Please do not open a public issue for security problems.
- Preferred: open a private report via GitHub → Security → Report a vulnerability (Private Vulnerability Reporting).
- Or email maple19out@gmail.com with details and, if possible, steps to reproduce.
You'll get an acknowledgement as soon as practical. Since this is a solo-maintained project, please allow reasonable time for a fix before any public disclosure.
transfer-lens reads from Solana RPC/gRPC endpoints and writes to Postgres; it holds no funds and signs no transactions. The most relevant concerns are:
- Credential handling — RPC/gRPC tokens and the Postgres URL live in
.env/config/indexer.toml(both gitignored) orINDEXER__*env vars. Never commit real credentials. The config'sDebugimpls mask URLs and tokens to avoid leaking them in logs. - SQL safety — the configurable schema name is validated to
[A-Za-z0-9_]+and identifier-quoted; all row writes are parameterized. Reports of injection vectors are welcome.
The project is pre-1.0; only the latest main is supported. Fixes land on
main rather than being backported.