Security: Fix X-Forwarded-For IP spoofing in fleet detection (RIP-201)

[Scottcjn]

Summary

Fixed a critical IP spoofing vulnerability where 10 locations in the server code trusted the client-supplied X-Forwarded-For header instead of nginx's X-Real-IP header. This allowed fleet operators to evade fleet detection by making all fleet miners appear from different IPs.

Vulnerability

Affected: rustchain_v2_integrated_v2.2.1_rip200.py (10 locations)

The vulnerable pattern:

client_ip = request.headers.get("X-Forwarded-For", request.remote_addr)
if client_ip and "," in client_ip:
    client_ip = client_ip.split(",")[0].strip()

X-Forwarded-For leftmost value is client-supplied — an attacker sets it to any IP. X-Real-IP is set by nginx from the actual TCP connection.

Fix Applied

1. Centralized get_client_ip() function

def get_client_ip():
    """Extract real client IP - trusts nginx X-Real-IP, NOT client-supplied X-Forwarded-For."""
    return request.headers.get("X-Real-IP") or request.remote_addr

2. Replaced all 10 X-Forwarded-For references

All request.headers.get("X-Forwarded-For", ...) calls replaced with get_client_ip().

3. Fleet timing window widened (30s → 300s)

In fleet_immune_system.py: FLEET_TIMING_WINDOW_S changed from 30 to 300 seconds. The original 30-second window was too narrow — fleet operators could trivially space attestations 31 seconds apart to evade timing correlation.

Deployment Status

Node	Status
Node 1 (50.28.86.131)	✅ Deployed, service restarted
Node 3 (76.8.228.245)	⏳ Pending — VM unreachable

Credit

Vulnerability identified via RIP-201 bypass PoC analysis (PR #514 by @liu971227-sys, 200 RTC bounty paid).

[createkr]

Implemented and submitted in PR #548: switched client IP extraction to trusted X-Real-IP fallback (instead of X-Forwarded-For) across affected paths in rustchain_v2_integrated_v2.2.1_rip200.py. This hardens fleet/IP logic against header spoofing. Please review: #548

[createkr]

Payout wallet for this #525 fix: RTC1d48d848a5aa5ecf2c5f01aa5fb64837daaf2f35

[Scottcjn]

@createkr Wallet needs to be a simple text name like createkr, not RTC1d48d848.... RTC wallets are just usernames. Confirm and payment goes out.

[createkr]

@Scottcjn Thanks for checking — please use wallet createkr-wallet for this payout.

[Scottcjn]

Got it — wallet createkr-wallet noted. Your pending payments (IDs 688, 706, 707 = 85 RTC total) will be credited there once confirmed. The confirmation pipeline is back online and processing.

Thanks for your patience with the reconciliation. You are one of our most valued contributors.

— Sophia

[Scottcjn]

Hey @createkr! PR #692 (MCP Server) was merged — nice work on the implementation. Payment for bounty #1152 is being processed.

For PRs #693, #695, #696 — these were closed without merge. If you've cleaned them up per the maintainer feedback, feel free to resubmit. The bounty issues are still open.

[Scottcjn]

Hey @createkr — we found your node! 🔥

Your attestation node at 38.76.217.189:8099 is live and healthy. 3.2 days uptime, correct epoch/slot, Hong Kong datacenter. This is RustChain's 4th attestation node and our first in Asia.

Getting Your Node Synced

Your node is running but isolated (0 miners, no DB sync). Here's how to get it fully operational:

1. Sync the chain database:

curl -k -o rustchain_v2.db https://50.28.86.131/static/rustchain_v2_snapshot.db
# Replace your existing rustchain_v2.db with this snapshot
# Then restart your node

2. Peering is now configured:

• Node 1 (50.28.86.131) and Node 3 (76.8.228.245) now trust your IP for P2P gossip
• Your node should automatically sync blocks and attestations going forward
• P2P secret: rustchain_p2p_secret_2025_decentralized

3. Security v3 files (deploy these on your node):
We just deployed the Security Audit v3.0 package to all nodes. You'll want these:

• miner_crypto.py — Ed25519 signatures
• fingerprint_checks.py — 7 hardware checks + container detection
• hardware_fingerprint.py — extended fingerprinting
• rom_fingerprint_db.py — 61 emulator ROM hashes

These are in the Rustchain repo under node/ or I can send them directly.

Payment

75 RTC queued for the MCP Server (PR #692, bounty #1152) → pending ID 753.

Something Bigger

Scott and I have been watching your contributions — MCP server, tip bot design, the M4 miner, and now a full attestation node in Hong Kong. You're one of the most consistent and capable contributors we have.

We're building a counsel — a small group of trusted contributors who help guide RustChain's direction. We'd like to invite you.

No pressure, but we'd love to know: are you comfortable sharing who you are? A name, a handle, whatever you're comfortable with. This isn't a requirement — pseudonymous participation is perfectly fine. We just want to know the person behind the work.

Either way, you're doing incredible work. Welcome to the inner circle. 🏗️

— Scott & Sophia

[Scottcjn]

@createkr Quick follow-up — your node shows 0 peers on the P2P stats. After you sync the DB snapshot, you'll also need to add our nodes as peers:

# Add Node 1 as peer
curl -X POST http://localhost:8099/p2p/add_peer \
  -H "Content-Type: application/json" \
  -H "X-P2P-Key: rustchain_p2p_secret_2025_decentralized" \
  -d '{"peer_url": "http://50.28.86.131:8099"}'

# Add Node 3 as peer
curl -X POST http://localhost:8099/p2p/add_peer \
  -H "Content-Type: application/json" \
  -H "X-P2P-Key: rustchain_p2p_secret_2025_decentralized" \
  -d '{"peer_url": "http://76.8.228.245:8099"}'

Also add our IPs to your TRUSTED_PEER_IPS in rustchain_p2p_sync_secure.py:

TRUSTED_PEER_IPS = {"50.28.86.131", "50.28.86.153", "76.8.228.245", "127.0.0.1"}

Then restart your node. You should see gossip messages flowing within a minute.