---
name: pump-security
description: "Defense-in-depth security across Rust, TypeScript, and Bash for the Pump SDK — cryptographic key handling, memory zeroization, secure file I/O, input validation, privilege management, dependency auditing, and a 60+ item security checklist."
metadata:
  openclaw:
    homepage: https://github.com/nirholas/pump-fun-sdk
---

# Security Practices — Cryptographic Safety, Memory Zeroization & Hardened I/O

Defense-in-depth security across Rust, TypeScript, and Bash: key handling, memory zeroization, secure file I/O, input validation, privilege management, and dependency auditing.

## Memory Zeroization

### Rust
```rust
use zeroize::Zeroize;

struct SecureBytes(Vec<u8>);

impl Drop for SecureBytes {
    fn drop(&mut self) {
        self.0.zeroize();
    }
}
```

### TypeScript
```typescript
try {
  // ... use secretKey
} finally {
  secretKey.fill(0);
  // Best-effort: GC may have copied the buffer
}
```

### Shell
```bash
shred -u "$keypair_file" 2>/dev/null || rm -P "$keypair_file"
```

## RNG Quality

| Language | Source | Verification |
|----------|--------|-------------|
| Rust | `OsRng` | Verify via `solana-sdk` internals |
| TypeScript | `crypto.getRandomValues` | Node.js built-in CSPRNG |
| Shell | `solana-keygen` | Delegates to Rust `OsRng` |

## Keypair Integrity Verification

1. Re-derive public key from secret key
2. Compare derived key with stored public key
3. Sign a test message with the keypair
4. Verify the signature with the public key
5. Validate Base58 encoding roundtrip

## Secure File I/O

- Set permissions to `0o600` before writing content (race-free on Unix)
- Use `O_CREAT | O_EXCL` to prevent overwrites
- Write to temp file + atomic rename for crash safety
- Never write secret keys to stdout unless explicitly requested

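An added example (not code from the Pump SDK or this skill file) that applies the bullets above in Rust with only the standard library: the file is created with `O_CREAT | O_EXCL` and mode `0o600` in one call, synced, and only then published under its final name. It publishes with `hard_link` plus unlink instead of `rename`, because `rename` would silently replace an existing key file; `write_secret_file` and the temp-file suffix are names chosen for this example.

```rust
use std::fs::{self, OpenOptions};
use std::io::{self, Write};
use std::os::unix::fs::OpenOptionsExt;
use std::path::{Path, PathBuf};

/// Write `secret` to `dest` with owner-only permissions, never replacing an
/// existing file. The function name and temp-file suffix are this example's own.
fn write_secret_file(dest: &Path, secret: &[u8]) -> io::Result<()> {
    // Temp file beside `dest`, so the final link stays on one filesystem.
    let mut name = dest.as_os_str().to_owned();
    name.push(format!(".tmp.{}", std::process::id()));
    let tmp = PathBuf::from(name);

    // create_new is O_CREAT | O_EXCL; mode(0o600) applies at creation, so the
    // file never exists with wider permissions and no later chmod is needed.
    let mut f = OpenOptions::new()
        .write(true)
        .create_new(true)
        .mode(0o600)
        .open(&tmp)?;

    let result = f
        .write_all(secret)
        .and_then(|_| f.sync_all()) // flush to disk before publishing
        // hard_link fails with AlreadyExists where rename would replace `dest`.
        .and_then(|_| fs::hard_link(&tmp, dest));
    let _ = fs::remove_file(&tmp); // the temp name goes away on success and failure
    result
}

fn main() -> io::Result<()> {
    // Constructed sample: placeholder bytes, not a real key.
    let dest = std::env::temp_dir().join(format!("example-key-{}.bin", std::process::id()));
    write_secret_file(&dest, b"constructed-secret-bytes")?;
    println!("second write: {:?}", write_secret_file(&dest, b"other").map_err(|e| e.kind()));
    fs::remove_file(&dest)
}
```

The requested mode is still filtered by the process umask, which can only remove permission bits, never add them.
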
## Input Validation

| Input | Validation |
|-------|-----------|
| Base58 address | Regex: `^[1-9A-HJ-NP-Za-km-z]{32,44}$` |
| File paths | Reject `..`, prevent traversal |
| Tool inputs | Zod schemas in MCP server |
| Shell arguments | Quoted variables, no eval |

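An added example, not code from the Pump SDK, covering the Base58 and file-path rows of the table above together with step 5 of the keypair integrity check. The regex constrains only alphabet and length, so this std-only Rust code also decodes the address to exactly 32 bytes, re-encodes it to confirm the roundtrip, and checks paths per component for `..`; all function names are this example's own.

```rust
use std::path::{Component, Path};

const ALPHABET: &[u8; 58] = b"123456789ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz";

/// Convert big-endian digits from base `from` to base `to`, keeping leading zeros.
fn convert(input: &[u8], from: u32, to: u32) -> Vec<u8> {
    let mut out: Vec<u8> = Vec::new(); // least significant digit first
    for &d in input {
        let mut carry = d as u32;
        for o in out.iter_mut() {
            carry += (*o as u32) * from;
            *o = (carry % to) as u8;
            carry /= to;
        }
        while carry > 0 {
            out.push((carry % to) as u8);
            carry /= to;
        }
    }
    out.extend(input.iter().take_while(|&&d| d == 0).map(|_| 0u8));
    out.reverse();
    out
}

fn b58_encode(bytes: &[u8]) -> String {
    convert(bytes, 256, 58).iter().map(|&d| ALPHABET[d as usize] as char).collect()
}

/// Returns None if `s` contains a character outside the Base58 alphabet.
fn b58_decode(s: &str) -> Option<Vec<u8>> {
    let idx = |c: u8| ALPHABET.iter().position(|&a| a == c).map(|i| i as u8);
    Some(convert(&s.bytes().map(idx).collect::<Option<Vec<u8>>>()?, 58, 256))
}

/// The regex's length bounds, plus the 32-byte decode and roundtrip it cannot express.
fn is_valid_address(s: &str) -> bool {
    (32..=44).contains(&s.len())
        && matches!(b58_decode(s), Some(b) if b.len() == 32 && b58_encode(&b) == s)
}

/// True if any path component is `..`; a file name like `..hidden` does not match.
fn has_parent_component(p: &str) -> bool {
    Path::new(p).components().any(|c| c == Component::ParentDir)
}

fn main() {
    // Constructed input: 33 '1' characters match the regex but decode to 33 bytes.
    println!("{}", is_valid_address(&"1".repeat(33)));
    println!("{}", has_parent_component("keys/../id.json"));
}
```

The per-component `..` check does not resolve symlinks or reject absolute paths; where those matter, canonicalize the path and compare it against an allowed base directory.
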
## Security Checklist Summary (60+ items)

Key categories:
- Cryptographic library allowlist
- Memory zeroization in all code paths
- File permission enforcement
- Input validation and sanitization
- Error message information leakage prevention
- Dependency auditing (`cargo audit`, `npm audit`)
- No network calls during key generation
- Secret key never in logs, error messages, or telemetry

## Attack Vectors to Test

| Vector | Defense |
|--------|---------|
| Weak RNG | Only CSPRNG (OsRng / crypto.getRandomValues) |
| Memory dump | Zeroize on drop/finally |
| File permission leak | 0o600 enforcement |
| Path traversal | Input validation |
| Shell injection | Quoted variables, no eval |
| Dependency supply chain | cargo audit, npm audit |

## Patterns to Follow

- Always use approved crypto libraries: `solana-sdk`, `@solana/web3.js`, `solana-keygen`
- Zeroize key material in all code paths (success, error, early return)
- Set file permissions before writing content
- Validate all inputs at the boundary (CLI args, API inputs, file paths)
- Never log or display secret keys
- Run dependency audits in CI

## Common Pitfalls

- JavaScript `fill(0)` is best-effort — GC may relocate buffers
- Rust `String` types may leave copies in memory — use `Vec<u8>` with `Zeroize`
- `chmod` after `write` has a race window — prefer `fchmod` or umask
- Error messages must not include secret key material
- `cargo audit` may miss recently disclosed CVEs — supplement with manual review