verticalcoin · DerUntote · Jun 7, 2026
diff --git a/.jules/sentinel.md b/.jules/sentinel.md
@@ -0,0 +1,4 @@
+## 2024-06-07 - Prevent internal RPC error leakage
+**Vulnerability:** The tipbot leaked internal bitcoind-rpc error messages to users via Discord API `message.reply(err.message)`.
+**Learning:** Returning unhandled or raw errors directly to the user is a security vulnerability, as it might disclose sensitive system information, paths, or connection issues in production. Unhandled promise rejections can also crash the entire process.
+**Prevention:** Always log the `err` object internally with `console.error(err)` and replace the raw message sent to users with a sanitized, generic message such as 'An internal error occurred while processing your request.' Always use `.catch()` on async functions returning a promise like Discord API calls to prevent unhandled rejection crashes.
diff --git a/bot/modules/bot-uptime.js b/bot/modules/bot-uptime.js
@@ -6,20 +6,20 @@ exports.commands = ['uptime'];
 exports.uptime = {
   usage: '',
   description: 'gets Uptime for Bot',
-  process: function(bot, msg, suffix) {
+  process: function (bot, msg, suffix) {
     if (suffix != pm2Name) {
       return;
     }
     msg.channel.send(
       'i have been Online for ' +
-      Math.round(bot.uptime / (1000 * 60 * 60 * 24)) +
-      ' days, ' +
-      Math.round(bot.uptime / (1000 * 60 * 60)) +
-      ' hours, ' +
-      Math.round(bot.uptime / (1000 * 60)) % 60 +
-      ' minutes, and ' +
-      Math.round(bot.uptime / 1000) % 60 +
-      ' seconds'
+        Math.round(bot.uptime / (1000 * 60 * 60 * 24)) +
+        ' days, ' +
+        Math.round(bot.uptime / (1000 * 60 * 60)) +
+        ' hours, ' +
+        (Math.round(bot.uptime / (1000 * 60)) % 60) +
+        ' minutes, and ' +
+        (Math.round(bot.uptime / 1000) % 60) +
+        ' seconds',
     );
-  }
+  },
 };
diff --git a/bot/modules/dogeTipper.js b/bot/modules/dogeTipper.js
@@ -158,7 +158,11 @@ function doWithdraw(message, tipper, words, helpmsg) {
       }
       doge.sendFrom(tipper, address, Number(amount), function (err, txId) {
         if (err) {
-          message.reply(err.message).then((message) => message.delete(10000));
+          console.error(err);
+          message
+            .reply('An internal error occurred while processing your request.')
+            .then((message) => message.delete(10000))
+            .catch(console.error);
         } else {
           message.channel.send({
             embed: {
@@ -263,7 +267,11 @@ function doTip(bot, message, tipper, words, helpmsg) {
 function sendDOGE(bot, message, tipper, recipient, amount, privacyFlag) {
   getAddress(recipient.toString(), function (err, address) {
     if (err) {
-      message.reply(err.message).then((message) => message.delete(10000));
+      console.error(err);
+      message
+        .reply('An internal error occurred while processing your request.')
+        .then((message) => message.delete(10000))
+        .catch(console.error);
     } else {
       doge.sendFrom(
         tipper,
@@ -274,7 +282,13 @@ function sendDOGE(bot, message, tipper, recipient, amount, privacyFlag) {
         null,
         function (err, txId) {
           if (err) {
-            message.reply(err.message).then((message) => message.delete(10000));
+            console.error(err);
+            message
+              .reply(
+                'An internal error occurred while processing your request.',
+              )
+              .then((message) => message.delete(10000))
+              .catch(console.error);
           } else {
             if (privacyFlag) {
               let userProfile = message.guild.members.get(recipient); // ⚡ Bolt: O(1) direct ID lookup vs O(N) linear search;

diff --git a/bot/modules/exampleTipper.js b/bot/modules/exampleTipper.js
@@ -143,7 +143,8 @@ function doWithdraw(message, tipper, words, helpmsg) {
       }
       ltc.sendFrom(tipper, address, Number(amount), function(err, txId) {
         if (err) {
-          message.reply(err.message).then(message => message.delete(10000));
+          console.error(err);
+          message.reply('An internal error occurred while processing your request.').then(message => message.delete(10000)).catch(console.error);
         } else {
         message.channel.send({embed:{
         title: '**:outbox_tray::money_with_wings::moneybag:Litecoin (LTC) Transaction Completed!:moneybag::money_with_wings::outbox_tray:**',
@@ -228,11 +229,13 @@ function doTip(bot, message, tipper, words, helpmsg) {
 function sendLTC(bot, message, tipper, recipient, amount, privacyFlag) {
   getAddress(recipient.toString(), function(err, address) {
     if (err) {
-      message.reply(err.message).then(message => message.delete(10000));
+      console.error(err);
+      message.reply('An internal error occurred while processing your request.').then(message => message.delete(10000)).catch(console.error);
     } else {
           ltc.sendFrom(tipper, address, Number(amount), 1, null, null, function(err, txId) {
               if (err) {
-                message.reply(err.message).then(message => message.delete(10000));
+                console.error(err);
+                message.reply('An internal error occurred while processing your request.').then(message => message.delete(10000)).catch(console.error);
               } else {
                 if (privacyFlag) {
                   let userProfile = message.guild.members.get(recipient) // ⚡ Bolt: O(1) direct ID lookup vs O(N) linear search;

diff --git a/bot/modules/ftcTipper.js b/bot/modules/ftcTipper.js
@@ -158,7 +158,11 @@ function doWithdraw(message, tipper, words, helpmsg) {
       }
       ftc.sendFrom(tipper, address, Number(amount), function (err, txId) {
         if (err) {
-          message.reply(err.message).then((message) => message.delete(10000));
+          console.error(err);
+          message
+            .reply('An internal error occurred while processing your request.')
+            .then((message) => message.delete(10000))
+            .catch(console.error);
         } else {
           message.channel.send({
             embed: {
@@ -263,7 +267,11 @@ function doTip(bot, message, tipper, words, helpmsg) {
 function sendFTC(bot, message, tipper, recipient, amount, privacyFlag) {
   getAddress(recipient.toString(), function (err, address) {
     if (err) {
-      message.reply(err.message).then((message) => message.delete(10000));
+      console.error(err);
+      message
+        .reply('An internal error occurred while processing your request.')
+        .then((message) => message.delete(10000))
+        .catch(console.error);
     } else {
       ftc.sendFrom(
         tipper,
@@ -274,7 +282,13 @@ function sendFTC(bot, message, tipper, recipient, amount, privacyFlag) {
         null,
         function (err, txId) {
           if (err) {
-            message.reply(err.message).then((message) => message.delete(10000));
+            console.error(err);
+            message
+              .reply(
+                'An internal error occurred while processing your request.',
+              )
+              .then((message) => message.delete(10000))
+              .catch(console.error);
           } else {
             if (privacyFlag) {
               let userProfile = message.guild.members.get(recipient); // ⚡ Bolt: O(1) direct ID lookup vs O(N) linear search;

diff --git a/bot/modules/helpTipper.js b/bot/modules/helpTipper.js
@@ -11,27 +11,41 @@ exports.commands = ['tiphelp'];
 exports.tiphelp = {
   usage: '<subcommand>',
   description: 'This commands has been changed to currency specific commands!',
-  process: function(bot, message) {
+  process: function (bot, message) {
     message.author.send(
-      '__**Ravencoin (RVN) Tipper**__\nTransaction Fees: **' + ravenFee + '**\n    **!tiprvn balance** : get your balance\n    **!tiprvn deposit** : get address for your deposits\n    **!tiprvn withdraw <ADDRESS> <AMOUNT>** : withdraw coins to specified address\n    **!tiprvn <@user> <amount>** :mention a user with @ and then the amount to tip them\n    **!tiprvn private <user> <amount>** : put private before Mentioning a user to tip them privately.\n'
+      '__**Ravencoin (RVN) Tipper**__\nTransaction Fees: **' +
+        ravenFee +
+        '**\n    **!tiprvn balance** : get your balance\n    **!tiprvn deposit** : get address for your deposits\n    **!tiprvn withdraw <ADDRESS> <AMOUNT>** : withdraw coins to specified address\n    **!tiprvn <@user> <amount>** :mention a user with @ and then the amount to tip them\n    **!tiprvn private <user> <amount>** : put private before Mentioning a user to tip them privately.\n',
     );
     message.author.send(
-      '__**Dogecoin (DOGE) Tipper**__\nTransaction Fees: **' + dogeFee + '**\n    **!tipdoge balance** : get your balance\n    **!tipdoge deposit** : get address for your deposits\n    **!tipdoge withdraw <ADDRESS> <AMOUNT>** : withdraw coins to specified address\n    **!tipdoge <@user> <amount>** :mention a user with @ and then the amount to tip them\n    **!tipdoge private <user> <amount>** : put private before Mentioning a user to tip them privately.\n'
+      '__**Dogecoin (DOGE) Tipper**__\nTransaction Fees: **' +
+        dogeFee +
+        '**\n    **!tipdoge balance** : get your balance\n    **!tipdoge deposit** : get address for your deposits\n    **!tipdoge withdraw <ADDRESS> <AMOUNT>** : withdraw coins to specified address\n    **!tipdoge <@user> <amount>** :mention a user with @ and then the amount to tip them\n    **!tipdoge private <user> <amount>** : put private before Mentioning a user to tip them privately.\n',
     );
     message.author.send(
-      '__**LBRY Credit (LBC) Tipper**__\nTransaction Fees: **' + lbryFee + '**\n    **!tiplbc balance** : get your balance\n    **!tiplbc deposit** : get address for your deposits\n    **!tiplbc withdraw <ADDRESS> <AMOUNT>** : withdraw coins to specified address\n    **!tiplbc <@user> <amount>** :mention a user with @ and then the amount to tip them\n    **!tiplbc private <user> <amount>** : put private before Mentioning a user to tip them privately.\n'
+      '__**LBRY Credit (LBC) Tipper**__\nTransaction Fees: **' +
+        lbryFee +
+        '**\n    **!tiplbc balance** : get your balance\n    **!tiplbc deposit** : get address for your deposits\n    **!tiplbc withdraw <ADDRESS> <AMOUNT>** : withdraw coins to specified address\n    **!tiplbc <@user> <amount>** :mention a user with @ and then the amount to tip them\n    **!tiplbc private <user> <amount>** : put private before Mentioning a user to tip them privately.\n',
     );
     message.author.send(
-      '__**Proton (PROTON) Tipper**__\nTransaction Fees: **' + protonFee + '**\n    **!tipproton balance** : get your balance\n    **!tipproton deposit** : get address for your deposits\n    **!tipproton withdraw <ADDRESS> <AMOUNT>** : withdraw coins to specified address\n    **!tipproton <@user> <amount>** :mention a user with @ and then the amount to tip them\n    **!tipproton private <user> <amount>** : put private before Mentioning a user to tip them privately.\n'
+      '__**Proton (PROTON) Tipper**__\nTransaction Fees: **' +
+        protonFee +
+        '**\n    **!tipproton balance** : get your balance\n    **!tipproton deposit** : get address for your deposits\n    **!tipproton withdraw <ADDRESS> <AMOUNT>** : withdraw coins to specified address\n    **!tipproton <@user> <amount>** :mention a user with @ and then the amount to tip them\n    **!tipproton private <user> <amount>** : put private before Mentioning a user to tip them privately.\n',
     );
     message.author.send(
-      '__**Uniform Fiscal Object (UFO) Tipper**__\nTransaction Fees: **' + ufoFee + '**\n    **!tipufo balance** : get your balance\n    **!tipufo deposit** : get address for your deposits\n    **!tipufo withdraw <ADDRESS> <AMOUNT>** : withdraw coins to specified address\n    **!tipufo <@user> <amount>** :mention a user with @ and then the amount to tip them\n    **!tipufo private <user> <amount>** : put private before Mentioning a user to tip them privately.\n'
+      '__**Uniform Fiscal Object (UFO) Tipper**__\nTransaction Fees: **' +
+        ufoFee +
+        '**\n    **!tipufo balance** : get your balance\n    **!tipufo deposit** : get address for your deposits\n    **!tipufo withdraw <ADDRESS> <AMOUNT>** : withdraw coins to specified address\n    **!tipufo <@user> <amount>** :mention a user with @ and then the amount to tip them\n    **!tipufo private <user> <amount>** : put private before Mentioning a user to tip them privately.\n',
     );
     message.author.send(
-      '__**Phoenixcoin (PXC) Tipper**__\nTransaction Fees: **' + phoenixFee + '**\n    **!tippxc balance** : get your balance\n    **!tippxc deposit** : get address for your deposits\n    **!tippxc withdraw <ADDRESS> <AMOUNT>** : withdraw coins to specified address\n    **!tippxc <@user> <amount>** :mention a user with @ and then the amount to tip them\n    **!tippxc private <user> <amount>** : put private before Mentioning a user to tip them privately.\n'
+      '__**Phoenixcoin (PXC) Tipper**__\nTransaction Fees: **' +
+        phoenixFee +
+        '**\n    **!tippxc balance** : get your balance\n    **!tippxc deposit** : get address for your deposits\n    **!tippxc withdraw <ADDRESS> <AMOUNT>** : withdraw coins to specified address\n    **!tippxc <@user> <amount>** :mention a user with @ and then the amount to tip them\n    **!tippxc private <user> <amount>** : put private before Mentioning a user to tip them privately.\n',
     );
     message.author.send(
-      '__**Feathercoin (FTC) Tipper**__\nTransaction Fees: **' + featherFee + '**\n    **!tipftc balance** : get your balance\n    **!tipftc deposit** : get address for your deposits\n    **!tipufo withdraw <ADDRESS> <AMOUNT>** : withdraw coins to specified address\n    **!tipftc <@user> <amount>** :mention a user with @ and then the amount to tip them\n    **!tipftc private <user> <amount>** : put private before Mentioning a user to tip them privately.\n\n    **<> : Replace with appropriate value.**'
+      '__**Feathercoin (FTC) Tipper**__\nTransaction Fees: **' +
+        featherFee +
+        '**\n    **!tipftc balance** : get your balance\n    **!tipftc deposit** : get address for your deposits\n    **!tipufo withdraw <ADDRESS> <AMOUNT>** : withdraw coins to specified address\n    **!tipftc <@user> <amount>** :mention a user with @ and then the amount to tip them\n    **!tipftc private <user> <amount>** : put private before Mentioning a user to tip them privately.\n\n    **<> : Replace with appropriate value.**',
     );
-  }
+  },
 };
diff --git a/bot/modules/lbcTipper.js b/bot/modules/lbcTipper.js
@@ -158,7 +158,11 @@ function doWithdraw(message, tipper, words, helpmsg) {
       }
       lbc.sendFrom(tipper, address, Number(amount), function (err, txId) {
         if (err) {
-          message.reply(err.message).then((message) => message.delete(10000));
+          console.error(err);
+          message
+            .reply('An internal error occurred while processing your request.')
+            .then((message) => message.delete(10000))
+            .catch(console.error);
         } else {
           message.channel.send({
             embed: {
@@ -263,7 +267,11 @@ function doTip(bot, message, tipper, words, helpmsg) {
 function sendLBC(bot, message, tipper, recipient, amount, privacyFlag) {
   getAddress(recipient.toString(), function (err, address) {
     if (err) {
-      message.reply(err.message).then((message) => message.delete(10000));
+      console.error(err);
+      message
+        .reply('An internal error occurred while processing your request.')
+        .then((message) => message.delete(10000))
+        .catch(console.error);
     } else {
       lbc.sendFrom(
         tipper,
@@ -274,7 +282,13 @@ function sendLBC(bot, message, tipper, recipient, amount, privacyFlag) {
         null,
         function (err, txId) {
           if (err) {
-            message.reply(err.message).then((message) => message.delete(10000));
+            console.error(err);
+            message
+              .reply(
+                'An internal error occurred while processing your request.',
+              )
+              .then((message) => message.delete(10000))
+              .catch(console.error);
           } else {
             if (privacyFlag) {
               let userProfile = message.guild.members.get(recipient); // ⚡ Bolt: O(1) direct ID lookup vs O(N) linear search;

diff --git a/bot/modules/protonTipper.js b/bot/modules/protonTipper.js
@@ -158,7 +158,11 @@ function doWithdraw(message, tipper, words, helpmsg) {
       }
       proton.sendFrom(tipper, address, Number(amount), function (err, txId) {
         if (err) {
-          message.reply(err.message).then((message) => message.delete(10000));
+          console.error(err);
+          message
+            .reply('An internal error occurred while processing your request.')
+            .then((message) => message.delete(10000))
+            .catch(console.error);
         } else {
           message.channel.send({
             embed: {
@@ -263,7 +267,11 @@ function doTip(bot, message, tipper, words, helpmsg) {
 function sendPROTON(bot, message, tipper, recipient, amount, privacyFlag) {
   getAddress(recipient.toString(), function (err, address) {
     if (err) {
-      message.reply(err.message).then((message) => message.delete(10000));
+      console.error(err);
+      message
+        .reply('An internal error occurred while processing your request.')
+        .then((message) => message.delete(10000))
+        .catch(console.error);
     } else {
       proton.sendFrom(
         tipper,
@@ -274,7 +282,13 @@ function sendPROTON(bot, message, tipper, recipient, amount, privacyFlag) {
         null,
         function (err, txId) {
           if (err) {
-            message.reply(err.message).then((message) => message.delete(10000));
+            console.error(err);
+            message
+              .reply(
+                'An internal error occurred while processing your request.',
+              )
+              .then((message) => message.delete(10000))
+              .catch(console.error);
           } else {
             if (privacyFlag) {
               let userProfile = message.guild.members.get(recipient); // ⚡ Bolt: O(1) direct ID lookup vs O(N) linear search;

diff --git a/bot/modules/pxcTipper.js b/bot/modules/pxcTipper.js
@@ -158,7 +158,11 @@ function doWithdraw(message, tipper, words, helpmsg) {
       }
       pxc.sendFrom(tipper, address, Number(amount), function (err, txId) {
         if (err) {
-          message.reply(err.message).then((message) => message.delete(10000));
+          console.error(err);
+          message
+            .reply('An internal error occurred while processing your request.')
+            .then((message) => message.delete(10000))
+            .catch(console.error);
         } else {
           message.channel.send({
             embed: {
@@ -263,7 +267,11 @@ function doTip(bot, message, tipper, words, helpmsg) {
 function sendPXC(bot, message, tipper, recipient, amount, privacyFlag) {
   getAddress(recipient.toString(), function (err, address) {
     if (err) {
-      message.reply(err.message).then((message) => message.delete(10000));
+      console.error(err);
+      message
+        .reply('An internal error occurred while processing your request.')
+        .then((message) => message.delete(10000))
+        .catch(console.error);
     } else {
       pxc.sendFrom(
         tipper,
@@ -274,7 +282,13 @@ function sendPXC(bot, message, tipper, recipient, amount, privacyFlag) {
         null,
         function (err, txId) {
           if (err) {
-            message.reply(err.message).then((message) => message.delete(10000));
+            console.error(err);
+            message
+              .reply(
+                'An internal error occurred while processing your request.',
+              )
+              .then((message) => message.delete(10000))
+              .catch(console.error);
           } else {
             if (privacyFlag) {
               let userProfile = message.guild.members.get(recipient); // ⚡ Bolt: O(1) direct ID lookup vs O(N) linear search;