From 84e0413d2945709baaa13bd93e53ea05d26192dd Mon Sep 17 00:00:00 2001 From: "copilot-swe-agent[bot]" <198982749+Copilot@users.noreply.github.com> Date: Sat, 28 Feb 2026 12:17:42 +0000 Subject: [PATCH 1/2] Initial plan From 04d84af3eb580af2476bc4e1e33768cec450871a Mon Sep 17 00:00:00 2001 From: "copilot-swe-agent[bot]" <198982749+Copilot@users.noreply.github.com> Date: Sat, 28 Feb 2026 12:21:14 +0000 Subject: [PATCH 2/2] Security: remove debug APIs from archive node configs; add SECURITY.md and update README Co-authored-by: numbers-official <181934381+numbers-official@users.noreply.github.com> --- SECURITY.md | 48 +++++++++++++++++++ avalanchego/configs/README.md | 14 ++++++ .../config.json | 7 +-- .../config.json | 11 ++--- 4 files changed, 66 insertions(+), 14 deletions(-) create mode 100644 SECURITY.md diff --git a/SECURITY.md b/SECURITY.md new file mode 100644 index 0000000..e39460e --- /dev/null +++ b/SECURITY.md 
@@ -0,0 +1,48 @@ +# Security Policy + +## Reporting a Vulnerability + +If you discover a security vulnerability in this project, please report it responsibly by opening a [GitHub Security Advisory](https://github.com/numbersprotocol/numbers-network/security/advisories/new) rather than a public issue. + +--- + +## Known Security Considerations + +### 1. Single Admin Address for Precompile Configurations + +**Risk: Critical** + +The genesis configurations (`chains/mainnet/genesis.json`, `chains/testnet/genesis.json`, `chains/devnet/genesis.json`) currently use a **single EOA (externally owned account)** as the admin address for all three critical precompile configurations simultaneously: + +- `contractDeployerAllowListConfig` — controls which addresses may deploy contracts +- `contractNativeMinterConfig` — controls native token minting +- `feeManagerConfig` — controls gas fee parameters + +**Impact:** A single compromised private key grants the ability to mint unlimited native tokens (catastrophic inflation), manipulate gas fees (DoS or economic manipulation), and control contract deployment (censorship). + +**Recommended Remediation (for new deployments):** + +1. Deploy a **multisig wallet** (e.g., [Gnosis Safe](https://safe.global/)) and use its address as the admin for each precompile. Require M-of-N signers for any admin action. +2. Use **separate admin addresses** for each precompile to limit the blast radius in case of key compromise. +3. Deploy a **timelock contract** wrapping the admin address so that critical operations have a mandatory delay, allowing time for intervention if a key is compromised. + +**For existing deployments:** Rotate the precompile admin addresses via an upgrade transaction from the current admin to a new multisig address, then renounce the original EOA admin role. + +--- + +### 2. 
Debug and Internal APIs on Archive Nodes + +**Risk: High** + +Exposing `debug-tracer`, `internal-eth`, `internal-blockchain`, `internal-transaction`, and `internal-tx-pool` APIs on publicly accessible nodes can leak sensitive internal node state, enable denial-of-service via expensive trace calls, and expose transaction pool contents. + +This has been **remediated** in this repository by removing these APIs from the archive node `eth-apis` lists: +- `avalanchego/configs/chains/2PDRxzc6jMbZSTLb3sufkVszgQc2jtDnYZGtDTAAfom1CTwPsE/config.json` (mainnet archive) +- `avalanchego/configs/chains/2oo5UvYgFQikM7KBsMXFQE3RQv3xAFFc8JY2GEBNBF1tp4JaeZ/config.json` (testnet archive) + +**Operational Guidance:** + +- If debug/internal APIs are required for operational purposes (e.g., tracing transactions for debugging), host a **dedicated internal node** with these APIs enabled and place it **behind a firewall or VPN**, not exposed to the public internet. +- **Never** expose debug APIs through a public-facing reverse proxy (e.g., Nginx). +- Bind `--http-host` to `127.0.0.1` (localhost) instead of `0.0.0.0` unless you explicitly intend to expose the RPC to all network interfaces. +- If public RPC access is required, use a reverse proxy with **rate limiting and authentication** for any sensitive endpoints. diff --git a/avalanchego/configs/README.md b/avalanchego/configs/README.md index 411fe3e..d44401a 100644 --- a/avalanchego/configs/README.md +++ b/avalanchego/configs/README.md 
@@ -30,12 +30,26 @@ The C-Chain configuration enables pruning to optimize storage usage: - Full historical data retention - Pruning disabled for complete blockchain history - Supports historical queries and provenance lookups +- Exposes only `eth`, `eth-filter`, `net`, and `web3` APIs **Validator Nodes** (`config-validator.json`): - Pruning enabled for optimal storage - Maintains recent state for validation - Reduced disk space requirements +## Security Recommendations + +### API Exposure +- **Do NOT** add `debug-tracer`, `internal-eth`, `internal-blockchain`, `internal-transaction`, or `internal-tx-pool` to the `eth-apis` list in publicly accessible node configurations. These APIs expose sensitive internal node state and tracing capabilities. +- If debug/internal APIs are required for operational purposes, restrict their use to nodes that are **not** exposed to the public internet (e.g., behind a firewall or VPN). +- When running AvalancheGo, bind `--http-host` to `127.0.0.1` instead of `0.0.0.0` to prevent unintended public exposure of the RPC endpoint. Only expose via a reverse proxy with appropriate access controls. + +### Precompile Admin Addresses +- Avoid using a single EOA (externally owned account) as the admin for multiple precompiles (`contractDeployerAllowListConfig`, `contractNativeMinterConfig`, `feeManagerConfig`). A single compromised key would grant full control over token minting, fee management, and contract deployment simultaneously. +- Use a **multisig wallet** (e.g., Gnosis Safe) as the admin address for each precompile. +- Use **separate admin addresses** for each precompile to limit blast radius in case of key compromise. +- Consider adding a **timelock contract** for critical admin operations to allow time for intervention in case of compromise. + ## Usage Copy the appropriate configuration files to your AvalancheGo installation: 
diff --git a/avalanchego/configs/chains/2PDRxzc6jMbZSTLb3sufkVszgQc2jtDnYZGtDTAAfom1CTwPsE/config.json b/avalanchego/configs/chains/2PDRxzc6jMbZSTLb3sufkVszgQc2jtDnYZGtDTAAfom1CTwPsE/config.json index 029f07c..87ceae5 100644 --- a/avalanchego/configs/chains/2PDRxzc6jMbZSTLb3sufkVszgQc2jtDnYZGtDTAAfom1CTwPsE/config.json +++ b/avalanchego/configs/chains/2PDRxzc6jMbZSTLb3sufkVszgQc2jtDnYZGtDTAAfom1CTwPsE/config.json @@ -5,11 +5,6 @@ "eth", "eth-filter", "net", - "web3", - "internal-eth", - "internal-blockchain", - "internal-transaction", - "internal-tx-pool", - "debug-tracer" + "web3" ] } diff --git a/avalanchego/configs/chains/2oo5UvYgFQikM7KBsMXFQE3RQv3xAFFc8JY2GEBNBF1tp4JaeZ/config.json b/avalanchego/configs/chains/2oo5UvYgFQikM7KBsMXFQE3RQv3xAFFc8JY2GEBNBF1tp4JaeZ/config.json index 7fe8927..1149645 100644 --- a/avalanchego/configs/chains/2oo5UvYgFQikM7KBsMXFQE3RQv3xAFFc8JY2GEBNBF1tp4JaeZ/config.json +++ b/avalanchego/configs/chains/2oo5UvYgFQikM7KBsMXFQE3RQv3xAFFc8JY2GEBNBF1tp4JaeZ/config.json @@ -3,13 +3,8 @@ "pruning-enabled": false, "eth-apis": [ "eth", - "eth-filter", - "net", - "web3", - "internal-eth", - "internal-blockchain", - "internal-transaction", - "internal-tx-pool", - "debug-tracer" + "eth-filter", + "net", + "web3" ] }
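Review bot: In the SECURITY.md hunk, section 1 is labelled "Risk: Critical" but never states whether the three genesis files still carry the single-EOA admin after this change, while section 2 explicitly says "This has been **remediated**"; add a one-line status to section 1 (for example "Status: open; the genesis admin addresses are unchanged by this change") so readers do not infer from the heading "Known Security Considerations" that both items have been fixed. The "For existing deployments" paragraph also refers to "an upgrade transaction" without naming the mechanism; either point at the precompile's own admin-management call or say that the procedure is chain-specific. Finally, the "Reporting a Vulnerability" section has no expected response window or supported-versions statement, which a security policy normally carries.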
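Review bot: In the README hunk, the new "Security Recommendations" section restates the guidance from SECURITY.md almost word for word (the API list, the `--http-host` advice, the multisig, separate-address and timelock points), so the two documents will drift the first time either is edited; keep the two-line "API Exposure" summary here and replace the rest with a link to SECURITY.md. The added bullet "Exposes only `eth`, `eth-filter`, `net`, and `web3` APIs" is a claim about the two archive `config.json` files, so name those paths next to it (as SECURITY.md does) so a reader can check the statement against the actual `eth-apis` list.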
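Review bot: The mainnet archive config hunk removes `debug-tracer` and the four `internal-*` APIs, but the README context in this same patch says archive nodes "Supports historical queries and provenance lookups", and nothing in the description says whether any provenance consumer calls a `debug_`-namespace method on this node. Confirm and document in the PR that no existing client of the mainnet archive endpoint depends on the removed APIs, since after this change those calls will fail rather than degrade. The remaining list (`"eth"`, `"eth-filter"`, `"net"`, `"web3"`) is well-formed JSON with no trailing comma, so the file itself looks correct.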
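Review bot: The testnet archive config hunk shows `"eth-filter"`, `"net"` and `"web3"` as removed and then re-added, which indicates a whitespace or indentation change on those lines in addition to the API removals; the mainnet hunk only touches the removed entries and the final `"web3"`. Either drop the whitespace churn so the diff shows exactly the five removed APIs, or note in the commit message that the testnet file's indentation was normalised to match the mainnet file, so the two archive configs are now byte-for-byte identical apart from the chain ID in the path.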