Remove SideShift privateKey from env config#6024
Open
j0ntz wants to merge 1 commit into
Open
Conversation
The SideShift affiliate account was compromised. SideShift confirmed the swap integration works identically without the privateKey, so stop validating and injecting it (it was sent as the x-sideshift-secret header). Account rotation to a new affiliateId is handled operationally.
Contributor
Author
📸 Test evidenceagent proof 1214800712844381 01 app running new bundle
agent proof 1214800712844381 02 sideshift swap configured
Captured by the agent's in-app test run (build-and-test). |
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
1 participant
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
CHANGELOG
Does this branch warrant an entry to the CHANGELOG?
Dependencies
noneDescription
SideShift hack followup. The SideShift affiliate account was compromised, so we
stop sending the affiliate secret. This removes the
privateKeyfield that wasadded to
SIDESHIFT_INITin env config by #5369. The SideShift swap pluginsends that value as the
x-sideshift-secretheader; with the field gone theheader is omitted. SideShift confirmed the integration works identically without
it (the
affiliateIdquery param is what tracks affiliate commission). Rotatingto a new affiliate account/
affiliateIdand removing the secret from theproduction env are handled operationally, outside this repo.
Asana: https://app.asana.com/0/1215088146871429/1214800712844381
Verification.
tsc --noEmitandverify-repo(eslint + jest) pass.sideshiftcore plugininitializes (the modified
SIDESHIFT_INITcleaner validates at startup) andthe in-app SideShift swap path (BTC -> AVAX) is reachable. See screenshots.
x-sideshift-secretheader):GET https://sideshift.ai/api/v2/pair/btc-bitcoin/eth-ethereumreturns HTTP 200 with a valid rate, confirming SideShift accepts header-less
requests. Driving the on-chain swap to settlement was skipped (real funds plus
debug-build keypad instability); the change is behavior-neutral.
Requirements
If you have made any visual changes to the GUI. Make sure you have:
Note
Low Risk
Narrow config/schema change aligned with a security incident; swap behavior is intended to be unchanged aside from omitting the secret header.
Overview
Removes the compromised SideShift affiliate secret from app configuration after the affiliate account was compromised.
SIDESHIFT_INITinenvConfig.tsno longer accepts aprivateKeyfield—only optionalaffiliateIdremains. That value was passed into the SideShift swap plugin as thex-sideshift-secretheader; without it, requests omit the header whileaffiliateIdstill tracks commissions, per SideShift. The unreleased CHANGELOG entry documents the behavior change.Reviewed by Cursor Bugbot for commit e09cc5d. Bugbot is set up for automated code reviews on this repo. Configure here.