chore: disable debug RPC namespace#390
Merged
HenryMBaldwin merged 1 commit intoJun 8, 2026
Merged
Conversation
Contributor
|
Disables the entire debug RPC namespace for privacy/security in Seismic nodes. Phase 1
LGTM otherwise. Disabling debug methods is a solid security measure for a privacy-focused client — these methods expose detailed execution traces, account state enumeration, and transaction replay capabilities that could compromise confidential transaction privacy. |
matthias-wright
changed the base branch from
seismic
to
veridise-audit-april-2026
HenryMBaldwin
merged commit eb57ddf
into
veridise-audit-april-2026
12 of 13 checks passed
samlaf
added a commit
that referenced
this pull request
Jun 16, 2026
… 1207) (#407) Trace-serving endpoints expose execution metadata — gas usage, revert paths, call-tree shape, touched addresses — that is a side channel on Seismic's private state even after payload sanitization strips calldata, return data, memory, stack, and storage diffs. We agree with the audit recommendation to disable tracing entirely rather than rely on sanitization alone. Prior state: debug_* was already removed wholesale at RPC startup (#390), and payload sanitizers were wired into every debug/trace handler (#354), with the sanitizer logic centralized in seismic-revm-inspectors. The gap the finding identifies is real — the trace_* namespace remained registrable, and ots_* (Otterscan) wraps the same tracing internals (ots_traceTransaction returned unsanitized call-tree data until #405). This removes the two remaining trace-serving namespaces at RPC startup, in one loop alongside debug_*, regardless of the operator's --http.api selection (so an explicit `--http.api trace,ots` cannot re-expose them): - trace_*: parity-style tracing; also honors a caller-supplied `from` without the sanitization eth_call applies - ots_*: Otterscan endpoints Defense in depth, should tracing ever be re-enabled: the payload sanitizers in crates/rpc/rpc/src/{debug,trace}.rs and the ots_* handler sanitization (#405, Veridise 1085) stay in place. The intent is that any future re-enablement serves only sanitized traces; fully unsanitized traces are meant only for local dev nodes (sanvil), where there is no private state to protect. If tracing is ever reintroduced, we will treat all returned metadata as sensitive and audit the sanitizers from first principles, including applying the same `from`-sanitization that eth_call uses. Add an e2e regression test that launches a node with all namespaces configured and asserts debug_*/trace_*/ots_* methods return method-not-found while eth_blockNumber still works; this also backfills coverage for the earlier debug_* removal, which shipped without a test. Also disable IPC on e2e test node launches (shared test_rpc_server_args helper): tests talk to nodes over local HTTP only, and the default IPC endpoint is a global /tmp socket that sandboxed environments forbid binding.
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
2 participants
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
No description provided.