From 552cb25a0b3bb2792d799f7eaff471edffe59080 Mon Sep 17 00:00:00 2001 From: Mischa0x Date: Sun, 19 Apr 2026 18:27:06 +0000 Subject: [PATCH 1/2] security: strip server-only env vars from next.config.js env block MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit The `env:` block in next.config.js inlines every listed value into the client-side JS bundle at build time. Server-only values have no business there — they were being exposed to every visitor's browser the moment a Vercel env set them. Removed (referenced only by pages/api/* or scripts, which read process.env at runtime and do not require inlining): BOT_PRIVATE_KEY pages/api/vcxTrader.ts TEST_BOT_PRIVATE_KEY pages/bots/compoundRewards.tsx, pages/bots/allocation.tsx (also client-read — see TODO below) DUNE_API_KEY pages/api/circulatingSupply.ts, totalSupply.ts DISCORD_WEBHOOK lib/discord/discordBot.ts FLASHBOTS_RPC_URL pages/api/vcxTrader.ts MAINNET_RPC_URL pages/api/vcxTrader.ts VCX_RECIPIENT pages/api/vcxTrader.ts MIN_AMOUNT pages/api/vcxTrader.ts WATCH_LIST unreferenced ZK_FETCH_APP_ID unreferenced ZK_FETCH_SECRET unreferenced VAULTS_CACHE unreferenced (only in next.config.js) Verified against current deploys: scanned all client chunks from vaultcraft.io and app.vaultcraft.io — none currently contain a private-key-shaped hex, confirming these env vars are not populated in the Vercel project today. This change prevents accidental future exposure the first time someone adds a real value to the Vercel env under one of these names. TODO (separate PRs needed, not fixed here): 1. pages/bots/compoundRewards.tsx:39 and pages/bots/allocation.tsx:314 call `process.env.TEST_BOT_PRIVATE_KEY` from client code. That flow must be rearchitected to POST to an API route that signs server-side. Those pages' signing functionality is currently non-functional on the live deploy (env var unset), so this change does not cause a regression — it removes the exposure path. 2. PINATA_API_SECRET / PINATA_API_KEY / DEBANK_API_KEY are still inlined to the client because client code reads them today. Pinata secrets in particular grant upload privileges billed to the account and should be proxied through an authenticated API route. --- next.config.js | 16 ++++------------ 1 file changed, 4 insertions(+), 12 deletions(-) diff --git a/next.config.js b/next.config.js index c417e189..9f420673 100644 --- a/next.config.js +++ b/next.config.js @@ -6,26 +6,18 @@ const nextConfig = { images: { domains: ["cdn.furucombo.app", "cryptologos.cc", "forum.vaultcraft.io"], }, + // Next.js inlines vars listed here into the CLIENT-side JS bundle at build + // time. Only keep values that client code legitimately needs. Server-only + // code (API routes, server components) reads process.env directly at + // runtime and does NOT need an entry here. env: { NEXT_PUBLIC_ALCHEMY_API_KEY: process.env.ALCHEMY_API_KEY, PINATA_API_SECRET: process.env.PINATA_API_SECRET, PINATA_API_KEY: process.env.PINATA_API_KEY, IPFS_URL: process.env.IPFS_URL, - DUNE_API_KEY: process.env.DUNE_API_KEY, ENSO_API_KEY: process.env.ENSO_API_KEY, DEFILLAMA_API_KEY: process.env.DEFILLAMA_API_KEY, - VAULTS_CACHE: process.env.VAULTS_CACHE, - DISCORD_WEBHOOK: process.env.DISCORD_WEBHOOK, - FLASHBOTS_RPC_URL: process.env.FLASHBOTS_RPC_URL, - MAINNET_RPC_URL: process.env.MAINNET_RPC_URL, - VCX_RECIPIENT: process.env.VCX_RECIPIENT, - BOT_PRIVATE_KEY: process.env.BOT_PRIVATE_KEY, - MIN_AMOUNT: process.env.MIN_AMOUNT, - WATCH_LIST: process.env.WATCH_LIST, - ZK_FETCH_APP_ID: process.env.ZK_FETCH_APP_ID, - ZK_FETCH_SECRET: process.env.ZK_FETCH_SECRET, DEBANK_API_KEY: process.env.DEBANK_API_KEY, - TEST_BOT_PRIVATE_KEY: process.env.TEST_BOT_PRIVATE_KEY, }, async headers() { return [{ From 17b85601f297764c266d691544841abb1b0abd33 Mon Sep 17 00:00:00 2001 From: Mischa0x Date: Sun, 19 Apr 2026 18:52:35 +0000 Subject: [PATCH 2/2] fix: restore VAULTS_CACHE to env block MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit The previous commit wrongly classified VAULTS_CACHE as unreferenced. It is read by components/common/Page.tsx:509,545 — a client component that fetches a pre-computed vault-data JSON blob on initial load for a faster first paint, falling back to live computation if unset. It is not a secret (a public cache URL that gets fetched from browsers anyway), so inlining it is acceptable. Restoring to preserve the cache performance path. --- next.config.js | 1 + 1 file changed, 1 insertion(+) diff --git a/next.config.js b/next.config.js index 9f420673..3ba7c253 100644 --- a/next.config.js +++ b/next.config.js @@ -18,6 +18,7 @@ const nextConfig = { ENSO_API_KEY: process.env.ENSO_API_KEY, DEFILLAMA_API_KEY: process.env.DEFILLAMA_API_KEY, DEBANK_API_KEY: process.env.DEBANK_API_KEY, + VAULTS_CACHE: process.env.VAULTS_CACHE, }, async headers() { return [{