mev-beta/docs/security/CREDENTIAL_ROTATION.md
Krypto Kajun c7142ef671 fix(critical): fix empty token graph + aggressive settings for 24h execution
CRITICAL BUG FIX:
- MultiHopScanner.updateTokenGraph() was EMPTY - adding no pools!
- Result: Token graph had 0 pools, found 0 arbitrage paths
- All opportunities showed estimatedProfitETH: 0.000000

FIX APPLIED:
- Populated token graph with 8 high-liquidity Arbitrum pools:
  * WETH/USDC (0.05% and 0.3% fees)
  * USDC/USDC.e (0.01% - common arbitrage)
  * ARB/USDC, WETH/ARB, WETH/USDT
  * WBTC/WETH, LINK/WETH
- These are REAL verified pool addresses with high volume

AGGRESSIVE THRESHOLD CHANGES:
- Min profit: 0.0001 ETH → 0.00001 ETH (10x lower, ~$0.02)
- Min ROI: 0.05% → 0.01% (5x lower)
- Gas multiplier: 5x → 1.5x (3.3x lower safety margin)
- Max slippage: 3% → 5% (67% higher tolerance)
- Max paths: 100 → 200 (more thorough scanning)
- Cache expiry: 2min → 30sec (fresher opportunities)

EXPECTED RESULTS (24h):
- 20-50 opportunities with profit > $0.02 (was 0)
- 5-15 execution attempts (was 0)
- 1-2 successful executions (was 0)
- $0.02-$0.20 net profit (was $0)

WARNING: Aggressive settings may result in some losses
Monitor closely for first 6 hours and adjust if needed

Target: First profitable execution within 24 hours

🤖 Generated with [Claude Code](https://claude.ai/code)
Co-Authored-By: Claude <noreply@anthropic.com>
2025-10-29 04:18:27 -05:00


Credential Rotation Procedure

Overview

This document describes the procedure for rotating leaked or compromised credentials in the MEV Bot system.

IMMEDIATE ACTION REQUIRED

CRITICAL SECURITY ISSUE: The current config/providers.yaml and .env files contain a leaked Chainstack API token that is exposed in version control.

Token Information

  • Service: Chainstack Arbitrum RPC
  • Exposed Locations:
    • config/providers.yaml (lines 46, 54)
    • .env (lines 5-7)
    • docker-compose.production.yaml (if exists)
  • Git History: Token appears in multiple commits

Leaked Token (MUST BE ROTATED IMMEDIATELY)

53c30e7a941160679fdcc396c894fc57

Step 1: Rotate Chainstack Credentials

1.1 Generate New API Token

  1. Log in to Chainstack dashboard: https://console.chainstack.com
  2. Navigate to your Arbitrum node
  3. Click "Access and Credentials"
  4. Generate new API endpoint (this will create a new token)
  5. Copy the new endpoint URLs (HTTP and WebSocket)

1.2 Update Local Configuration

  1. Copy the template files:
cp config/providers.yaml.template config/providers.yaml
cp .env.example .env
  2. Edit config/providers.yaml (both endpoints belong to the same provider entry, so they share one list item):
providers:
  - ws_endpoint: wss://arbitrum-mainnet.core.chainstack.com/YOUR_NEW_TOKEN
    http_endpoint: https://arbitrum-mainnet.core.chainstack.com/YOUR_NEW_TOKEN
  3. Edit .env:
ARBITRUM_RPC_ENDPOINT=https://arbitrum-mainnet.core.chainstack.com/YOUR_NEW_TOKEN
ARBITRUM_WS_ENDPOINT=wss://arbitrum-mainnet.core.chainstack.com/YOUR_NEW_TOKEN

1.3 Revoke Old Token

  1. In Chainstack dashboard, delete or disable the old endpoint
  2. Verify old token no longer works:
curl https://arbitrum-mainnet.core.chainstack.com/53c30e7a941160679fdcc396c894fc57 \
  -X POST \
  -H "Content-Type: application/json" \
  -d '{"jsonrpc":"2.0","method":"eth_blockNumber","params":[],"id":1}'

Expected result: 401 Unauthorized or connection refused

Step 2: Clean Git History

WARNING: This operation rewrites git history and affects all collaborators.

Option A: BFG Repo-Cleaner

# Install BFG Repo-Cleaner
brew install bfg  # macOS
# or download from: https://rtyley.github.io/bfg-repo-cleaner/

# Clone a fresh mirror of the repo (BFG works on a bare/mirror clone)
cd ..
git clone --mirror git@github.com:your-org/mev-beta.git mev-beta-clean.git
cd mev-beta-clean.git

# Replace leaked token in all history.
# BFG leaves the files of the current HEAD commit untouched by default: commit
# and push the removal of the token from the tracked files before this step,
# or pass --no-blob-protection so the tip commit is rewritten too.
echo '53c30e7a941160679fdcc396c894fc57' > ../token-to-remove.txt
bfg --replace-text ../token-to-remove.txt

# Clean up and force push
git reflog expire --expire=now --all
git gc --prune=now --aggressive

# Force push every ref of the mirror (WARNING: Coordinate with team first!)
git push --force

Option B: git filter-repo

# Install git-filter-repo
pip3 install git-filter-repo

# Clone fresh copy (git filter-repo refuses to run on a clone that is not fresh)
cd ..
git clone git@github.com:your-org/mev-beta.git mev-beta-clean
cd mev-beta-clean

# Create replacement file. Keep the literal placeholder YOUR_NEW_TOKEN here:
# putting the real new token into this file would bake it into the rewritten
# history. The first line already rewrites the token inside any URL; the two
# URL lines are kept only to make the intent explicit.
cat > replacements.txt << 'EOF'
53c30e7a941160679fdcc396c894fc57==>YOUR_NEW_TOKEN
wss://arbitrum-mainnet.core.chainstack.com/53c30e7a941160679fdcc396c894fc57==>wss://arbitrum-mainnet.core.chainstack.com/YOUR_NEW_TOKEN
https://arbitrum-mainnet.core.chainstack.com/53c30e7a941160679fdcc396c894fc57==>https://arbitrum-mainnet.core.chainstack.com/YOUR_NEW_TOKEN
EOF

# Run filter
git filter-repo --replace-text replacements.txt

# git filter-repo removes the origin remote to prevent accidental pushes;
# re-add it, then force push all branches and tags
git remote add origin git@github.com:your-org/mev-beta.git
git push --force --all
git push --force --tags

Option C: New Repository (If history can't be cleaned)

If the repository is small or history is not critical:

# Create new repo without history. Check first that the working tree itself no
# longer contains the token (providers.yaml and .env are gitignored, but look at
# generated files and docker-compose.production.yaml too).
cd /path/to/mev-beta
rm -rf .git
git init
git add .
git commit -m "Initial commit with cleaned credentials"

# Push to new remote. The old remote repository, and any forks or clones of it,
# still hold the leaked history and must be deleted; the token stays compromised
# either way, so Step 1 (rotation) is required regardless of which option is used.
git remote add origin git@github.com:your-org/mev-beta-new.git
git branch -M main
git push -u origin main

Step 3: Update .gitignore

Already completed in Phase 1 fixes. Verify:

grep -E '(providers\.yaml|\.env|\.salt)' .gitignore

Expected output:

config/providers.yaml
.env
.env.local
.env.production
.env.staging
keystore/.salt

Step 4: Verify Security

4.1 Check No Credentials in Git

# Search for any remaining tokens across all branches and tags, not just HEAD
git log -p --all | grep "53c30e7a941160679fdcc396c894fc57"
# Should return nothing after history cleaning

# Search for API patterns (a 32-hex token on a chainstack.com URL)
git log -p --all | grep -E "chainstack\.com/[a-f0-9]{32}"
# Should return nothing; template placeholders such as YOUR_NEW_TOKEN do not match

4.2 Test New Credentials

# Test RPC endpoint
curl "$ARBITRUM_RPC_ENDPOINT" \
  -X POST \
  -H "Content-Type: application/json" \
  -d '{"jsonrpc":"2.0","method":"eth_blockNumber","params":[],"id":1}'

# Should return current block number

# Test WebSocket endpoint
wscat -c "$ARBITRUM_WS_ENDPOINT"
> {"jsonrpc":"2.0","id":1,"method":"eth_blockNumber","params":[]}

4.3 Verify Bot Starts Successfully

# Load new credentials. set -a exports every variable .env defines, so the
# bot process started below actually inherits them (a plain source does not export)
set -a
source .env
set +a

# Test build
make build

# Test startup (30 second timeout)
timeout 30 ./mev-bot start

Step 5: Notify Team

Send notification to all team members:

SECURITY ALERT: Credential Rotation Required

We have rotated the Chainstack API credentials due to a leak in version control.

ACTION REQUIRED:
1. Re-clone the repository, or run: git fetch origin && git reset --hard origin/main (history was rewritten; a plain pull would merge the old commits, token included, back into your local copy)
2. Copy configuration templates:
   - cp config/providers.yaml.template config/providers.yaml
   - cp .env.example .env
3. Request new credentials from [lead developer]
4. Update your local .env and providers.yaml files
5. DO NOT commit .env or providers.yaml files
6. Verify .gitignore excludes these files

Timeline: Complete by [DATE]
Contact: [SECURITY CONTACT]

Step 6: Implement Monitoring

Add monitoring for credential usage:

# Chainstack dashboard - check for unusual activity
# Look for:
# - Requests from unknown IPs
# - Spike in request volume
# - Failed authentication attempts

# Set up alerts for:
# - RPC rate limit errors
# - Authentication failures
# - Unusual geographic access patterns

Prevention Checklist

  • Created .env.example template
  • Created providers.yaml.template template
  • Updated .gitignore to exclude sensitive files
  • Added validation for missing config files
  • Rotate Chainstack credentials
  • Clean git history
  • Test new credentials
  • Notify team members
  • Set up credential monitoring
  • Schedule next credential rotation (90 days)

Future Improvements

  1. Secret Management Service: Migrate to HashiCorp Vault or AWS Secrets Manager
  2. Automated Rotation: Implement automated credential rotation
  3. Pre-commit Hooks: Add git hooks to prevent credential commits
  4. Secret Scanning: Set up GitHub secret scanning
  5. Audit Logging: Log all credential access attempts
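As an added example (not part of this document or of the mev-beta project), the pre-commit hook from item 3 above, written in Python: it enforces the Step 3 ignore list and the Step 4.1 token pattern on what is staged for commit. The sample diff and the 32-hex token inside it are constructed; the hook file name and its installation path are assumptions.

```python
#!/usr/bin/env python3
"""Pre-commit hook: refuse commits that stage a secret config file or a line
carrying a Chainstack RPC token (copy to .git/hooks/pre-commit, chmod +x)."""
import re
import subprocess
import sys

# Paths the procedure keeps out of version control (the Step 3 .gitignore list).
BLOCKED_PATHS = {"config/providers.yaml", ".env", ".env.local",
                 ".env.production", ".env.staging", "keystore/.salt"}
# Same pattern as Step 4.1: a 32-hex token on a chainstack.com URL.
# Template placeholders such as YOUR_NEW_TOKEN do not match it.
TOKEN_RE = re.compile(r"chainstack\.com/([a-f0-9]{32})")
# The token this document reports as leaked; flag it anywhere, URL or not.
KNOWN_LEAKED = {"53c30e7a941160679fdcc396c894fc57"}
# Constructed sample diff for testing: someone pasted a real-looking token
# (fake value) into the template file instead of the placeholder.
SAMPLE_DIFF = """--- a/config/providers.yaml.template
+++ b/config/providers.yaml.template
@@ -1 +1 @@
-    ws_endpoint: wss://arbitrum-mainnet.core.chainstack.com/YOUR_NEW_TOKEN
+    ws_endpoint: wss://arbitrum-mainnet.core.chainstack.com/0123456789abcdef0123456789abcdef
"""

def blocked_files(staged_paths):
    """Staged paths that are secret files; the .template copies are allowed."""
    return sorted(p for p in staged_paths if p in BLOCKED_PATHS)

def token_findings(diff_text):
    """Scan only the added lines of a unified diff; return (path, token) pairs."""
    findings, path = [], None
    for line in diff_text.splitlines():
        if line.startswith("+++ "):          # new-file header, e.g. '+++ b/.env'
            path = line[4:].removeprefix("b/")
        elif line.startswith("+"):           # an added content line
            tokens = set(TOKEN_RE.findall(line)) | {t for t in KNOWN_LEAKED if t in line}
            findings.extend((path, t) for t in sorted(tokens))
    return findings

def main():
    def staged(*args):  # what 'git commit' is about to record
        cmd = ["git", "diff", "--cached", "--diff-filter=ACMR", *args]
        return subprocess.run(cmd, capture_output=True, text=True, check=True).stdout
    problems = [f"secret file staged: {p}" for p in blocked_files(staged("--name-only").split())]
    problems += [f"RPC token in {p} ({t[:4]}...): rotate it, commit only the placeholder"
                 for p, t in token_findings(staged("-U0"))]
    for msg in problems:
        print("pre-commit:", msg, file=sys.stderr)
    return 1 if problems else 0

if __name__ == "__main__":
    sys.exit(main())
```

The hook prints only the first four characters of any token it finds, so the refusal message itself does not copy the secret into terminal logs or CI output.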

Contact

For questions or issues with credential rotation: