🔍 Vulnerability Description
A CRITICAL severity vulnerability has been identified in the frontend application that exposes users' raw private keys to the browser console and application logs. Additionally, a High-severity logic flaw was found in the Admin API that lacks cryptographic validation.
🚨 Critical Findings
1. Plaintext Private Key Leak (CWE-532)
Severity: CRITICAL (CVSS 9.0-10.0)
Location: frontend/src/solanaRPC.ts (Line 483)
Vulnerability Type: Information Exposure Through Log Files
Description:
The sendToken method explicitly logs the user's plaintext private key to console.log when a key length validation error occurs. This allows malicious browser extensions, third-party logging scripts (Sentry, LogRocket), or local attackers to harvest full wallet credentials.
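The pattern described above, as an added example that is not the repository's code (the actual sendToken body is not reproduced on this page): the vulnerable length check that logs the key itself, a hardened check that logs only the observed and expected lengths, a redacting log sink that masks long hex runs as a backstop while the rest of the frontend's console.log calls are audited, and a capture helper that a Jest test can use to assert the secret never reaches the log. The 128-character hex key format, the function names and the log messages are assumptions.

```typescript
// Added example, not code from the AIxBlock repository. The real sendToken
// body is not on the page; function shapes, key encoding and messages are
// assumptions chosen to illustrate the CWE-532 pattern and its fix.

type LogSink = (...args: unknown[]) => void;

// Assumption: a 64-byte Solana secret key carried as a 128-char hex string.
const EXPECTED_KEY_HEX_LEN = 128;

// Vulnerable shape. The secret is passed as a log argument, so anything that
// observes the console (extensions, Sentry/LogRocket breadcrumbs, persisted
// browser or CI logs) receives the full key on the error path.
export function validateKeyVulnerable(privateKey: string, log: LogSink): boolean {
  if (privateKey.length !== EXPECTED_KEY_HEX_LEN) {
    log("privatekey", privateKey); // the leak: raw secret into the log
    return false;
  }
  return true;
}

// Hardened shape. Only non-secret facts about the failure are logged:
// observed length and expected length, never the value itself.
export function validateKeyHardened(privateKey: string, log: LogSink): boolean {
  if (privateKey.length !== EXPECTED_KEY_HEX_LEN) {
    log("private key rejected: unexpected length", {
      got: privateKey.length,
      want: EXPECTED_KEY_HEX_LEN,
    });
    return false;
  }
  if (!/^[0-9a-fA-F]+$/.test(privateKey)) {
    log("private key rejected: non-hex characters present");
    return false;
  }
  return true;
}

// Backstop for the console.log audit: mask any run of 64+ hex characters in
// string arguments before they are written. This catches accidental dumps of
// keys and signatures, but not short or base58 values (the page's PoC value
// "12345" would pass through), so it complements removing the offending
// log calls rather than replacing that fix.
const HEX_SECRET = /[0-9a-fA-F]{64,}/g;

export function redactSecrets(text: string): string {
  return text.replace(HEX_SECRET, "[REDACTED]");
}

export function redactingSink(inner: LogSink): LogSink {
  return (...args) =>
    inner(...args.map((a) => (typeof a === "string" ? redactSecrets(a) : a)));
}

// Regression check for a Jest test: run a validator against a capturing sink
// and report whether the secret appears anywhere in what would have been logged.
export function leaksSecret(
  validate: (key: string, log: LogSink) => boolean,
  secret: string,
): boolean {
  const captured: string[] = [];
  const sink: LogSink = (...args) => {
    captured.push(
      args.map((a) => (typeof a === "string" ? a : JSON.stringify(a))).join(" "),
    );
  };
  validate(secret, sink);
  return captured.some((line) => line.includes(secret));
}
```

In a Jest suite the two leaksSecret calls become the assertion that fails on the vulnerable validator and passes on the hardened one, which is the shape of regression test worth keeping after the PR lands: it fails again if anyone reintroduces a log of the key on any error path, not just the length check.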
2. Admin API Parameter Tampering (Unsigned Withdrawal Destination)
Severity: HIGH
Location: frontend/src/pages/Admin/CryptoPayment/WithdrawForm/Index.tsx
**Description:** The adminWithdrawCrypto function sends a POST request containing only the walletAddress to the backend. Nothing in the request appears to bind that destination to the admin who is supposed to be authorizing it: there is no signed message over the destination (and amount) and no second factor, so the server has only the session to go on. Anyone holding a valid admin session, whether a hijacked session or a rogue admin, can substitute an arbitrary walletAddress and drain platform funds without 2FA or signature verification. This is a missing authorization/integrity control on the request rather than a classic IDOR: the tampered parameter is where the money goes, not the identifier of an object the caller should not be able to reach.
🧠 Impact Assessment
Private Key Leak
**Risk:** CRITICAL
Total compromise of user funds.
Permanent loss of assets for any user triggering this error state.
Compliance violation (GDPR/CCPA) regarding handling of sensitive secrets.
Admin API
**Risk:** HIGH
Potential for unauthorized platform treasury drainage.
Lack of non-repudiation (server cannot prove who authorized the withdrawal).
📷 Evidence & PoC
Reproduction Script (tests/poc_key_leak.ts): I have created and verified a Jest test script that mocks the Web3Auth provider to return an invalid key length.
**Result:** The test confirms that the application outputs console.log("privatekey", "12345") to standard output.
✅ Recommended Fixes
**For Finding 1 (Key Leak):**
Action: Remove the console.log statement immediately.
Status: FIXED (See PR below).
**For Finding 2 (Admin API):**
Action: Require every withdrawal request to carry proof that the admin, not merely the session, authorized this specific transfer: either a signature, verified server-side against the admin's registered public key, over the destination address, amount and a single-use nonce/timestamp, or a TOTP code in the request body that the server verifies before executing the withdrawal. Either way the check must live on the server; a check added only to WithdrawForm can be bypassed by replaying the POST directly.
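One way to implement the signed-request variant of this fix, as an added example and not the project's own API (the page shows only that the POST carries walletAddress). It assumes each admin holds an Ed25519 key pair whose public key the server knows; the request shape, field names, domain prefix and 300-second freshness window are assumptions. The signature covers the destination, amount, a single-use nonce and a timestamp, so a captured session cannot be used to redirect funds, replay a withdrawal, or submit an old one, and the server keeps a signature it can later attribute to a specific admin.

```typescript
import { generateKeyPairSync, randomBytes, sign as ed25519Sign, verify as ed25519Verify } from "node:crypto";
import type { KeyObject } from "node:crypto";

// Added example, not the project's API. Assumed: each admin has an Ed25519
// key pair, the server stores their public keys, and the request shape below.

export interface WithdrawRequest {
  walletAddress: string; // destination of the transfer
  amount: string;        // smallest unit as a decimal string (assumed)
  nonce: string;         // single-use random value
  issuedAt: number;      // unix seconds
}

export interface SignedWithdrawRequest extends WithdrawRequest {
  adminId: string;
  signature: string;     // base64 Ed25519 signature over canonicalize(...)
}

// Fixed field order plus a domain prefix, so client and server sign identical
// bytes and a signature cannot be reused for some other message type.
// Fields must not contain the separator, otherwise two requests could
// canonicalize to the same bytes.
export function canonicalize(req: WithdrawRequest, adminId: string): Buffer {
  const fields = [adminId, req.walletAddress, req.amount, req.nonce, String(req.issuedAt)];
  if (fields.some((f) => f.includes("|"))) throw new Error("field contains separator");
  return Buffer.from(["admin-withdraw", "v1", ...fields].join("|"), "utf8");
}

// Client side: the admin's browser signs the exact payload it is about to send.
export function signWithdraw(req: WithdrawRequest, adminId: string, privateKey: KeyObject): SignedWithdrawRequest {
  const signature = ed25519Sign(null, canonicalize(req, adminId), privateKey).toString("base64");
  return { ...req, adminId, signature };
}

export type VerifyResult = "ok" | "unknown-admin" | "stale" | "replay" | "bad-signature";

// Server side: freshness, replay and signature checks, in that order, before
// any funds move. The nonce set is in-memory here; a real deployment keeps it
// in a shared store so every backend instance sees it (assumption).
export class WithdrawVerifier {
  private readonly adminKeys: Map<string, KeyObject>;
  private readonly maxAgeSec: number;
  private readonly seenNonces = new Set<string>();

  constructor(adminKeys: Map<string, KeyObject>, maxAgeSec = 300) {
    this.adminKeys = adminKeys;
    this.maxAgeSec = maxAgeSec;
  }

  verify(req: SignedWithdrawRequest, nowSec: number = Math.floor(Date.now() / 1000)): VerifyResult {
    const publicKey = this.adminKeys.get(req.adminId);
    if (!publicKey) return "unknown-admin";
    if (Math.abs(nowSec - req.issuedAt) > this.maxAgeSec) return "stale";
    if (this.seenNonces.has(req.nonce)) return "replay";
    const ok = ed25519Verify(null, canonicalize(req, req.adminId), publicKey, Buffer.from(req.signature, "base64"));
    if (!ok) return "bad-signature";
    this.seenNonces.add(req.nonce); // record only once the signature is known good
    return "ok";
  }
}

export function newAdminKeyPair(): { publicKey: KeyObject; privateKey: KeyObject } {
  return generateKeyPairSync("ed25519");
}

export function newNonce(): string {
  return randomBytes(16).toString("hex");
}

// Scenario with constructed data: a legitimate request, its replay, a copy whose
// destination was swapped after signing (what a session hijacker can do without
// the admin's key), and a request signed an hour ago.
export function runScenario(): Record<string, VerifyResult> {
  const { publicKey, privateKey } = newAdminKeyPair();
  const verifier = new WithdrawVerifier(new Map([["admin-1", publicKey]]));
  const now = 1700000000;
  const base = { walletAddress: "7xLegitDestination", amount: "5000000", issuedAt: now };

  const good = signWithdraw({ ...base, nonce: newNonce() }, "admin-1", privateKey);
  const tampered = {
    ...signWithdraw({ ...base, nonce: newNonce() }, "admin-1", privateKey),
    walletAddress: "9zAttackerAddress",
  };
  const stale = signWithdraw({ ...base, nonce: newNonce(), issuedAt: now - 3600 }, "admin-1", privateKey);

  return {
    good: verifier.verify(good, now + 5),
    replay: verifier.verify(good, now + 6),
    tampered: verifier.verify(tampered, now + 5),
    stale: verifier.verify(stale, now + 5),
  };
}
```

runScenario() accepts only the first request; the replay, the redirected copy and the stale one are rejected with distinct reasons the server can log without exposing anything sensitive. For the TOTP alternative the code must likewise be checked on the server and consumed once, but a TOTP proves possession of the second factor, not that the admin saw this destination and amount, so the signed payload is the variant that also gives the non-repudiation the impact section asks for.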
🛠 Remediation Steps
Merge the Pull Request linked below to stop the active leak.
Rotate any developer/test wallets that may have been used in production environments where logs are persisted.
Audit all other console.log statements in the frontend/ directory for sensitive data.
📄 Bug Bounty Submission Details
Submitted by: @TobieTom
Submission Date: December 19, 2025
Related PR: #395 (Fix implemented and verified)
Repository: AIxBlock-2023/aixblock-ai-dev-platform-public
Expected Reward Tier:
Private Key Leak: CRITICAL severity - $750 + Tokens
Admin API Flaw: HIGH severity - Bonus/Multiplier
🔗 Additional Resources
[CWE-532: Insertion of Sensitive Information into Log File](https://cwe.mitre.org/data/definitions/532.html)
[OWASP Top 10: Cryptographic Failures](https://owasp.org/Top10/A02_2021-Cryptographic_Failures/)