verticalcoin · DerUntote · Jun 16, 2026
diff --git a/.jules/sentinel.md b/.jules/sentinel.md
@@ -0,0 +1,4 @@
+## 2024-06-16 - Prevent sensitive information leakage via RPC error messages
+**Vulnerability:** The TipBot passes unhandled internal RPC errors (`err.message`) back to Discord users via `message.reply(err.message)`. This can lead to sensitive information leakage since error messages from backend daemons can expose details like system paths, configuration arguments, and inner architecture, depending on the error type and RPC implementation.
+**Learning:** Returning unhandled or verbose back-end error messages directly to front-end clients violates the security principle of secure failure (failing securely without exposing info on error). Instead of leaking internal details, generic error responses should be provided while the actual error is logged securely on the backend.
+**Prevention:** Always provide generic user-facing error messages ("An error occurred.") while logging `err` via `console.error` for the developers. Also make sure to append proper `.catch()` handlers when manipulating Discord messages.
diff --git a/bot/bot.js b/bot/bot.js
@@ -12,25 +12,27 @@ config = config.get('bot');
 var aliases;
 // check if any aliases are defined
 try {
-  var time = moment()
-    .tz('America/Los_Angeles')
-    .format('MM-DD-YYYY hh:mm a');
+  var time = moment().tz('America/Los_Angeles').format('MM-DD-YYYY hh:mm a');
   aliases = require('./alias.json');
-  console.log('[' + time + ' PST][' + pm2Name + '] ' + Object.keys(aliases).length + ' aliases Loaded!');
+  console.log(
+    '[' +
+      time +
+      ' PST][' +
+      pm2Name +
+      '] ' +
+      Object.keys(aliases).length +
+      ' aliases Loaded!',
+  );
 } catch (e) {
-  var time = moment()
-    .tz('America/Los_Angeles')
-    .format('MM-DD-YYYY hh:mm a');
+  var time = moment().tz('America/Los_Angeles').format('MM-DD-YYYY hh:mm a');
   console.log('[' + time + ' PST][' + pm2Name + '] No aliases defined');
 }
 var commands = {};
 
 var bot = new Discord.Client();
 
-bot.on('ready', function() {
-  var time = moment()
-    .tz('America/Los_Angeles')
-    .format('MM-DD-YYYY hh:mm a');
+bot.on('ready', function () {
+  var time = moment().tz('America/Los_Angeles').format('MM-DD-YYYY hh:mm a');
   console.log(
     '[' +
       time +
@@ -40,21 +42,19 @@ bot.on('ready', function() {
       bot.user.username +
       'Logged in! Serving in ' +
       bot.guilds.size + // ⚡ Bolt: O(1) property lookup vs O(N) array creation
-      ' servers'
+      ' servers',
+  );
+  bot.channels.get(logChannel).send(
+    '[' +
+      time +
+      ' PST][' +
+      pm2Name +
+      '] ' +
+      bot.user.username +
+      'Logged in! Serving in ' +
+      bot.guilds.size + // ⚡ Bolt: O(1) property lookup vs O(N) array creation
+      ' servers',
   );
-  bot.channels
-    .get(logChannel)
-    .send(
-      '[' +
-        time +
-        ' PST][' +
-        pm2Name +
-        '] ' +
-        bot.user.username +
-        'Logged in! Serving in ' +
-        bot.guilds.size + // ⚡ Bolt: O(1) property lookup vs O(N) array creation
-        ' servers'
-    );
   require('./plugins.js').init();
   console.log(
     '[' +
@@ -63,7 +63,7 @@ bot.on('ready', function() {
       pm2Name +
       '] type ' +
       config.prefix +
-      'tiphelp in Discord for a commands list.'
+      'tiphelp in Discord for a commands list.',
   );
   bot.channels
     .get(logChannel)
@@ -74,10 +74,19 @@ bot.on('ready', function() {
         pm2Name +
         '] type ' +
         config.prefix +
-        'tiphelp in Discord for a commands list.'
+        'tiphelp in Discord for a commands list.',
     );
   bot.user.setActivity(config.prefix + 'Intialized!');
-  var text = ['tiprvn', 'tipdoge', 'tiplbc', 'tipufo', 'tipproton', 'tippxc', 'tipftc', 'tiphelp'];
+  var text = [
+    'tiprvn',
+    'tipdoge',
+    'tiplbc',
+    'tipufo',
+    'tipproton',
+    'tippxc',
+    'tipftc',
+    'tiphelp',
+  ];
   var counter = 0;
   setInterval(change, 10000);
 
@@ -90,40 +99,32 @@ bot.on('ready', function() {
   }
 });
 
-process.on('uncaughtException', err => {
-  var time = moment()
-    .tz('America/Los_Angeles')
-    .format('MM-DD-YYYY hh:mm a');
+process.on('uncaughtException', (err) => {
+  var time = moment().tz('America/Los_Angeles').format('MM-DD-YYYY hh:mm a');
   console.log('[' + time + ' PST][' + pm2Name + '] uncaughtException: ' + err);
   bot.channels
     .get(logChannel)
     .send('[' + time + ' PST][' + pm2Name + '] uncaughtException: ' + err);
   process.exit(1); //exit node.js with an error
 });
 
-process.on('unhandledRejection', err => {
-  var time = moment()
-    .tz('America/Los_Angeles')
-    .format('MM-DD-YYYY hh:mm a');
+process.on('unhandledRejection', (err) => {
+  var time = moment().tz('America/Los_Angeles').format('MM-DD-YYYY hh:mm a');
   console.log('[' + time + ' PST][' + pm2Name + '] unhandledRejection: ' + err);
   bot.channels
     .get(logChannel)
     .send('[' + time + ' PST][' + pm2Name + '] unhandledRejection: ' + err);
   process.exit(1); //exit node.js with an error
 });
 
-bot.on('disconnected', function() {
-  var time = moment()
-    .tz('America/Los_Angeles')
-    .format('MM-DD-YYYY hh:mm a');
+bot.on('disconnected', function () {
+  var time = moment().tz('America/Los_Angeles').format('MM-DD-YYYY hh:mm a');
   console.log('[' + time + ' PST][' + pm2Name + '] Disconnected!');
   process.exit(1); //exit node.js with an error
 });
 
-bot.on('error', function(error) {
-  var time = moment()
-    .tz('America/Los_Angeles')
-    .format('MM-DD-YYYY hh:mm a');
+bot.on('error', function (error) {
+  var time = moment().tz('America/Los_Angeles').format('MM-DD-YYYY hh:mm a');
   console.log('[' + time + ' PST][' + pm2Name + '] error: ' + error);
   process.exit(1); //exit node.js with an error
 });
@@ -139,29 +140,29 @@ function checkMessageForCommand(msg, isEdit) {
     ) {
       msg.author
         .send('Please set your Discord Presence to Online to talk to the bot!')
-        .catch(function(error) {
+        .catch(function (error) {
           msg.channel
             .send(
               msg.author +
-                ', Please enable Direct Messages from server members to communicate fully with our bot, it is located in the user setting area under Privacy & Safety tab, select the option allow direct messages from server members'
+                ', Please enable Direct Messages from server members to communicate fully with our bot, it is located in the user setting area under Privacy & Safety tab, select the option allow direct messages from server members',
             )
             .then(
               msg.channel.send(
-                'Please set your Discord Presence to Online to talk to the Bot!'
-              )
+                'Please set your Discord Presence to Online to talk to the Bot!',
+              ),
             );
           return;
         });
     }
     var cmdTxt = msg.content.split(' ')[0].substring(config.prefix.length);
     var suffix = msg.content.substring(
-      cmdTxt.length + config.prefix.length + 1
+      cmdTxt.length + config.prefix.length + 1,
     ); //add one for the ! and one for the space
     if (msg.isMentioned(bot.user)) {
       try {
         cmdTxt = msg.content.split(' ')[1];
         suffix = msg.content.substring(
-          bot.user.mention().length + cmdTxt.length + config.prefix.length + 1
+          bot.user.mention().length + cmdTxt.length + config.prefix.length + 1,
         );
       } catch (e) {
         //no command
@@ -182,7 +183,7 @@ function checkMessageForCommand(msg, isEdit) {
           msg.content +
           ' from ' +
           msg.author.username +
-          ' as command'
+          ' as command',
       );
       try {
         cmd.process(bot, msg, suffix, isEdit);
@@ -214,37 +215,33 @@ function checkMessageForCommand(msg, isEdit) {
   }
 }
 
-bot.on('message', msg => checkMessageForCommand(msg, false));
+bot.on('message', (msg) => checkMessageForCommand(msg, false));
 
-exports.addCommand = function(commandName, commandObject) {
+exports.addCommand = function (commandName, commandObject) {
   try {
     commands[commandName] = commandObject;
   } catch (err) {
-    var time = moment()
-      .tz('America/Los_Angeles')
-      .format('MM-DD-YYYY hh:mm a');
+    var time = moment().tz('America/Los_Angeles').format('MM-DD-YYYY hh:mm a');
     console.log('[' + time + ' PST][' + pm2Name + '] Error addCommand: ' + err);
     bot.channels
       .get(logChannel)
       .send('[' + time + ' PST][' + pm2Name + '] Error addCommand: ' + err);
   }
 };
-exports.addCustomFunc = function(customFunc) {
+exports.addCustomFunc = function (customFunc) {
   try {
     customFunc(bot);
   } catch (err) {
-    var time = moment()
-      .tz('America/Los_Angeles')
-      .format('MM-DD-YYYY hh:mm a');
+    var time = moment().tz('America/Los_Angeles').format('MM-DD-YYYY hh:mm a');
     console.log(
-      '[' + time + ' PST][' + pm2Name + '] Error addCustomFunc: ' + err
+      '[' + time + ' PST][' + pm2Name + '] Error addCustomFunc: ' + err,
     );
     bot.channels
       .get(logChannel)
       .send('[' + time + ' PST][' + pm2Name + '] Error addCustomFunc: ' + err);
   }
 };
-exports.commandCount = function() {
+exports.commandCount = function () {
   return Object.keys(commands).length;
 };
 

diff --git a/bot/modules/bot-uptime.js b/bot/modules/bot-uptime.js
@@ -6,20 +6,20 @@ exports.commands = ['uptime'];
 exports.uptime = {
   usage: '',
   description: 'gets Uptime for Bot',
-  process: function(bot, msg, suffix) {
+  process: function (bot, msg, suffix) {
     if (suffix != pm2Name) {
       return;
     }
     msg.channel.send(
       'i have been Online for ' +
-      Math.round(bot.uptime / (1000 * 60 * 60 * 24)) +
-      ' days, ' +
-      Math.round(bot.uptime / (1000 * 60 * 60)) +
-      ' hours, ' +
-      Math.round(bot.uptime / (1000 * 60)) % 60 +
-      ' minutes, and ' +
-      Math.round(bot.uptime / 1000) % 60 +
-      ' seconds'
+        Math.round(bot.uptime / (1000 * 60 * 60 * 24)) +
+        ' days, ' +
+        Math.round(bot.uptime / (1000 * 60 * 60)) +
+        ' hours, ' +
+        (Math.round(bot.uptime / (1000 * 60)) % 60) +
+        ' minutes, and ' +
+        (Math.round(bot.uptime / 1000) % 60) +
+        ' seconds',
     );
-  }
+  },
 };
diff --git a/bot/modules/dogeTipper.js b/bot/modules/dogeTipper.js
@@ -158,7 +158,11 @@ function doWithdraw(message, tipper, words, helpmsg) {
       }
       doge.sendFrom(tipper, address, Number(amount), function (err, txId) {
         if (err) {
-          message.reply(err.message).then((message) => message.delete(10000));
+          console.error(err);
+          message
+            .reply('An error occurred.')
+            .then((m) => m.delete(10000).catch(() => {}))
+            .catch(() => {});
         } else {
           message.channel.send({
             embed: {
@@ -263,7 +267,11 @@ function doTip(bot, message, tipper, words, helpmsg) {
 function sendDOGE(bot, message, tipper, recipient, amount, privacyFlag) {
   getAddress(recipient.toString(), function (err, address) {
     if (err) {
-      message.reply(err.message).then((message) => message.delete(10000));
+      console.error(err);
+      message
+        .reply('An error occurred.')
+        .then((m) => m.delete(10000).catch(() => {}))
+        .catch(() => {});
     } else {
       doge.sendFrom(
         tipper,
@@ -274,7 +282,11 @@ function sendDOGE(bot, message, tipper, recipient, amount, privacyFlag) {
         null,
         function (err, txId) {
           if (err) {
-            message.reply(err.message).then((message) => message.delete(10000));
+            console.error(err);
+            message
+              .reply('An error occurred.')
+              .then((m) => m.delete(10000).catch(() => {}))
+              .catch(() => {});
           } else {
             if (privacyFlag) {
               let userProfile = message.guild.members.get(recipient); // ⚡ Bolt: O(1) direct ID lookup vs O(N) linear search;

diff --git a/bot/modules/exampleTipper.js b/bot/modules/exampleTipper.js
@@ -143,7 +143,8 @@ function doWithdraw(message, tipper, words, helpmsg) {
       }
       ltc.sendFrom(tipper, address, Number(amount), function(err, txId) {
         if (err) {
-          message.reply(err.message).then(message => message.delete(10000));
+          console.error(err);
+          message.reply('An error occurred.').then((m) => m.delete(10000).catch(() => {})).catch(() => {});
         } else {
         message.channel.send({embed:{
         title: '**:outbox_tray::money_with_wings::moneybag:Litecoin (LTC) Transaction Completed!:moneybag::money_with_wings::outbox_tray:**',
@@ -228,11 +229,13 @@ function doTip(bot, message, tipper, words, helpmsg) {
 function sendLTC(bot, message, tipper, recipient, amount, privacyFlag) {
   getAddress(recipient.toString(), function(err, address) {
     if (err) {
-      message.reply(err.message).then(message => message.delete(10000));
+      console.error(err);
+          message.reply('An error occurred.').then((m) => m.delete(10000).catch(() => {})).catch(() => {});
     } else {
           ltc.sendFrom(tipper, address, Number(amount), 1, null, null, function(err, txId) {
               if (err) {
-                message.reply(err.message).then(message => message.delete(10000));
+                console.error(err);
+          message.reply('An error occurred.').then((m) => m.delete(10000).catch(() => {})).catch(() => {});
               } else {
                 if (privacyFlag) {
                   let userProfile = message.guild.members.get(recipient) // ⚡ Bolt: O(1) direct ID lookup vs O(N) linear search;

diff --git a/bot/modules/ftcTipper.js b/bot/modules/ftcTipper.js
@@ -158,7 +158,11 @@ function doWithdraw(message, tipper, words, helpmsg) {
       }
       ftc.sendFrom(tipper, address, Number(amount), function (err, txId) {
         if (err) {
-          message.reply(err.message).then((message) => message.delete(10000));
+          console.error(err);
+          message
+            .reply('An error occurred.')
+            .then((m) => m.delete(10000).catch(() => {}))
+            .catch(() => {});
         } else {
           message.channel.send({
             embed: {
@@ -263,7 +267,11 @@ function doTip(bot, message, tipper, words, helpmsg) {
 function sendFTC(bot, message, tipper, recipient, amount, privacyFlag) {
   getAddress(recipient.toString(), function (err, address) {
     if (err) {
-      message.reply(err.message).then((message) => message.delete(10000));
+      console.error(err);
+      message
+        .reply('An error occurred.')
+        .then((m) => m.delete(10000).catch(() => {}))
+        .catch(() => {});
     } else {
       ftc.sendFrom(
         tipper,
@@ -274,7 +282,11 @@ function sendFTC(bot, message, tipper, recipient, amount, privacyFlag) {
         null,
         function (err, txId) {
           if (err) {
-            message.reply(err.message).then((message) => message.delete(10000));
+            console.error(err);
+            message
+              .reply('An error occurred.')
+              .then((m) => m.delete(10000).catch(() => {}))
+              .catch(() => {});
           } else {
             if (privacyFlag) {
               let userProfile = message.guild.members.get(recipient); // ⚡ Bolt: O(1) direct ID lookup vs O(N) linear search;