Security: remove debug APIs from public archive nodes; document precompile admin risks

SECURITY.md

@@ -0,0 +1,48 @@
+# Security Policy
+
+## Reporting a Vulnerability
+
+If you discover a security vulnerability in this project, please report it responsibly by opening a [GitHub Security Advisory](https://github.com/numbersprotocol/numbers-network/security/advisories/new) rather than a public issue.
+
+---
+
+## Known Security Considerations
+
+### 1. Single Admin Address for Precompile Configurations
+
+**Risk: Critical**
+
+The genesis configurations (`chains/mainnet/genesis.json`, `chains/testnet/genesis.json`, `chains/devnet/genesis.json`) currently use a **single EOA (externally owned account)** as the admin address for all three critical precompile configurations simultaneously:
+
+- `contractDeployerAllowListConfig` — controls which addresses may deploy contracts
+- `contractNativeMinterConfig` — controls native token minting
+- `feeManagerConfig` — controls gas fee parameters
+
+**Impact:** A single compromised private key grants the ability to mint unlimited native tokens (catastrophic inflation), manipulate gas fees (DoS or economic manipulation), and control contract deployment (censorship).
+
+**Recommended Remediation (for new deployments):**
+
+1. Deploy a **multisig wallet** (e.g., [Gnosis Safe](https://safe.global/)) and use its address as the admin for each precompile. Require M-of-N signers for any admin action.
+2. Use **separate admin addresses** for each precompile to limit the blast radius in case of key compromise.
+3. Deploy a **timelock contract** wrapping the admin address so that critical operations have a mandatory delay, allowing time for intervention if a key is compromised.
+
+**For existing deployments:** Rotate the precompile admin addresses via an upgrade transaction from the current admin to a new multisig address, then renounce the original EOA admin role.
+
+---
+
+### 2. Debug and Internal APIs on Archive Nodes
+
+**Risk: High**
+
+Exposing `debug-tracer`, `internal-eth`, `internal-blockchain`, `internal-transaction`, and `internal-tx-pool` APIs on publicly accessible nodes can leak sensitive internal node state, enable denial-of-service via expensive trace calls, and expose transaction pool contents.
+
+This has been **remediated** in this repository by removing these APIs from the archive node `eth-apis` lists:
+- `avalanchego/configs/chains/2PDRxzc6jMbZSTLb3sufkVszgQc2jtDnYZGtDTAAfom1CTwPsE/config.json` (mainnet archive)
+- `avalanchego/configs/chains/2oo5UvYgFQikM7KBsMXFQE3RQv3xAFFc8JY2GEBNBF1tp4JaeZ/config.json` (testnet archive)
+
+**Operational Guidance:**
+
+- If debug/internal APIs are required for operational purposes (e.g., tracing transactions for debugging), host a **dedicated internal node** with these APIs enabled and place it **behind a firewall or VPN**, not exposed to the public internet.
+- **Never** expose debug APIs through a public-facing reverse proxy (e.g., Nginx).
+- Bind `--http-host` to `127.0.0.1` (localhost) instead of `0.0.0.0` unless you explicitly intend to expose the RPC to all network interfaces.
+- If public RPC access is required, use a reverse proxy with **rate limiting and authentication** for any sensitive endpoints.

avalanchego/configs/README.md

@@ -30,12 +30,26 @@ The C-Chain configuration enables pruning to optimize storage usage:
 - Full historical data retention
 - Pruning disabled for complete blockchain history
 - Supports historical queries and provenance lookups
+- Exposes only `eth`, `eth-filter`, `net`, and `web3` APIs
 
 **Validator Nodes** (`config-validator.json`):
 - Pruning enabled for optimal storage
 - Maintains recent state for validation
 - Reduced disk space requirements
 
+## Security Recommendations
+
+### API Exposure
+- **Do NOT** add `debug-tracer`, `internal-eth`, `internal-blockchain`, `internal-transaction`, or `internal-tx-pool` to the `eth-apis` list in publicly accessible node configurations. These APIs expose sensitive internal node state and tracing capabilities.
+- If debug/internal APIs are required for operational purposes, restrict their use to nodes that are **not** exposed to the public internet (e.g., behind a firewall or VPN).
+- When running AvalancheGo, bind `--http-host` to `127.0.0.1` instead of `0.0.0.0` to prevent unintended public exposure of the RPC endpoint. Only expose via a reverse proxy with appropriate access controls.
+
+### Precompile Admin Addresses
+- Avoid using a single EOA (externally owned account) as the admin for multiple precompiles (`contractDeployerAllowListConfig`, `contractNativeMinterConfig`, `feeManagerConfig`). A single compromised key would grant full control over token minting, fee management, and contract deployment simultaneously.
+- Use a **multisig wallet** (e.g., Gnosis Safe) as the admin address for each precompile.
+- Use **separate admin addresses** for each precompile to limit blast radius in case of key compromise.
+- Consider adding a **timelock contract** for critical admin operations to allow time for intervention in case of compromise.
+
 ## Usage
 
 Copy the appropriate configuration files to your AvalancheGo installation:

avalanchego/configs/chains/2PDRxzc6jMbZSTLb3sufkVszgQc2jtDnYZGtDTAAfom1CTwPsE/config.json

@@ -5,11 +5,6 @@
         "eth",
         "eth-filter",
         "net",
-        "web3",
-        "internal-eth",
-        "internal-blockchain",
-        "internal-transaction",
-	"internal-tx-pool",
-        "debug-tracer"
+        "web3"
     ]
 }

avalanchego/configs/chains/2oo5UvYgFQikM7KBsMXFQE3RQv3xAFFc8JY2GEBNBF1tp4JaeZ/config.json

@@ -3,13 +3,8 @@
     "pruning-enabled": false,
     "eth-apis": [
         "eth",
-	"eth-filter",
-	"net",
-	"web3",
-	"internal-eth",
-	"internal-blockchain",
-	"internal-transaction",
-	"internal-tx-pool",
-	"debug-tracer"
+        "eth-filter",
+        "net",
+        "web3"
     ]
 }