
Bounties can be posted without authentication - security risk #17

@crtahlin

Description


Problem

The `POST /api/v1/bounties` endpoint accepts requests without any authentication. Anyone can create a bounty with any poster address:

curl -X POST https://agents.datafund.io/api/v1/bounties \
  -H "Content-Type: application/json" \
  -d '{
    "poster": "0x0000000000000000000000000000000000000001",
    "title": "Fake bounty",
    "rewardAmount": "1000000000000000000000",
    "rewardToken": "ETH"
  }'

# Response: 200 OK - bounty created

No verification that:

  • The poster address is controlled by the requester
  • Any funds are actually available
  • The request is from a legitimate user

Security Risks

  1. Spam - Flood the bounties page with fake listings
  2. Impersonation - Create bounties appearing to be from known addresses
  3. Market manipulation - Create fake demand signals
  4. Phishing - Lure sellers with fake high-value bounties

Expected Behavior

Bounty creation should require:

  1. Wallet signature proving ownership of poster address
  2. OR API key authentication tied to verified wallet
  3. Rate limiting per IP/wallet as additional protection

Suggested Implementation

Option A: Wallet signature

// Request includes signed message
{
  "poster": "0x...",
  "signature": "0x...",  // Sign: "Create bounty: {title} for {amount}"
  "title": "...",
  ...
}
// Server verifies signature matches poster address

Option B: API key auth

curl -X POST .../bounties \
  -H "Authorization: Bearer {api_key}" \
  -d '...'

Option C: Rate limiting (minimum)

  • 1 bounty per IP per hour
  • Require email verification
  • CAPTCHA for web submissions
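As an added example, not code from this issue or from the datafund project: a server-side gate for `POST /api/v1/bounties` that combines Option B (an API key bound to an already-verified wallet) with Option C's "1 bounty per IP per hour" limit, using only the Python standard library. The class name `BountyAuth`, its method names, and the `0x1111...` address in the comments are assumptions made for the example; binding the key to a wallet is what enforces the acceptance criterion that a caller cannot post as another address.

```python
import hashlib
import secrets
import time

# Option C from the issue: at most one bounty per IP per hour.
RATE_LIMIT_WINDOW_SECONDS = 3600


class BountyAuth:
    """Option B (API key bound to a wallet) plus a per-IP rate limit.

    Only the SHA-256 of each API key is stored, so a leaked table does
    not leak usable credentials. Hypothetical class, not project code.
    """

    def __init__(self):
        self._key_digest_to_wallet = {}   # sha256(api_key) -> lowercase poster address
        self._last_accepted_by_ip = {}    # client IP -> unix time of last accepted bounty

    def issue_key(self, wallet_address):
        """Mint an API key for a wallet the operator has already verified."""
        api_key = secrets.token_urlsafe(32)
        digest = hashlib.sha256(api_key.encode()).hexdigest()
        self._key_digest_to_wallet[digest] = wallet_address.lower()
        return api_key

    def create_bounty(self, headers, body, client_ip, now=None):
        """Server-side gate for POST /api/v1/bounties. Returns (status, json)."""
        now = time.time() if now is None else now
        auth = headers.get("Authorization", "")
        if not auth.startswith("Bearer "):
            return 401, {"error": "API key required"}
        digest = hashlib.sha256(auth[len("Bearer "):].encode()).hexdigest()
        wallet = self._key_digest_to_wallet.get(digest)
        if wallet is None:
            return 401, {"error": "unknown API key"}
        # Acceptance criterion: the poster field must be the key's own wallet,
        # so a valid key cannot be used to impersonate another address.
        if str(body.get("poster", "")).lower() != wallet:
            return 403, {"error": "poster does not match authenticated wallet"}
        last = self._last_accepted_by_ip.get(client_ip)
        if last is not None and now - last < RATE_LIMIT_WINDOW_SECONDS:
            retry_after = int(RATE_LIMIT_WINDOW_SECONDS - (now - last))
            return 429, {"error": "rate limited", "retry_after": retry_after}
        self._last_accepted_by_ip[client_ip] = now
        return 200, {"poster": wallet, "title": body.get("title"),
                     "rewardAmount": body.get("rewardAmount"),
                     "rewardToken": body.get("rewardToken")}
```

The rejected request in the issue (no `Authorization` header) now gets a 401 instead of a 200, and a valid key whose `poster` field names a different address gets a 403.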

Acceptance Criteria

  • Bounty creation requires proof of poster address ownership
  • OR rate limiting prevents spam
  • Cannot impersonate other addresses

Labels: P3-low (Low: Polish and hardening), bug (Something isn't working)