Security: remove debug APIs from public archive nodes; document precompile admin risks#98

Draft
Copilot wants to merge 2 commits into main from copilot/fix-admin-address-security-issue

Conversation

Copilot AI commented Feb 28, 2026

Two critical security issues: debug/internal RPC APIs exposed on publicly accessible archive nodes, and a single EOA controlling all three precompile admin roles simultaneously.

Debug API Exposure (remediated)

Removed debug-tracer, internal-eth, internal-blockchain, internal-transaction, and internal-tx-pool from eth-apis in both mainnet and testnet archive node configs. These enable expensive trace operations and leak internal node state on publicly reachable endpoints.

Before → After (config.json for both chain IDs):

// Before
"eth-apis": ["eth", "eth-filter", "net", "web3",
  "internal-eth", "internal-blockchain", "internal-transaction",
  "internal-tx-pool", "debug-tracer"]

// After
"eth-apis": ["eth", "eth-filter", "net", "web3"]

Single EOA Precompile Admin Risk (documented)

The genesis files for mainnet/testnet/devnet use one address as admin for contractDeployerAllowListConfig, contractNativeMinterConfig, and feeManagerConfig simultaneously — one compromised key = unlimited minting + fee manipulation + deployment censorship. Since genesis files reflect deployed on-chain state, remediation requires an on-chain admin rotation to a multisig.

Documentation

  • SECURITY.md (new): Formal write-up of both findings with risk ratings, impact, and remediation steps — multisig wallet per precompile, separate admin addresses, timelock contract for existing deployments.
  • avalanchego/configs/README.md: Added Security Recommendations section covering API exposure (--http-host=127.0.0.1, no debug APIs on public nodes) and precompile admin address hardening guidance.
Original prompt

This section details the original issue you should resolve

<issue_title>[Security][Critical] Single admin address controls all precompile privileges; debug APIs exposed publicly</issue_title>
<issue_description>## Summary

Two critical security findings that together represent a significant risk to the Numbers Network:

1. Single Admin Address Controls All Precompile Privileges

A single Ethereum address serves as the sole admin for three critical precompile configurations simultaneously: contractDeployerAllowListConfig, contractNativeMinterConfig, and feeManagerConfig.

Impact: One compromised private key grants the ability to:

  • Mint unlimited native tokens (catastrophic inflation)
  • Manipulate gas fees (DoS or economic manipulation)
  • Control contract deployment (censorship)

Files affected:

  • chains/mainnet/genesis.json (lines 28-42) — admin: 0x8cba0477d89394e6d8ad658e11d52113a2da4ab2
  • chains/testnet/genesis*.json, genesis/genesis*.json — admin: 0x63B7076FC0A914Af543C2e5c201df6C29FCC18c5
  • chains/devnet/genesis.json (lines 26-42)

Suggested fix:

  • Implement a multi-signature wallet (e.g., Gnosis Safe) as the admin address
  • Separate admin addresses for different precompiles
  • Add a timelock contract for critical operations

2. Debug and Internal APIs Exposed on Archive Nodes

Both mainnet and testnet archive node configurations expose debug-tracer, internal-eth, internal-blockchain, internal-transaction, and internal-tx-pool APIs. Combined with --http-host=0.0.0.0 and --http-allowed-hosts="*" flags documented in README, these debug endpoints are potentially reachable from the open internet.

Files affected:

  • avalanchego/configs/chains/2PDRxzc6jMbZSTLb3sufkVszgQc2jtDnYZGtDTAAfom1CTwPsE/config.json (lines 4-14)
  • avalanchego/configs/chains/2oo5UvYgFQikM7KBsMXFQE3RQv3xAFFc8JY2GEBNBF1tp4JaeZ/config.json (lines 4-14)

Suggested fix:

  • Restrict debug APIs to nodes behind a firewall or VPN
  • Do NOT expose through the public Nginx reverse proxy
  • Implement rate limiting and authentication if public debug access is required
  • Bind --http-host to 127.0.0.1 instead of 0.0.0.0

🤖 Generated with Claude Code</issue_description>

Comments on the Issue (you are @copilot in this section)
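A small offline check for both findings, added here as an example and not part of this PR or the project's code: it flags the denied debug/internal APIs in a chain config.json and reports any admin address that holds more than one precompile role in a genesis.json. The `config.<precompile>.adminAddresses` layout and the sample values are assumptions.

```python
import json

# APIs the PR removes from public archive nodes.
DENIED_APIS = {"debug-tracer", "internal-eth", "internal-blockchain",
               "internal-transaction", "internal-tx-pool"}
# The three precompile configs named in the finding.
PRECOMPILES = ("contractDeployerAllowListConfig",
               "contractNativeMinterConfig", "feeManagerConfig")


def exposed_apis(chain_config: dict) -> list:
    """Return the denied APIs present in a chain config's eth-apis list."""
    return sorted(set(chain_config.get("eth-apis", [])) & DENIED_APIS)


def shared_admins(genesis: dict) -> dict:
    """Map each admin address (case-normalised) to the precompiles it controls,
    keeping only addresses that appear under more than one precompile.
    Assumes the subnet-evm layout config.<precompile>.adminAddresses."""
    holders = {}
    cfg = genesis.get("config", {})
    for name in PRECOMPILES:
        for addr in cfg.get(name, {}).get("adminAddresses", []):
            holders.setdefault(addr.lower(), []).append(name)
    return {a: p for a, p in holders.items() if len(p) > 1}


# Constructed sample inputs (placeholder addresses, not real chain data).
SAMPLE_CONFIG = json.loads("""{
  "eth-apis": ["eth", "eth-filter", "net", "web3",
               "internal-eth", "internal-blockchain", "debug-tracer"]
}""")
SAMPLE_GENESIS = json.loads("""{
  "config": {
    "contractDeployerAllowListConfig": {"blockTimestamp": 0, "adminAddresses": ["0xADMIN_PLACEHOLDER_A"]},
    "contractNativeMinterConfig": {"blockTimestamp": 0, "adminAddresses": ["0xadmin_placeholder_a"]},
    "feeManagerConfig": {"blockTimestamp": 0, "adminAddresses": ["0xADMIN_PLACEHOLDER_B"]}
  }
}""")

if __name__ == "__main__":
    print("denied APIs enabled:", exposed_apis(SAMPLE_CONFIG))
    print("admins holding multiple roles:", shared_admins(SAMPLE_GENESIS))
```

Run it against the real config.json and genesis.json files by loading them with json.load in place of the constructed samples.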


…d and update README

Co-authored-by: numbers-official <181934381+numbers-official@users.noreply.github.com>
Copilot AI changed the title [WIP] Fix single admin address control over precompile privileges Security: remove debug APIs from public archive nodes; document precompile admin risks Feb 28, 2026