From 68817accdaf9a214857d8af4550d361657641928 Mon Sep 17 00:00:00 2001
From: Mrthang0597
Date: Sun, 12 Oct 2025 09:34:45 +0700
Subject: [PATCH 1/4] Add contributor Mrthang0597
---
 _data/contributors/mrthang0597.json | 6 ++++++
 1 file changed, 6 insertions(+)
 create mode 100644 _data/contributors/mrthang0597.json
diff --git a/_data/contributors/mrthang0597.json b/_data/contributors/mrthang0597.json
new file mode 100644
index 000000000000..72cbb23ac741
--- /dev/null
+++ b/_data/contributors/mrthang0597.json
@@ -0,0 +1,6 @@
+{
+  "name": "MrThang0597",
+  "github": "Mrthang0597",
+  "contribution": "metadata update or data contribution",
+  "date": "2025-10-12"
+}
From 82fe47e3381cd824ec00130927e09855c2baf8c7 Mon Sep 17 00:00:00 2001
From: Mrthang0597
Date: Sun, 12 Oct 2025 09:59:49 +0700
Subject: [PATCH 2/4] Add MegaEth Demo Chain metadata by MrThang0597
---
 _data/chains/megaethdemo.json | 28 ++++++++++++++++++++++++++++
 1 file changed, 28 insertions(+)
 create mode 100644 _data/chains/megaethdemo.json
diff --git a/_data/chains/megaethdemo.json b/_data/chains/megaethdemo.json
new file mode 100644
index 000000000000..58095f90a5f6
--- /dev/null
+++ b/_data/chains/megaethdemo.json
@@ -0,0 +1,28 @@
+{
+  "name": "MegaEth Demo Chain",
+  "chain": "MegaEthDemo",
+  "rpc": ["https://rpc.megaethdemo.net"],
+  "faucets": ["https://faucet.megaethdemo.net"],
+  "nativeCurrency": {
+    "name": "MegaETH",
+    "symbol": "MEGA",
+    "decimals": 18
+  },
+  "infoURL": "https://megaethdemo.net",
+  "shortName": "megaethdemo",
+  "chainId": 99999,
+  "networkId": 99999,
+  "explorers": [
+    {
+      "name": "MegaEth Explorer",
+      "url": "https://explorer.megaethdemo.net",
+      "standard": "EIP3091"
+    }
+  ],
+  "contributors": [
+    {
+      "name": "MrThang0597",
+      "wallet": "0x14aF2F86971E8164bA7afe549C82a65668f7CbEc"
+    }
+  ]
+}
From d3e75b2518ab48ebde289618ab65edd317fd315f Mon Sep 17 00:00:00 2001
From: Mrthang0597
Date: Wed, 15 Oct 2025 14:28:45 +0700
Subject: [PATCH 3/4] Add Python security audit script, remove invalid demo JSON
---
 _data/chains/megaethdemo.json | 28 ------------
 scripts/security_audit.py | 86 +++++++++++++++++++++++++++++++++++
 2 files changed, 86 insertions(+), 28 deletions(-)
 delete mode 100644 _data/chains/megaethdemo.json
 create mode 100644 scripts/security_audit.py
diff --git a/_data/chains/megaethdemo.json b/_data/chains/megaethdemo.json
deleted file mode 100644
index 58095f90a5f6..000000000000
--- a/_data/chains/megaethdemo.json
+++ /dev/null
@@ -1,28 +0,0 @@
-{
-  "name": "MegaEth Demo Chain",
-  "chain": "MegaEthDemo",
-  "rpc": ["https://rpc.megaethdemo.net"],
-  "faucets": ["https://faucet.megaethdemo.net"],
-  "nativeCurrency": {
-    "name": "MegaETH",
-    "symbol": "MEGA",
-    "decimals": 18
-  },
-  "infoURL": "https://megaethdemo.net",
-  "shortName": "megaethdemo",
-  "chainId": 99999,
-  "networkId": 99999,
-  "explorers": [
-    {
-      "name": "MegaEth Explorer",
-      "url": "https://explorer.megaethdemo.net",
-      "standard": "EIP3091"
-    }
-  ],
-  "contributors": [
-    {
-      "name": "MrThang0597",
-      "wallet": "0x14aF2F86971E8164bA7afe549C82a65668f7CbEc"
-    }
-  ]
-}
diff --git a/scripts/security_audit.py b/scripts/security_audit.py
new file mode 100644
index 000000000000..40051a57513f
--- /dev/null
+++ b/scripts/security_audit.py
@@ -0,0 +1,86 @@
+import json
+import os
+import glob
+import re
+import requests
+from urllib.parse import urlparse
+
+CHAINS_DIR = "_data/chains"
+WHITELIST_RPC_DOMAINS = ["infura.io", "alchemyapi.io", "ankr.com", "cloudflare-eth.com"]
+
+def is_http_url_insecure(url):
+    return url.startswith("http://")
+
+def domain_from_url(url):
+    try:
+        return urlparse(url).netloc.lower()
+    except Exception:
+        return None
+
+def is_untrusted_domain(url):
+    domain = domain_from_url(url)
+    if domain:
+        return not any(d in domain for d in WHITELIST_RPC_DOMAINS)
+    return True
+
+def is_valid_ipfs(cid):
+    return re.fullmatch(r"[A-Za-z0-9]{46}", cid) is not None
+
+def audit_chain(chain, filename):
+    findings = []
+    cid = chain.get("chainId")
+    name = chain.get("name")
+
+    if cid == 1 and name != "Ethereum Mainnet":
+        findings.append(f"[ERROR] (unknown): ChainId 1 must be Ethereum Mainnet")
+
+    for url in chain.get("rpc", []):
+        if is_http_url_insecure(url):
+            findings.append(f"[ERROR] (unknown): Insecure RPC URL: {url}")
+        if is_untrusted_domain(url):
+            findings.append(f"[WARNING] (unknown): RPC domain not in trusted list: {url}")
+
+    if "explorers" in chain:
+        for exp in chain["explorers"]:
+            url = exp.get("url")
+            if url and is_http_url_insecure(url):
+                findings.append(f"[WARNING] (unknown): Explorer URL not HTTPS: {url}")
+
+    if "icon" in chain:
+        icon_path = f"_data/icons/{chain['icon']}.json"
+        if os.path.exists(icon_path):
+            with open(icon_path, "r", encoding="utf-8") as f:
+                icon_data = json.load(f)
+            for icon_entry in icon_data:
+                url = icon_entry.get("url", "")
+                if url.startswith("ipfs://"):
+                    cid = url.replace("ipfs://", "")
+                    if not is_valid_ipfs(cid):
+                        findings.append(f"[ERROR] (unknown): Invalid IPFS CID: {cid}")
+                elif is_http_url_insecure(url):
+                    findings.append(f"[WARNING] (unknown): Insecure icon URL: {url}")
+        else:
+            findings.append(f"[ERROR] (unknown): Icon metadata not found: {icon_path}")
+
+    return findings
+
+def run_audit():
+    print("🔍 Running metadata security audit...")
+    files = glob.glob(os.path.join(CHAINS_DIR, "*.json"))
+    total_findings = 0
+
+    for filepath in files:
+        with open(filepath, "r", encoding="utf-8") as f:
+            data = json.load(f)
+        findings = audit_chain(data, filepath)
+        for f in findings:
+            print(f)
+        total_findings += len(findings)
+
+    if total_findings == 0:
+        print("✅ No security issues found.")
+    else:
+        print(f"⚠️ Found {total_findings} security issues.")
+
+if __name__ == "__main__":
+    run_audit()
From 4ea9100486cb4aaa2f1d84bf8f8ac54ffffc8be6 Mon Sep 17 00:00:00 2001
From: Mrthang0597
Date: Wed, 15 Oct 2025 14:43:31 +0700
Subject: [PATCH 4/4] Add GitHub Actions to run security audit script
---
 .github/workflows/security-audit.yml | 30 ++++++++++++++++++++++++++++
 1 file changed, 30 insertions(+)
 create mode 100644 .github/workflows/security-audit.yml
diff --git a/.github/workflows/security-audit.yml b/.github/workflows/security-audit.yml
new file mode 100644
index 000000000000..50411bddf829
--- /dev/null
+++ b/.github/workflows/security-audit.yml
@@ -0,0 +1,30 @@
+name: Security Audit
+
+on:
+  push:
+    paths:
+      - '_data/chains/**'
+      - 'scripts/security_audit.py'
+  pull_request:
+    paths:
+      - '_data/chains/**'
+      - 'scripts/security_audit.py'
+
+jobs:
+  audit:
+    runs-on: ubuntu-latest
+
+    steps:
+      - name: Checkout code
+        uses: actions/checkout@v3
+
+      - name: Set up Python
+        uses: actions/setup-python@v4
+        with:
+          python-version: '3.12'
+
+      - name: Install dependencies
+        run: pip install requests
+
+      - name: Run security audit script
+        run: python scripts/security_audit.py
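Review bot: The allow-list test in `is_untrusted_domain` is a plain substring match (`d in domain`), so an RPC host such as `infura.io.attacker.net` or `evil-ankr.com` is reported as trusted, and because `domain_from_url` returns `netloc` rather than `hostname`, a `user:pass@` prefix or an explicit port is kept in the compared string; compare `urlparse(url).hostname` against each entry exactly or as a dot-bounded suffix, as in the excerpt below. Two smaller defects in the same file: `audit_chain` receives `filename` but every finding is emitted with the literal `(unknown)`, so the report never names the offending chain file (`f"[ERROR] {filename}: ..."`), and `run_audit` only prints the count, so the process exits 0 even when errors are found — end it with `sys.exit(1 if total_findings else 0)` after adding `import sys`. `is_http_url_insecure` also misses `HTTP://` and non-https schemes such as `ws://`, so checking `urlparse(url).scheme.lower() != "https"` would be stricter, and the CIDv0-only pattern in `is_valid_ipfs` presumably rejects longer CIDv1 (`bafy...`) icons — confirm against the icon files before relying on it.
```python
def domain_from_url(url):
    try:
        host = urlparse(url).hostname
    except ValueError:
        return None
    return host.lower() if host else None

def is_untrusted_domain(url):
    host = domain_from_url(url)
    if not host:
        return True
    # exact host or a dot-bounded subdomain of an allow-listed domain;
    # a bare substring test would accept "infura.io.attacker.net"
    return not any(host == d or host.endswith("." + d) for d in WHITELIST_RPC_DOMAINS)
```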
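Review bot: The `Install dependencies` step pulls an unpinned `requests` from PyPI on every run, yet nothing in `scripts/security_audit.py` calls it (the module is imported and never used), so the step adds a network fetch and a third-party dependency to the audit for no benefit — drop the step and the import. The workflow also declares no `permissions:` block and references `actions/checkout@v3` and `actions/setup-python@v4` by mutable tag; for a check that runs on every pull request, add `permissions:` / `  contents: read` at the top level and pin both actions to full commit SHAs. As written the job can never fail on findings, because the script only prints a count and exits 0, so this workflow is informational until the script returns a non-zero status.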