Refs #50
File: config/default.toml [metrics] block, crates/charon-metrics/src/lib.rs
Problem
Default bind address is 0.0.0.0:9091, i.e. listening on all interfaces. On a Hetzner CX22 (or any cloud VPS) without an explicit firewall rule, the /metrics endpoint is reachable from the public internet from the first cargo run. Hetzner's default firewall is permissive on outbound and only blocks inbound on a curated list of ports, which does not cover 9091.
Impact
Every public scrape exposes:
- Per-trade profit histogram (revenue intel)
- Queue depth (capacity intel)
- Liquidatable position count (alpha leak)
- Simulation pass/fail rate
- git_sha (pins the exact build, so known CVEs in that revision and its dependencies can be matched against it)
- Drop-stage breakdown (reveals which gate filters most, and therefore which one an adversary should craft around)
Direct competitive intelligence leak to MEV competitors. Equivalent to publishing your strategy logs.
Fix
Change default in config/default.toml to:
[metrics]
enabled = true
bind = "127.0.0.1:9091"
Document in README that operators must put a reverse proxy with auth in front of the endpoint (or keep it on a compose-internal network) for remote scrape. Reject wildcard binds (0.0.0.0, and its IPv6 equivalent [::]) unless an explicit allow_public_bind = true flag is set; check the parsed address rather than the string so [::] is not missed. Note that 127.0.0.1 keeps the endpoint off the network but still exposes it to every local process on the host.
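Added example (not charon-metrics' own code): a bind-address guard of the kind the fix describes. The MetricsConfig struct, the validate_bind function and the BindError type are assumed names; the check rejects the unspecified wildcard on the parsed address so that both 0.0.0.0 and [::] are caught, and only lets them through when allow_public_bind is set.

```rust
// Added example: a bind-address guard for a `[metrics]` config block.
// Illustrative code, not the charon-metrics implementation; `MetricsConfig`,
// `validate_bind`, `is_loopback_only` and `BindError` are assumed names.
use std::net::SocketAddr;

/// Mirrors the `[metrics]` block. `allow_public_bind` is the opt-in flag
/// proposed in the fix; it defaults to false.
#[derive(Debug, Clone)]
pub struct MetricsConfig {
    pub enabled: bool,
    pub bind: String,
    pub allow_public_bind: bool,
}

impl Default for MetricsConfig {
    fn default() -> Self {
        MetricsConfig {
            enabled: true,
            // The proposed new default: loopback only.
            bind: "127.0.0.1:9091".to_string(),
            allow_public_bind: false,
        }
    }
}

#[derive(Debug, PartialEq, Eq)]
pub enum BindError {
    /// The configured string did not parse as `ip:port`.
    Unparseable(String),
    /// The address is the unspecified wildcard (0.0.0.0 or [::]) and the
    /// operator did not opt in with `allow_public_bind = true`.
    PublicBindRefused(SocketAddr),
}

/// Validate the configured bind address before opening the listener.
///
/// The check runs on the parsed `IpAddr`, not on the string, so that
/// `[::]:9091` and `0.0.0.0:9091` are both refused; a string compare against
/// "0.0.0.0" would let the IPv6 wildcard (dual-stack on most Linux hosts)
/// straight through.
pub fn validate_bind(cfg: &MetricsConfig) -> Result<SocketAddr, BindError> {
    let addr: SocketAddr = cfg
        .bind
        .parse()
        .map_err(|_| BindError::Unparseable(cfg.bind.clone()))?;
    if addr.ip().is_unspecified() && !cfg.allow_public_bind {
        return Err(BindError::PublicBindRefused(addr));
    }
    Ok(addr)
}

/// True when the address is only reachable from the local host (127.0.0.0/8
/// or ::1). A LAN address such as 10.0.0.5 passes `validate_bind` but is
/// still reachable from the network, which is what this helper flags.
pub fn is_loopback_only(addr: &SocketAddr) -> bool {
    addr.ip().is_loopback()
}

fn main() {
    let default_cfg = MetricsConfig::default();
    println!("new default    : {:?}", validate_bind(&default_cfg));

    let old_default = MetricsConfig { bind: "0.0.0.0:9091".into(), ..Default::default() };
    println!("old default    : {:?}", validate_bind(&old_default));

    let v6_wildcard = MetricsConfig { bind: "[::]:9091".into(), ..Default::default() };
    println!("ipv6 wildcard  : {:?}", validate_bind(&v6_wildcard));

    let opted_in = MetricsConfig {
        bind: "0.0.0.0:9091".into(),
        allow_public_bind: true,
        ..Default::default()
    };
    println!("explicit opt-in: {:?}", validate_bind(&opted_in));
}
```

Call validate_bind before binding the listener and abort startup on Err rather than falling back to a default, so a typo in the bind string cannot silently widen exposure. After deployment, confirm on the host that the listener shows 127.0.0.1:9091 in ss -ltn and not 0.0.0.0:9091 or *:9091.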