
security: fix faucet rate limiting, backup key permissions, and ECDSA signature exposure#115

Draft
Copilot wants to merge 2 commits into main from copilot/fix-faucet-nginx-rate-limiting

Conversation

Copilot AI commented Mar 4, 2026

Three high-severity security issues: faucet API had no rate limiting (token drain vector), staking key backups were world-readable plaintext, and full ECDSA signature components (r, s, v) were published in the README alongside nonce and transaction data.

Faucet nginx rate limiting (faucet/default)

  • Added limit_req_zone at 1 req/min per IP with a 10 MB shared zone
  • /api/ location now enforces burst=2 nodelay, returns 429 on excess, and caps body size at 1 KB
limit_req_zone $binary_remote_addr zone=faucet_limit:10m rate=1r/m;

location /api/ {
    limit_req zone=faucet_limit burst=2 nodelay;
    limit_req_status 429;
    client_max_body_size 1k;
    proxy_pass http://faucet;
}

Backup script hardening (chains/backup-validator.sh)

  • Switched shebang to #!/bin/bash to support set -euo pipefail
  • umask 077 + explicit chmod 600 ensure archive is never world-readable
  • Filename now includes full timestamp (%Y%m%d-%H%M%S) to prevent same-day overwrites
  • Added comment recommending GPG encryption of the resulting archive

ECDSA signature scrub (README.md)

  • Replaced the full mainnet transaction object (containing r, s, v, nonce, data, blockHash, gasPrice) with a minimal summary — retaining only hash, blockNumber, from, to, and chainId
Original prompt

This section details the original issue you should resolve

<issue_title>[Security][High] Faucet abuse vector, unencrypted staking key backups, and ECDSA signature exposure in docs</issue_title>
<issue_description>## Security Findings — High Severity

Three high-severity security issues were identified that are not covered by existing issues (#93, #94, #95, #107).


1. Faucet Nginx Config Missing Rate Limiting — Token Drain Vector

File: faucet/default (lines 121–129)

The faucet nginx configuration at faucet.num.network exposes /api/ as a direct proxy to the faucet backend (localhost:8000) with no rate limiting, no request size limits, and no connection limits. An attacker can drain the faucet wallet by making rapid automated requests.

location /api/ {
    proxy_pass http://faucet;
}

Suggested fix: Add rate limiting specific to the faucet API:

# limit_req_zone is only valid in the http{} context, not inside server{}
limit_req_zone $binary_remote_addr zone=faucet_limit:10m rate=1r/m;

location /api/ {
    limit_req zone=faucet_limit burst=2 nodelay;
    # limit_conn_status only applies to limit_conn; limit_req rejections default to 503
    limit_req_status 429;
    client_max_body_size 1k;
    proxy_pass http://faucet;
}

2. Backup Script Creates World-Readable, Unencrypted Staking Key Archive

File: chains/backup-validator.sh (lines 1–11)

The backup script archives ~/.avalanchego/staking/ (containing staker.crt and staker.key) into an unencrypted tar.gz with default umask permissions (potentially world-readable). The staking private key is stored in plaintext.

TARGET_DIR=".avalanchego/staking/"
BACKUP_FILE_NAME="$(hostname).tar.gz"
cd ~
tar czvf ${BACKUP_FILE_NAME} ${TARGET_DIR}

Suggested fix:

#!/bin/bash
# bash rather than sh: 'set -o pipefail' is not POSIX and fails under dash
set -euo pipefail
TARGET_DIR=".avalanchego/staking/"
BACKUP_FILE_NAME="$HOME/$(hostname)-staking-$(date +%Y%m%d).tar.gz"
umask 077
tar czf "$BACKUP_FILE_NAME" -C "$HOME" "$TARGET_DIR"
chmod 600 "$BACKUP_FILE_NAME"
echo "Backup created: $BACKUP_FILE_NAME (permissions: 600)"
# Consider encrypting with: gpg --symmetric --cipher-algo AES256 "$BACKUP_FILE_NAME"

3. Full ECDSA Signature Components (r, s, v) for Admin Wallet Exposed in Documentation

File: README.md (lines 629–648)

The README contains a full transaction object from the mainnet admin wallet (0x8Cba0477d89394E6d8aD658E11d52113A2DA4Ab2) including ECDSA signature components r, s, and v, along with nonce, gas price, and data payload. Publishing these values alongside the nonce and transaction parameters provides a complete set of ECDSA signature data that could theoretically assist in private key recovery if combined with any implementation weakness (e.g., nonce reuse).

r: '0x01e0c663a55757e12237f001811cab7a610c3ebfeba99ac9f0e29cbe4f4bd5ed',
s: '0x38b126e31bb8ee608e45554956c9a6eefb091961755283f9dff69964c2512f41',
v: 21049,

Suggested fix: Remove the full transaction object. Replace with a summary or link to a block explorer.


Generated by Health Monitor with Omni</issue_description>
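What the `limit_req zone=faucet_limit burst=2 nodelay` line actually lets through is easy to misread, so here is an added accept/reject model of nginx's limit_req accounting (example code, not part of this PR or of the faucet repository). nginx keeps a per-key "excess" counter in thousandths of a request: each request adds 1000 after draining rate*elapsed, and is rejected when the result would exceed burst*1000. The first request for a key creates the entry at excess 0, which is why burst+1 requests pass on a cold bucket. `nodelay` only decides whether accepted burst requests are forwarded immediately or paced; it does not change which requests get 429. The client address is constructed; the model uses exact arithmetic where nginx truncates to integer milliseconds, so real boundaries at 1r/m can differ by a few hundred milliseconds. Two caveats for the deployment: `limit_req_zone` must sit in the `http{}` context, and `$binary_remote_addr` is the peer address, so behind a CDN or load balancer the real client IP has to be restored first (otherwise every user shares one bucket). Per-IP limiting slows a drain from one address; it does not stop an attacker who rotates addresses.

```python
from fractions import Fraction


class LimitReq:
    """Accept/reject model of nginx limit_req (leaky bucket via 'excess' accounting).

    Per key: excess counts thousandths of a request. A request first drains
    rate * elapsed, then adds 1000; if the total exceeds burst * 1000 it is
    rejected and the stored state is left untouched (as in nginx).
    """

    def __init__(self, rate_per_minute, burst):
        # Exact fractions; nginx uses integer ms arithmetic (close, not identical).
        self.drain_per_ms = Fraction(rate_per_minute * 1000, 60_000)
        self.burst = burst * 1000
        self.state = {}  # key -> (excess, last_accepted_ms)

    def check(self, key, now_ms):
        """Return the status nginx would answer: 200 (proxied) or 429."""
        if key not in self.state:
            # New entry starts at excess 0, so the creating request is free.
            self.state[key] = (Fraction(0), now_ms)
            return 200
        excess, last = self.state[key]
        excess = max(Fraction(0), excess - self.drain_per_ms * (now_ms - last)) + 1000
        if excess > self.burst:
            return 429  # limit_req_status 429; nothing stored for a rejected request
        self.state[key] = (excess, now_ms)
        return 200


def simulate(limiter, key, arrivals_ms):
    """Statuses for a sequence of arrival times (ms) from one client key."""
    return [limiter.check(key, t) for t in arrivals_ms]


if __name__ == "__main__":
    # rate=1r/m burst=2 as in the faucet config; 203.0.113.7 is a constructed client.
    lim = LimitReq(rate_per_minute=1, burst=2)
    print(simulate(lim, "203.0.113.7", [0, 10, 20, 30]))    # [200, 200, 200, 429]
    print(simulate(lim, "203.0.113.7", [60_000, 60_010]))   # [200, 429]
```

Reading the output: a cold client gets three requests through instantly (one free plus burst=2), the fourth is a 429, and from then on one request per minute is accepted. After the bucket has fully drained (two idle minutes at this rate) only burst=2 requests pass in quick succession, because the "free" first request is a one-time effect of entry creation.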
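The third finding says the published r, s and v "could theoretically assist in private key recovery if combined with any implementation weakness (e.g., nonce reuse)". Worth being precise about, because r, s and v of any mined transaction are returned by `eth_getTransactionByHash` from any node; scrubbing them from the README removes a convenience for an attacker, not the data. What actually leaks a key is the signer reusing the ECDSA nonce k for two different messages, which shows up on-chain as two signatures with the same r. The following is an added, self-contained worked example (not code from this PR or the project): textbook ECDSA over secp256k1 in pure Python, the recovery of d from two same-k signatures, the check that a fresh k gives a different r so the attack has no foothold, and the EIP-155 decoding of the chain ID from the page's v value (v = chainId*2 + 35 + parity). The private key and nonce are arbitrary constructed constants; SHA-256 stands in for keccak256 since only the algebra matters. Requires Python 3.8+ for `pow(x, -1, m)`.

```python
import hashlib

# secp256k1 domain parameters (the curve Ethereum-style chains sign with).
P = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEFFFFFC2F
N = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141
G = (0x79BE667EF9DCBBAC55A06295CE870B07029BFCDB2DCE28D959F2815B16F81798,
     0x483ADA7726A3C4655DA4FBFC0E1108A8FD17B448A68554199C47D08FFB10D4B8)

# Constructed demo key and nonce: arbitrary values, not any real wallet's.
DEMO_PRIVATE_KEY = 0x6b1c2d3e4f5a60718293a4b5c6d7e8f96b1c2d3e4f5a60718293a4b5c6d7e8f9
DEMO_NONCE = 0x2a4b6c8d0e1f30415263748596a7b8c9dae0f10213243546576879808a9bacbd


def ec_add(p1, p2):
    """Affine point addition on secp256k1 (a = 0); None is the point at infinity."""
    if p1 is None:
        return p2
    if p2 is None:
        return p1
    x1, y1 = p1
    x2, y2 = p2
    if x1 == x2:
        if (y1 + y2) % P == 0:
            return None                                   # p1 == -p2
        lam = 3 * x1 * x1 * pow(2 * y1, -1, P) % P        # tangent slope (doubling)
    else:
        lam = (y2 - y1) * pow(x2 - x1, -1, P) % P
    x3 = (lam * lam - x1 - x2) % P
    return (x3, (lam * (x1 - x3) - y1) % P)


def ec_mul(k, pt):
    """Double-and-add scalar multiplication."""
    result, addend, k = None, pt, k % N
    while k:
        if k & 1:
            result = ec_add(result, addend)
        addend = ec_add(addend, addend)
        k >>= 1
    return result


def msg_hash(data):
    return int.from_bytes(hashlib.sha256(data).digest(), "big")


def sign(d, z, k):
    """Textbook ECDSA with an explicit nonce k; returns (r, s, parity of R.y)."""
    rx, ry = ec_mul(k, G)
    r = rx % N
    s = pow(k, -1, N) * (z + r * d) % N
    return r, s, ry & 1


def verify(pub, z, r, s):
    w = pow(s, -1, N)
    pt = ec_add(ec_mul(z * w % N, G), ec_mul(r * w % N, pub))
    return pt is not None and pt[0] % N == r


def recover_key_from_reused_nonce(r, s1, z1, s2, z2):
    """Same r under one key means same k: k = (z1-z2)/(s1-s2), d = (s1*k - z1)/r."""
    if (s1 - s2) % N == 0:
        raise ValueError("signatures are over the same message; nothing to solve")
    k = (z1 - z2) * pow((s1 - s2) % N, -1, N) % N
    return (s1 * k - z1) * pow(r, -1, N) % N


def chain_id_from_v(v):
    """EIP-155: v = chain_id*2 + 35 + parity; 27/28 are pre-EIP-155 (no chain id)."""
    return None if v in (27, 28) else (v - 35) // 2


def demo():
    d = DEMO_PRIVATE_KEY
    pub = ec_mul(d, G)
    z1, z2 = msg_hash(b"constructed tx #1"), msg_hash(b"constructed tx #2")
    # The bug being modelled: one k signs two different messages.
    r1, s1, _ = sign(d, z1, DEMO_NONCE)
    r2, s2, _ = sign(d, z2, DEMO_NONCE)
    leaked = recover_key_from_reused_nonce(r1, s1, z1, s2, z2) if r1 == r2 else None
    # Correct use: a fresh k gives a different r, so the precondition never holds.
    r3, _, _ = sign(d, z2, DEMO_NONCE + 1)
    return {
        "signatures_valid": verify(pub, z1, r1, s1) and verify(pub, z2, r2, s2),
        "key_recovered": leaked == d,
        "fresh_nonce_shares_r": r3 == r1,
        "chain_id_from_page_v": chain_id_from_v(21049),   # the README's v value
    }


if __name__ == "__main__":
    print(demo())
```

The practical check this suggests for the admin wallet is not whether r, s, v were ever published but whether any two of its historical signatures share an r; any explorer or node can answer that, and a signer using RFC 6979 deterministic nonces (or a well-seeded CSPRNG) never produces one.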


…sure

Co-authored-by: numbers-official <181934381+numbers-official@users.noreply.github.com>
Copilot AI changed the title from "[WIP] Fix faucet nginx config to implement rate limiting" to "security: fix faucet rate limiting, backup key permissions, and ECDSA signature exposure" on Mar 4, 2026

Development

Successfully merging this pull request may close these issues.

[Security][High] Faucet abuse vector, unencrypted staking key backups, and ECDSA signature exposure in docs

2 participants