Refs #44
File: crates/charon-core/src/config.rs (ChainConfig)
Problem
BSC private RPC URLs from bloxroute, blocknative, and GetBlock embed API keys in the URL path (e.g. https://bsc.bloxroute.com/api-key=abcd1234). ChainConfig derives Debug. Any tracing::debug!("{:?}", config) prints the full URL with the embedded key. Same class as p0 bugs already filed against PRs #30 and #31 for ws_url/http_url.
Impact
Hot-wallet private RPC API key leaks into log sinks, file logs, remote collectors. Attacker with log access can drain quota or impersonate the bot's submission identity.
Fix
Change ChainConfig.private_rpc_url to Option<secrecy::SecretString>. Implement Debug manually with redaction. Verify all tracing call sites do not call expose_secret() in log macros.
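Added example, not charon's code: a self-contained sketch of the proposed fix. RedactedSecret is a minimal stand-in for secrecy::SecretString (same expose_secret() shape, redacting Debug) so the file builds without the crate; the real patch should use secrecy directly. The chain_id field and the helper names (debug_render, leaks_key, rpc_endpoint) are assumptions for illustration.

```rust
use std::fmt;

/// Minimal stand-in for `secrecy::SecretString` (assumption: the real fix uses the crate).
/// Holds the value, prints "[REDACTED]" for Debug, and only hands the plaintext out
/// through an explicit `expose_secret()` call that is easy to grep for.
pub struct RedactedSecret(String);

impl RedactedSecret {
    pub fn new(s: impl Into<String>) -> Self {
        RedactedSecret(s.into())
    }

    /// The only way to read the value; must never appear inside a tracing macro.
    pub fn expose_secret(&self) -> &str {
        &self.0
    }
}

impl fmt::Debug for RedactedSecret {
    fn fmt(&self, f: &mut fmt::Formatter<'_>) -> fmt::Result {
        f.write_str("[REDACTED]")
    }
}

/// Subset of ChainConfig with the field under discussion (chain_id is a hypothetical
/// extra field). Debug is deliberately NOT derived.
pub struct ChainConfig {
    pub chain_id: u64,
    pub private_rpc_url: Option<RedactedSecret>,
}

impl fmt::Debug for ChainConfig {
    fn fmt(&self, f: &mut fmt::Formatter<'_>) -> fmt::Result {
        f.debug_struct("ChainConfig")
            .field("chain_id", &self.chain_id)
            // Option<RedactedSecret> renders as Some([REDACTED]) / None: presence is
            // visible for debugging, the URL (and the key in its path) is not.
            .field("private_rpc_url", &self.private_rpc_url)
            .finish()
    }
}

/// What `tracing::debug!("{:?}", config)` would write to the log sink.
pub fn debug_render(config: &ChainConfig) -> String {
    format!("{:?}", config)
}

/// Regression check: does a rendered log line contain the raw API key?
pub fn leaks_key(rendered: &str, key: &str) -> bool {
    rendered.contains(key)
}

/// The one legitimate consumer of the plaintext: building the RPC client.
pub fn rpc_endpoint(config: &ChainConfig) -> Option<&str> {
    config.private_rpc_url.as_ref().map(|s| s.expose_secret())
}

fn main() {
    // Constructed sample value mirroring the URL shape in the report; not a real key.
    let cfg = ChainConfig {
        chain_id: 56,
        private_rpc_url: Some(RedactedSecret::new(
            "https://bsc.bloxroute.com/api-key=abcd1234",
        )),
    };
    println!("{}", debug_render(&cfg));
    // prints: ChainConfig { chain_id: 56, private_rpc_url: Some([REDACTED]) }
}
```

Because the wrapper owns the redaction, any future `{:?}` of the struct or of the field alone stays safe; the manual Debug impl on ChainConfig additionally guards against a later `#[derive(Debug)]` being re-added with unwrapped fields. The remaining audit step from the report is mechanical: every `expose_secret()` call should sit at the client-construction boundary, never inside a tracing macro argument.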