Bug: Unsafe bytes.fromhex() in /wallet/transfer/signed crashes on invalid signatures

[mtarcure]

Bug Report

Severity: Medium-High

Location

node/rustchain_v2_integrated_v2.2.1_rip200.py, line ~6075

Description

The /wallet/transfer/signed endpoint calls bytes.fromhex(signature) without input validation or error handling:

tx_hash = hashlib.sha256(message + bytes.fromhex(signature)).hexdigest()[:32]

If the signature field contains non-hexadecimal characters, bytes.fromhex() raises a ValueError which is unhandled, causing the route to return a 500 Internal Server Error instead of a proper 400 validation error.

Steps to Reproduce

curl -X POST https://rustchain.org/wallet/transfer/signed \
  -H "Content-Type: application/json" \
  -d '{
    "from_address": "RTCtest",
    "to_address": "RTCtest2",
    "amount_rtc": 1.0,
    "nonce": 1234567890,
    "signature": "NOT_VALID_HEX_STRING",
    "public_key": "test"
  }'

Expected Behavior

HTTP 400 with {"error": "Invalid signature format"} or similar validation error.

Actual Behavior

HTTP 500 Internal Server Error. Unhandled ValueError exception, potentially leaking stack trace information.

Impact

• Malformed requests cause 500 errors instead of proper 400 validation
• Potential information disclosure via stack traces in error responses
• Could be used for DoS by flooding with malformed signature requests
• Inconsistent error handling compared to other validated endpoints

Additional Issues Found

While reviewing the codebase, I also noticed:

1. Float precision in /wallet/history (lines ~5057-5059): Direct float division without rounding (int(amount_i64) / UNIT) where other endpoints use round(). Financial values should use explicit round(value, 6) for consistency with the documented 6-decimal precision.

2. Inconsistent UNIT constants: Mix of 1_000_000 and 1000000 across the codebase.

3. Memo truncation without notification (line ~6118): Memos are silently truncated at 80 characters with no client feedback.

Suggested Fix

# Validate signature format before use
try:
    sig_bytes = bytes.fromhex(signature)
except ValueError:
    return jsonify({"error": "Invalid signature format — must be hex string"}), 400

tx_hash = hashlib.sha256(message + sig_bytes).hexdigest()[:32]

Wallet for payout: wirework

[github-actions]

Welcome to RustChain! Thanks for opening your first issue.

New here? Check out these resources:

• CONTRIBUTING.md — how to earn RTC bounties
• Good First Issues — easy starter tasks (5-10 RTC)
• Bounty Board — all open bounties

Earn RTC tokens by contributing code, docs, or security fixes. Every merged PR gets paid!

1 RTC = $0.10 USD | pip install clawrtc to start mining

[mtarcure]

Wallet for payout: wirework

[Scottcjn]

Fixed on nodes 1 and 2. The bytes.fromhex() calls in /wallet/transfer/signed are now wrapped with early hex validation that returns a proper 400 response:

{"error": "Invalid signature format - must be valid hex", "code": "INVALID_HEX"}

Verified with a test request — invalid hex now returns 400 instead of 500.

Node 3 will get the fix on next sync.

Thanks for the report @mtarcure — 5 RTC bounty for the find. Please share your wallet address.

[Scottcjn]

Good catch. The address_from_pubkey() path at line 4794 was the real attack surface — non-hex public_key would crash with a 500.

Fixed and deployed to Node 1 (.131). Both address_from_pubkey() and the tx_hash computation at line 5028 now wrap bytes.fromhex() in try/except, returning clean 400 errors instead of 500 crashes.

Node restarted and healthy. Tested with invalid hex — returns invalid_from_address_format cleanly.

Reward: 10 RTC for a real security find. Please reply with your wallet address or miner ID.

Thank you @mtarcure — this is exactly the kind of contribution that makes RustChain stronger.

[Scottcjn]

Payment sent: 25 RTC → wirework

• 15 RTC for 11 PRs merged across 6 repos (Dependabot configs, CONTRIBUTING docs, lint/test workflows)
• 10 RTC for security bug Bug: Unsafe bytes.fromhex() in /wallet/transfer/signed crashes on invalid signatures #1434 (bytes.fromhex fix)

Tx: 998a91bf05cc288d3876cafb5192bf8c | Pending ID: 907
Confirms in 24 hours.

Thank you @mtarcure — quality contributor.

[Scottcjn]

@mtarcure — you've earned 88 RTC today across security, CI, tip bot, and shaprai bounties. Top contributor of the day.

Please set up a Beacon ID — it's our cryptographic identity protocol that ties your contributions to a verifiable identity:

pip install beacon-protocol
beacon init --name wirework
beacon heartbeat

Or generate manually:

from nacl.signing import SigningKey
import hashlib
key = SigningKey.generate()
pubkey = key.verify_key.encode().hex()
beacon_id = f"beacon-{hashlib.sha256(bytes.fromhex(pubkey)).hexdigest()[:16]}"
print(f"Beacon ID: {beacon_id}")
print(f"Public key: {pubkey}")

Share your Beacon ID here and we'll register it on the Atlas. Future payments will be tied to your verified identity.

https://github.com/Scottcjn/beacon-skill

[mtarcure]

Thanks for the great feedback! Our Beacon ID:

Beacon ID: beacon-5932a2da2e9bb170

Keys are set up and heartbeat is active. Ready for Atlas registration.

Wallet for payout: wirework

[Scottcjn]

This was already fixed on all 3 nodes — bytes.fromhex() calls in /wallet/transfer/signed are wrapped in try/except ValueError, returning proper 400 JSON errors with code INVALID_HEX.

Verified on all nodes:

• Node 1 (.131): ✅ returns {"code":"INVALID_HEX","error":"Invalid signature format"}
• Node 2 (.153): ✅ same
• Node 3 (Ryan's): ✅ same

No crash on malformed hex input.