mev-beta/docs/security/CREDENTIAL_ROTATION.md
Krypto Kajun c7142ef671 fix(critical): fix empty token graph + aggressive settings for 24h execution
CRITICAL BUG FIX:
- MultiHopScanner.updateTokenGraph() was EMPTY - adding no pools!
- Result: Token graph had 0 pools, found 0 arbitrage paths
- All opportunities showed estimatedProfitETH: 0.000000

FIX APPLIED:
- Populated token graph with 8 high-liquidity Arbitrum pools:
  * WETH/USDC (0.05% and 0.3% fees)
  * USDC/USDC.e (0.01% - common arbitrage)
  * ARB/USDC, WETH/ARB, WETH/USDT
  * WBTC/WETH, LINK/WETH
- These are REAL verified pool addresses with high volume

AGGRESSIVE THRESHOLD CHANGES:
- Min profit: 0.0001 ETH → 0.00001 ETH (10x lower, ~$0.02)
- Min ROI: 0.05% → 0.01% (5x lower)
- Gas multiplier: 5x → 1.5x (3.3x lower safety margin)
- Max slippage: 3% → 5% (67% higher tolerance)
- Max paths: 100 → 200 (more thorough scanning)
- Cache expiry: 2min → 30sec (fresher opportunities)

EXPECTED RESULTS (24h):
- 20-50 opportunities with profit > $0.02 (was 0)
- 5-15 execution attempts (was 0)
- 1-2 successful executions (was 0)
- $0.02-$0.20 net profit (was $0)

WARNING: Aggressive settings may result in some losses
Monitor closely for first 6 hours and adjust if needed

Target: First profitable execution within 24 hours

🤖 Generated with [Claude Code](https://claude.ai/code)
Co-Authored-By: Claude <noreply@anthropic.com>
2025-10-29 04:18:27 -05:00


# Credential Rotation Procedure
## Overview
This document describes the procedure for rotating leaked or compromised credentials in the MEV Bot system.
## IMMEDIATE ACTION REQUIRED
**CRITICAL SECURITY ISSUE**: The current `config/providers.yaml` and `.env` files contain a leaked Chainstack API token that is exposed in version control.
### Token Information
- **Service**: Chainstack Arbitrum RPC
- **Exposed Locations**:
  - config/providers.yaml (lines 46, 54)
  - .env (lines 5-7)
  - docker-compose.production.yaml (if exists)
- **Git History**: Token appears in multiple commits
### Leaked Token (MUST BE ROTATED IMMEDIATELY)
```
53c30e7a941160679fdcc396c894fc57
```
## Step 1: Rotate Chainstack Credentials
### 1.1 Generate New API Token
1. Log in to Chainstack dashboard: https://console.chainstack.com
2. Navigate to your Arbitrum node
3. Click "Access and Credentials"
4. Generate new API endpoint (this will create a new token)
5. Copy the new endpoint URLs (HTTP and WebSocket)
### 1.2 Update Local Configuration
1. Copy template file:
```bash
cp config/providers.yaml.template config/providers.yaml
cp .env.example .env
```
2. Edit `config/providers.yaml`:
```yaml
providers:
- ws_endpoint: wss://arbitrum-mainnet.core.chainstack.com/YOUR_NEW_TOKEN
- http_endpoint: https://arbitrum-mainnet.core.chainstack.com/YOUR_NEW_TOKEN
```
3. Edit `.env`:
```bash
ARBITRUM_RPC_ENDPOINT=https://arbitrum-mainnet.core.chainstack.com/YOUR_NEW_TOKEN
ARBITRUM_WS_ENDPOINT=wss://arbitrum-mainnet.core.chainstack.com/YOUR_NEW_TOKEN
```
### 1.3 Revoke Old Token
1. In Chainstack dashboard, delete or disable the old endpoint
2. Verify old token no longer works:
```bash
curl https://arbitrum-mainnet.core.chainstack.com/53c30e7a941160679fdcc396c894fc57 \
-X POST \
-H "Content-Type: application/json" \
-d '{"jsonrpc":"2.0","method":"eth_blockNumber","params":[],"id":1}'
```
Expected result: 401 Unauthorized or connection refused
## Step 2: Clean Git History
**WARNING**: This operation rewrites git history and affects all collaborators.
### Option A: BFG Repo-Cleaner (Recommended)
```bash
# Install BFG Repo-Cleaner
brew install bfg # macOS
# or download from: https://rtyley.github.io/bfg-repo-cleaner/
# Clone a fresh copy of the repo
cd ..
git clone --mirror git@github.com:your-org/mev-beta.git mev-beta-clean.git
cd mev-beta-clean.git
# Replace leaked token in all history
echo '53c30e7a941160679fdcc396c894fc57' > ../token-to-remove.txt
bfg --replace-text ../token-to-remove.txt
# Clean up and force push
git reflog expire --expire=now --all
git gc --prune=now --aggressive
# Force push (WARNING: Coordinate with team first!)
git push --force
```
### Option B: git filter-repo
```bash
# Install git-filter-repo
pip3 install git-filter-repo
# Clone fresh copy
cd ..
git clone git@github.com:your-org/mev-beta.git mev-beta-clean
cd mev-beta-clean
# Create replacement file
cat > replacements.txt << 'EOF'
53c30e7a941160679fdcc396c894fc57==>YOUR_NEW_TOKEN
wss://arbitrum-mainnet.core.chainstack.com/53c30e7a941160679fdcc396c894fc57==>wss://arbitrum-mainnet.core.chainstack.com/YOUR_NEW_TOKEN
https://arbitrum-mainnet.core.chainstack.com/53c30e7a941160679fdcc396c894fc57==>https://arbitrum-mainnet.core.chainstack.com/YOUR_NEW_TOKEN
EOF
# Run filter (git filter-repo removes the 'origin' remote when it finishes,
# as a safeguard against pushing a rewritten history by accident)
git filter-repo --replace-text replacements.txt
# Re-add the remote, then force push all branches and tags
git remote add origin git@github.com:your-org/mev-beta.git
git push --force --all
git push --force --tags
```
### Option C: New Repository (If history can't be cleaned)
If the repository is small or history is not critical:
```bash
# Create new repo without history
cd /path/to/mev-beta
rm -rf .git
git init
git add .
git commit -m "Initial commit with cleaned credentials"
# Push to new remote
git remote add origin git@github.com:your-org/mev-beta-new.git
git push -u origin main
```
## Step 3: Update .gitignore
Already completed in Phase 1 fixes. Verify:
```bash
# Dots are escaped so the patterns match the literal file names
grep -E '(providers\.yaml|\.env|\.salt)' .gitignore
```
Expected output:
```
config/providers.yaml
.env
.env.local
.env.production
.env.staging
keystore/.salt
```
## Step 4: Verify Security
### 4.1 Check No Credentials in Git
```bash
# Search every branch and tag for the leaked token
git log -p --all | grep "53c30e7a941160679fdcc396c894fc57"
# Should return nothing after history cleaning
# Search for any Chainstack endpoint carrying a real-looking (32 hex char) token
git log -p --all | grep -E "chainstack\.com/[a-f0-9]{32}"
# Should only show template placeholders
```
### 4.2 Test New Credentials
```bash
# Test RPC endpoint (variables quoted so the URL is passed intact)
curl "$ARBITRUM_RPC_ENDPOINT" \
  -X POST \
  -H "Content-Type: application/json" \
  -d '{"jsonrpc":"2.0","method":"eth_blockNumber","params":[],"id":1}'
# Should return a JSON-RPC response whose "result" is the current block number (hex)
# Test WebSocket endpoint (requires wscat); the request after the ">" prompt
# is typed interactively once the connection is open
wscat -c "$ARBITRUM_WS_ENDPOINT"
> {"jsonrpc":"2.0","id":1,"method":"eth_blockNumber","params":[]}
```
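The checks in Step 1.3 (old token must be rejected) and Step 4.2 (new token must answer `eth_blockNumber`) can be scripted so that the outcome is a single exit code rather than something read off a terminal. The following is an added example, not part of the mev-beta project; it assumes `curl` is installed and that the caller supplies the two endpoint URLs. The classification rules mirror the expected results stated in the document: `401`/`403` or no HTTP reply (curl reports `000` on a refused connection) means the old token is revoked, and a `200` with a hex `result` means the new token is active.

```shell
#!/bin/sh
# Added example (not from the mev-beta repository): verifies a Chainstack
# credential rotation by probing the old and new endpoints with eth_blockNumber.
# Usage: sh verify_rotation.sh OLD_ENDPOINT_URL NEW_ENDPOINT_URL

RPC_BODY='{"jsonrpc":"2.0","method":"eth_blockNumber","params":[],"id":1}'

# Constructed sample responses, used to exercise the classifier offline.
SAMPLE_OK_BODY='{"jsonrpc":"2.0","id":1,"result":"0x12a4b3c"}'
SAMPLE_ERR_BODY='{"jsonrpc":"2.0","id":1,"error":{"code":-32600,"message":"invalid request"}}'

# classify_rpc_response HTTP_CODE BODY -> prints one of:
#   active  : HTTP 200 and the body carries a hex block number in "result"
#   revoked : HTTP 401/403 (token rejected) or 000 (connection refused / no reply)
#   error   : JSON-RPC error object or any other status (rate limit, 5xx, ...)
classify_rpc_response() {
    code=$1
    body=$2
    case "$code" in
        200)
            if printf '%s' "$body" | grep -Eq '"result" *: *"0x[0-9a-f]+"'; then
                echo active
            else
                echo error
            fi
            ;;
        401|403|000)
            echo revoked
            ;;
        *)
            echo error
            ;;
    esac
}

# probe_endpoint URL -> classification of a live eth_blockNumber call.
probe_endpoint() {
    body_file=$(mktemp)
    # -w prints the status code on stdout; on a transport failure curl still
    # prints 000, and the fallback covers the case where it prints nothing.
    code=$(curl -s -o "$body_file" -w '%{http_code}' -X POST \
        -H 'Content-Type: application/json' -d "$RPC_BODY" "$1") || code=000
    body=$(cat "$body_file")
    rm -f "$body_file"
    classify_rpc_response "${code:-000}" "$body"
}

# verify_rotation OLD_URL NEW_URL -> 0 only when the old token is dead and the
# new one answers; prints both classifications for the rotation record.
verify_rotation() {
    old_state=$(probe_endpoint "$1")
    new_state=$(probe_endpoint "$2")
    echo "old endpoint: $old_state (expected: revoked)"
    echo "new endpoint: $new_state (expected: active)"
    [ "$old_state" = revoked ] && [ "$new_state" = active ]
}

# Only perform live probes when two URLs are given on the command line.
if [ $# -eq 2 ]; then
    verify_rotation "$1" "$2"
fi
```

A non-zero exit means the rotation is incomplete: either the old endpoint still serves requests (Step 1.3 not finished) or the new one does not answer (Step 1.2 misconfigured). Keeping the transport-failure case in the "revoked" bucket matches the document's "401 Unauthorized or connection refused", but a `000` on the new endpoint is reported as revoked too, which is why the script insists on `active` there.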
### 4.3 Verify Bot Starts Successfully
```bash
# Load new credentials
source .env
# Test build
make build
# Test startup (30 second timeout)
timeout 30 ./mev-bot start
```
## Step 5: Notify Team
Send notification to all team members:
```
SECURITY ALERT: Credential Rotation Required
We have rotated the Chainstack API credentials due to a leak in version control.
ACTION REQUIRED:
1. Pull latest changes: git pull --force
2. Copy configuration templates:
   - cp config/providers.yaml.template config/providers.yaml
   - cp .env.example .env
3. Request new credentials from [lead developer]
4. Update your local .env and providers.yaml files
5. DO NOT commit .env or providers.yaml files
6. Verify .gitignore excludes these files
Timeline: Complete by [DATE]
Contact: [SECURITY CONTACT]
```
## Step 6: Implement Monitoring
Add monitoring for credential usage:
```bash
# Chainstack dashboard - check for unusual activity
# Look for:
# - Requests from unknown IPs
# - Spike in request volume
# - Failed authentication attempts
# Set up alerts for:
# - RPC rate limit errors
# - Authentication failures
# - Unusual geographic access patterns
```
## Prevention Checklist
- [x] Created .env.example template
- [x] Created providers.yaml.template template
- [x] Updated .gitignore to exclude sensitive files
- [x] Added validation for missing config files
- [ ] Rotate Chainstack credentials
- [ ] Clean git history
- [ ] Test new credentials
- [ ] Notify team members
- [ ] Set up credential monitoring
- [ ] Schedule next credential rotation (90 days)
## Future Improvements
1. **Secret Management Service**: Migrate to HashiCorp Vault or AWS Secrets Manager
2. **Automated Rotation**: Implement automated credential rotation
3. **Pre-commit Hooks**: Add git hooks to prevent credential commits
4. **Secret Scanning**: Set up GitHub secret scanning
5. **Audit Logging**: Log all credential access attempts
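Item 3 above (pre-commit hooks) and the search in Step 4.1 use the same idea: a Chainstack endpoint with a real token looks like `chainstack.com/<32 hex chars>`, while the template placeholder `YOUR_NEW_TOKEN` does not. The hook below is an added example, not code from the mev-beta project; it assumes the secret-bearing file names listed in the `.gitignore` of Step 3 and the token format shown on this page. It refuses a commit that stages one of those files or adds a line carrying a token-like value (or the specific leaked value from this document).

```shell
#!/bin/sh
# Added example (not part of the mev-beta repository): a pre-commit hook that
# blocks commits containing Chainstack tokens or the ignored config files.
# Install: cp this file to .git/hooks/pre-commit && chmod +x .git/hooks/pre-commit
set -u

# The value this document lists as compromised; it must never reappear.
LEAKED_TOKEN='53c30e7a941160679fdcc396c894fc57'
# Files that hold secrets and are excluded by .gitignore (Step 3); the
# committed templates (.env.example, providers.yaml.template) are not matched.
FORBIDDEN_PATHS='^(config/providers\.yaml|\.env(\.local|\.production|\.staging)?|keystore/\.salt)$'
# A Chainstack endpoint carrying a 32-hex-char token, or the leaked value itself.
TOKEN_PATTERN="chainstack\.com/[a-f0-9]{32}|${LEAKED_TOKEN}"

# Constructed sample lines for trying the matcher without a repository.
SAMPLE_TEMPLATE_LINE='ARBITRUM_RPC_ENDPOINT=https://arbitrum-mainnet.core.chainstack.com/YOUR_NEW_TOKEN'
SAMPLE_TOKEN_LINE='ARBITRUM_RPC_ENDPOINT=https://arbitrum-mainnet.core.chainstack.com/0123456789abcdef0123456789abcdef'

# is_forbidden_path PATH -> 0 if PATH is one of the secret-bearing files.
is_forbidden_path() {
    printf '%s\n' "$1" | grep -Eq "$FORBIDDEN_PATHS"
}

# has_token_pattern < TEXT -> 0 if any line contains a token-like value.
# The placeholder YOUR_NEW_TOKEN is not 32 hex characters, so templates pass.
has_token_pattern() {
    grep -Eq "$TOKEN_PATTERN"
}

# scan_staged -> 0 if the staged changes are clean, 1 otherwise (with reasons).
scan_staged() {
    rc=0
    staged=$(git diff --cached --name-only --diff-filter=ACMR 2>/dev/null \
        | grep -E "$FORBIDDEN_PATHS")
    if [ -n "$staged" ]; then
        printf 'pre-commit: refusing to commit secret-bearing file(s):\n%s\n' "$staged" >&2
        rc=1
    fi
    # Only added lines are inspected ('^+' but not the '+++' file header), so a
    # commit that removes a token is allowed while one that introduces it is not.
    if git diff --cached --unified=0 2>/dev/null | grep -E '^\+[^+]' | has_token_pattern; then
        echo 'pre-commit: an added line contains a Chainstack token or the leaked value' >&2
        rc=1
    fi
    return $rc
}

# git runs the hook as .git/hooks/pre-commit; under any other name (e.g. when
# sourced for the self-checks) only the functions are defined.
case "$0" in
    */pre-commit|pre-commit) scan_staged ;;
esac
```

Because the hook lives in `.git/hooks`, it is not versioned with the repository; each collaborator installs it once after the Step 5 notification, or the team points `core.hooksPath` at a tracked directory. It complements rather than replaces the history search in Step 4.1, which covers commits made before the hook existed.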
## Contact
For questions or issues with credential rotation:
- Security Team: security@yourcompany.com
- On-call: +1-xxx-xxx-xxxx
- Slack: #security-incidents