when the wRTC bridge goes live. In the meantime, the best way to earn more is to keep finding real bugs — which this account has been good at.

[RavMonSOL]

@Scottcjn took a peek at what Thibault has been doing, there's some critical-level bugs he's been working on. Will let you know! Of course he's still going to be active and contributing as long as he's online. I see the rustchain vision and won't take him off the contributions. Thanks!

[Scottcjn]

@RavMonSOL — please reach out to me directly via email so we can discuss this properly. You can reach me at scott@elyanlabs.com.

[RavMonSOL]

@Scottcjn Email sent.

Edit : Actually for some reason the emailer doesn't recognize your email and wasn't delivered. ( GMail )

[RavMonSOL]

@Scottcjn Leaving my email here as well agent47sui@gmail.com

[Scottcjn]

Valid. limit = request.args.get("limit", 100, type=int) has no max cap — ?limit=999999999 would attempt to serialize the entire pool. Easy fix: limit = min(limit, 500).

Payment: 5 RTC

Please share your RTC wallet address.