SoyFinance / smart-contracts


BUG REPORT: Sensitive Hardcoded Information Leakage. #3

Closed saansaan closed 2 years ago

saansaan commented 2 years ago

Hello Team, I have found that you are using Infura, and https://github.com/SoyFinance/Soy.Finance/blob/master/env.example in the above GitHub repo is disclosing the Infura key and other sensitive information too. These keys and other information can be used for setting up configuration, and the Infura API key is used to communicate with the Ethereum blockchain. So this can potentially lead to an attacker taking over the ownership.

endpoint: https://github.com/SoyFinance/Soy.Finance/blob/master/env.example

Disclosed data

INFURA_KEY="502d11021c8141edb0a1c958d6c1ce2f"
NETWORK="rinkeby"
CONTRACT_ADDRESS="0x6117EADde4101Eab66297D987AbF9de1Ef45d6ad"
OWNER_ADDRESS="0x264A76bf31c56f55b6e22f25b9E957cf1DD627e7"
FORTMATICS_KEY="pk_live_1B00A4ADCB8FC172"

Dexaran commented 2 years ago

@saansaan the reported issue is being investigated. However, it is not in any way related to the bug bounty for Soy Contracts. It's out of scope.

saansaan commented 2 years ago

It falls under the scoped code, and these data are being used by Soy. So how can this not be a part of the bug bounty? It's leaking the data to the open panel.