Files
neuron-tai/.scratch/alpha-hardening/issues/11-c6-wallet-binding-proof.md
D.Popov 68e057209c Add alpha-hardening ADRs and issue plan from pre-release audit.
Lock alpha scope, tracker auth, TOPLOC fraud verification, and deferred multi-tracker money-path work; supersede legacy fraud issues with ADR-0018.

Co-authored-by: Cursor <cursoragent@cursor.com>
2026-07-04 23:12:09 +03:00

1.6 KiB
Raw Blame History

Status: ready-for-agent

11 — C6: Wallet binding ownership proof + binding overwrite safety

What to build

POST /v1/wallet/register binds a client Solana wallet to an API key for deposit attribution. Today any Bearer key can bind any wallet string without proving ownership. Prevent hijack and accidental overwrite.

Code refs:

  • packages/tracker/meshnet_tracker/server.py_handle_wallet_register (~26252648)
  • packages/tracker/meshnet_tracker/billing.pybind_wallet (~153+), _wallet_bindings / direct overwrite on apply (~351)

Require signed message from wallet pubkey (ed25519 via cryptography / solders). Reject rebinding without admin or signed release. Use explicit overwrite policy — today ~351 overwrites binding directly; gossip apply must reject conflicting binds instead of silently clobbering.

Test-first

  1. Red: bind wallet A with only API key, no signature — must fail after fix.
  2. Red: wallet already bound to key1; key2 cannot steal without proof.
  3. Green: valid signature binds; deposit watcher credits correct API key.

Acceptance criteria

  • Wallet binding requires cryptographic proof of pubkey ownership
  • One wallet → one API key (or documented admin override)
  • Gossip bind events cannot overwrite existing binding via direct overwrite at ~351
  • Tests with deterministic keypairs (local adapter)

Blocked by

  • 02-a2-unified-auth-boundary.md
  • 03-c5-starting-credit-zero.md