fix(detectors): disable verification for decommissioned blocknative API #5097

Open
Tanmay9223 wants to merge 2 commits into trufflesecurity:main from Tanmay9223:fix-4982-blocknative-logicnodes

@Tanmay9223 Tanmay9223 commented Jul 1, 2026

Description:

The Blocknative gas estimation API was shut down on June 19, 2026. This PR disables the Blocknative credential verification logic in pkg/detectors/blocknative/blocknative.go since verification against the original issuer is no longer possible.

The original issue suggested migrating to a third-party LogicNodes endpoint as a drop-in replacement, but we explicitly rejected that approach because sending detected secrets to an unaffiliated third party introduces a severe security risk and changes the trust model of the scanner. Therefore, the detector now safely returns unverified (false, nil) for all detected Blocknative keys without making any network requests.

Closes #4982.

Checklist:

  • Tests passing (make test-community)?
  • Lint passing (make lint this requires golangci-lint)?
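
The trust-model rule argued for in the description above, sketched as an added example (not TruffleHog's code and not this PR's diff): a candidate secret is only ever sent to a host owned by its issuer, and a decommissioned issuer yields `(false, nil)` with no request. The names `issuerHosts`, `endpointAllowed`, `verify`, the `exampleapi` entry, the key and the URL path are assumptions made for illustration.

```go
package main

import (
	"context"
	"fmt"
	"net/url"
	"strings"
)

// issuerHosts is a hypothetical allowlist: detector name -> domains owned by
// the credential's issuer. An empty list marks a decommissioned issuer.
var issuerHosts = map[string][]string{
	"blocknative": {},                  // API shut down: nothing to verify against
	"exampleapi":  {"api.example.com"}, // constructed entry for illustration
}

// endpointAllowed reports whether a candidate secret may be sent to rawURL.
func endpointAllowed(detector, rawURL string) bool {
	u, err := url.Parse(rawURL)
	if err != nil || u.Scheme != "https" || u.User != nil {
		return false
	}
	host := strings.ToLower(u.Hostname())
	for _, d := range issuerHosts[detector] {
		// Match the domain itself or a true subdomain, never a bare suffix.
		if host == d || strings.HasSuffix(host, "."+d) {
			return true
		}
	}
	return false
}

// verify returns (false, nil) without any network call unless the endpoint
// belongs to the issuer; send stands in for the real HTTP request.
func verify(ctx context.Context, detector, endpoint, secret string,
	send func(ctx context.Context, endpoint, secret string) (bool, error)) (bool, error) {
	if !endpointAllowed(detector, endpoint) {
		return false, nil
	}
	return send(ctx, endpoint, secret)
}

func main() {
	calls := 0
	send := func(context.Context, string, string) (bool, error) { calls++; return true, nil }
	// Constructed key; the host is the third-party one named in this PR.
	ok, err := verify(context.Background(), "blocknative", "https://logicnodes.io/", "constructed-key", send)
	fmt.Println(ok, err, calls)
}
```
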

trufflesecurity#4982)

The Blocknative gas estimation API was shut down on June 19, 2026.
This commit migrates the blocknative credential verification to use
the drop-in replacement API provided by LogicNodes.

- Updated API endpoint from blocknative.com to logicnodes.io
- Updated request method to POST and added JSON payload
- Handled 402 Payment Required as an expected unverified response
@Tanmay9223 Tanmay9223 requested a review from a team July 1, 2026 11:59
@Tanmay9223 Tanmay9223 requested a review from a team as a code owner July 1, 2026 11:59
CLAassistant commented Jul 1, 2026

CLA assistant check
All committers have signed the CLA.

Comment thread pkg/detectors/blocknative/blocknative.go Outdated
Comment thread pkg/detectors/blocknative/blocknative.go Outdated
Removes the LogicNodes verification endpoint as it is a third-party service.
Since Blocknative API is shut down, verification is marked as unverified (false) to prevent credential leaks.

@cursor cursor Bot left a comment

Contributor

Cursor Bugbot has reviewed your changes and found 1 potential issue.

Reviewed by Cursor Bugbot for commit 370c19f. Configure here.

Comment thread pkg/detectors/blocknative/blocknative.go
@Tanmay9223 Tanmay9223 changed the title from "fix(detectors): migrate blocknative gas estimator to logicnodes" to "fix(detectors): disable verification for decommissioned blocknative API" Jul 1, 2026
Development

Successfully merging this pull request may close these issues.

Blocknative API shutting down June 19, 2026 — drop-in replacement available

2 participants