Problem
The `POST /api/v1/bounties` endpoint accepts requests without any authentication. Anyone can create a bounty with any poster address:
```bash
curl -X POST https://agents.datafund.io/api/v1/bounties \
  -H "Content-Type: application/json" \
  -d '{
    "poster": "0x0000000000000000000000000000000000000001",
    "title": "Fake bounty",
    "rewardAmount": "1000000000000000000000",
    "rewardToken": "ETH"
  }'
# Response: 200 OK - bounty created
```
No verification that:
- The poster address is controlled by the requester
- Any funds are actually available
- The request is from a legitimate user
Security Risks
- Spam - Flood the bounties page with fake listings
- Impersonation - Create bounties appearing to be from known addresses
- Market manipulation - Create fake demand signals
- Phishing - Lure sellers with fake high-value bounties
Expected Behavior
Bounty creation should require:
- Wallet signature proving ownership of poster address
- OR API key authentication tied to verified wallet
- Rate limiting per IP/wallet as additional protection
Suggested Implementation
Option A: Wallet signature
```js
// Request includes signed message
{
  "poster": "0x...",
  "signature": "0x...", // Sign: "Create bounty: {title} for {amount}"
  "title": "...",
  ...
}
// Server verifies signature matches poster address
```
Option B: API key auth
```bash
curl -X POST .../bounties \
  -H "Authorization: Bearer {api_key}" \
  -d '...'
```
Option C: Rate limiting (minimum)
- 1 bounty per IP per hour
- Require email verification
- CAPTCHA for web submissions
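A sketch of how Options B and C could combine on the server, as an added example rather than code from this project: the API key resolves to a verified wallet, the `poster` in the body must equal that wallet, and each wallet gets one accepted bounty per hour. The key store, function names, status codes and the per-wallet window are assumptions.

```javascript
// Added example (not project code); every name and sample value is hypothetical.
const crypto = require("node:crypto");

const sha256hex = (s) => crypto.createHash("sha256").update(s).digest("hex");

// Constructed key store: only the hash of each API key is kept, mapped to the
// wallet that was verified when the key was issued.
const API_KEYS = new Map([
  [sha256hex("demo-key-alice"), "0x00000000000000000000000000000000000000a1"],
]);

const WINDOW_MS = 60 * 60 * 1000; // assumed limit: 1 bounty per wallet per hour
const lastAccepted = new Map(); // wallet -> time of last accepted bounty

function walletForKey(authHeader) {
  const m = /^Bearer ([A-Za-z0-9._-]+)$/.exec(authHeader || "");
  return m ? API_KEYS.get(sha256hex(m[1])) || null : null;
}

function authorizeBounty(authHeader, body, now = Date.now()) {
  const wallet = walletForKey(authHeader);
  if (!wallet) return { status: 401, error: "missing or invalid API key" };

  const poster = String((body && body.poster) || "").toLowerCase();
  if (!/^0x[0-9a-f]{40}$/.test(poster)) {
    return { status: 400, error: "malformed poster address" };
  }
  // The poster is whoever the key belongs to, never whatever the body claims.
  if (poster !== wallet) {
    return { status: 403, error: "poster is not the authenticated wallet" };
  }
  const last = lastAccepted.get(wallet);
  if (last !== undefined && now - last < WINDOW_MS) {
    return { status: 429, error: "rate limit exceeded" };
  }
  lastAccepted.set(wallet, now);
  return { status: 200, poster: wallet };
}
```

The request from the Problem section, sent with a valid key but someone else's `poster`, is rejected with 403 before the rate limiter is touched.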
Acceptance Criteria