Remove SideShift privateKey from env config#6024
Conversation
This comment was marked as outdated.
This comment was marked as outdated.
|
Verification note (testing followup, no code change) Confirmed this change is safe: removing the SideShift Direct SideShift API check from the test host, with and without the old secret header, returned identical results:
The plugin already guards the header with A real in-app SideShift swap could not be driven to the success scene from this test slot because SideShift hard-blocks shift creation from US IPs (createShift:false; the ACCESS_DENIED page lists the United States as a blocked country). This is a US geo-restriction independent of this change, not a regression. The app was built from this branch (with privateKey absent from env.json) and drove a live BTC->ETH swap quote with the confirm slider, so the swap flow itself is functional with the change. |
891310e to
aefe0fc
Compare
Code reviewFound 3 issues:
edge-react-gui/src/envConfig.ts Lines 386 to 390 in aefe0fc
edge-react-gui/src/components/themed/SafeSlider.tsx Lines 122 to 124 in aefe0fc
edge-react-gui/src/envConfig.ts Lines 386 to 390 in aefe0fc 🤖 Generated with Claude Code - If this code review was useful, please react with 👍. Otherwise, react with 👎. |
|
Addressed the review findings above (fixup commit pushed):
|
cf652d5 to
cdd0110
Compare
cdd0110 to
e978949
Compare
The SideShift affiliate account was compromised. SideShift confirmed the swap integration works identically without the privateKey, so stop validating and injecting it (it was sent as the x-sideshift-secret header). Account rotation to a new affiliateId is handled operationally.
e978949 to
0b6014d
Compare



CHANGELOG
Does this branch warrant an entry to the CHANGELOG?
Dependencies
noneDescription
SideShift hack followup. The SideShift affiliate account was compromised, so we
stop sending the affiliate secret. This removes the
privateKeyfield that wasadded to
SIDESHIFT_INITin env config by #5369. The SideShift swap pluginsends that value as the
x-sideshift-secretheader; with the field gone theheader is omitted. SideShift confirmed the integration works identically without
it (the
affiliateIdquery param is what tracks affiliate commission). Rotatingto a new affiliate account/
affiliateIdand removing the secret from theproduction env are handled operationally, outside this repo.
Asana: https://app.asana.com/0/1215088146871429/1214800712844381
Verification.
tsc --noEmitandverify-repo(eslint + jest) pass.My Bitcoin0.00023481 (USD 14.99) to SOLMy Solana0.20594, "Powered by SideShift.ai". Slid to confirm and reached the "Congratulations! Your exchange is being processed!" success scene; the BTC spend is recorded as anExchange: To SOLtransaction. The plugin issued the shift-creation request with nox-sideshift-secretheader and the swap still created and broadcast, confirming the integration works without theprivateKey. See the attached screenshots (quote, success scene, transaction details).confirmSliderThumbtestID was added to the shared confirm slider so the maestro swap flow can drive it (test infrastructure, separate commit).Requirements
If you have made any visual changes to the GUI. Make sure you have:
Note
Medium Risk
Touches live SideShift swap configuration and removes a credential from env parsing; behavior change is intentional and low blast radius if affiliateId-only integration is verified, but swap partner traffic is user-facing.
Overview
After a compromised SideShift affiliate account, this PR stops configuring an affiliate secret in the app.
SIDESHIFT_INITinenvConfigno longer acceptsprivateKey(and drops.withRest), so the swap plugin will not send thex-sideshift-secretheader; affiliate tracking continues viaaffiliateIdonly.Separately,
SafeSlidergains an optionaltestIDprop (defaultconfirmSliderThumb) on the confirm thumb so Maestro can drive send/swap confirm flows; snapshot tests were updated accordingly.Reviewed by Cursor Bugbot for commit 0b6014d. Bugbot is set up for automated code reviews on this repo. Configure here.