Bug: OTC bridge cancel/match endpoints lack cryptographic authentication
Severity: HIGH
Description
The OTC bridge API endpoints for order matching and cancellation verify identity by wallet address only, without any cryptographic proof of ownership:
    # cancel_order: the only ownership check is a string comparison of the
    # caller-supplied wallet against the order's maker wallet
    if order["maker_wallet"] != wallet:
        return jsonify({"error": "Only the order creator can cancel"}), 403
Impact
- Unauthorized cancellation: Wallet addresses are public (visible in order book). Anyone who knows a maker's wallet address can cancel their orders.
- Unauthorized matching: Anyone can match orders as a taker by providing any wallet address.
- Order manipulation: Attackers can cancel competitors' orders to manipulate the order book.
- Wallet validation is minimal: Only requires len(wallet) > 3 — accepts almost any string.
Suggested Fix
- Ed25519 signature verification — require a signed message proving wallet ownership
- Session-based auth — require login before trading
- Stricter wallet validation — verify RTC or 0x format, not just length > 3
- Order authentication — orders should be bound to a public key, not just a wallet string
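The following is an added example of the suggested fix, not code from the report or the OTC bridge project. It assumes (none of this is stated in the report) that each order stores the maker's Ed25519 public key as hex under a hypothetical "maker_pubkey" field, that the client signs the canonical string "cancel|<order_id>|<wallet>|<timestamp>", and that valid wallets are "RTC" or "0x" followed by 40 hex characters. It shows the vulnerable wallet-string comparison replaced by format validation, a signature check against the key bound to the order, and a timestamp window so a captured signature cannot be replayed later.

```python
"""Added example (not the project's code): Ed25519-authenticated cancel requests.

Assumed, not from the report: orders carry "maker_pubkey" (hex Ed25519 key),
the signed message is "cancel|<order_id>|<wallet>|<ts>", and wallets match
"RTC"/"0x" + 40 hex chars.
"""
import re
import time

from cryptography.exceptions import InvalidSignature
from cryptography.hazmat.primitives import serialization
from cryptography.hazmat.primitives.asymmetric.ed25519 import (
    Ed25519PrivateKey,
    Ed25519PublicKey,
)

# Assumed address formats: replaces the report's `len(wallet) > 3` check.
WALLET_RE = re.compile(r"^(RTC|0x)[0-9a-fA-F]{40}$")
MAX_SKEW = 120  # seconds a signed request stays valid (bounds replay)


def is_valid_wallet(wallet):
    return isinstance(wallet, str) and WALLET_RE.match(wallet) is not None


def cancel_message(order_id, wallet, ts):
    # Canonical bytes both sides sign/verify; includes the order id and
    # timestamp so a signature cannot be reused for another order or later.
    return f"cancel|{order_id}|{wallet}|{ts}".encode()


def sign_cancel(priv, order_id, wallet, ts):
    # Client side: the maker proves key possession by signing the message.
    return priv.sign(cancel_message(order_id, wallet, ts)).hex()


def verify_cancel(order, req, now=None):
    """Server side. Returns (ok, reason). Checks format, ownership by
    signature (not by wallet string alone), and freshness."""
    now = time.time() if now is None else now
    wallet = req.get("wallet")
    if not is_valid_wallet(wallet):
        return False, "invalid wallet format"
    if order["maker_wallet"] != wallet:
        return False, "Only the order creator can cancel"
    try:
        ts = int(req["ts"])
        sig = bytes.fromhex(req["signature"])
    except (KeyError, TypeError, ValueError):
        return False, "malformed request"
    if abs(now - ts) > MAX_SKEW:
        return False, "stale signature"
    # The order is bound to a public key at creation time; verify against it.
    pub = Ed25519PublicKey.from_public_bytes(bytes.fromhex(order["maker_pubkey"]))
    try:
        pub.verify(sig, cancel_message(order["id"], wallet, ts))
    except InvalidSignature:
        return False, "bad signature"
    return True, "ok"


def demo():
    """Maker succeeds; someone who only knows the public wallet string fails;
    a captured request replayed after the window fails."""
    priv = Ed25519PrivateKey.generate()
    pub_hex = priv.public_key().public_bytes(
        serialization.Encoding.Raw, serialization.PublicFormat.Raw
    ).hex()
    wallet = "RTC" + "ab" * 20  # constructed sample address
    order = {"id": "ord-1", "maker_wallet": wallet, "maker_pubkey": pub_hex}
    ts = int(time.time())
    good = {"wallet": wallet, "ts": ts,
            "signature": sign_cancel(priv, "ord-1", wallet, ts)}
    forged = {"wallet": wallet, "ts": ts, "signature": "00" * 64}
    return {
        "maker": verify_cancel(order, good, now=ts)[0],
        "forged": verify_cancel(order, forged, now=ts)[0],
        "replayed": verify_cancel(order, good, now=ts + MAX_SKEW + 1)[0],
    }


if __name__ == "__main__":
    print(demo())
```

The same pattern applies to the match endpoint: the taker signs "match|<order_id>|<taker_wallet>|<ts>" with a key registered for that wallet, so supplying an arbitrary wallet string is no longer enough to act as the taker.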
Wallet: RTC9d7caca3039130d3b26d41f7343d8f4ef4592360