Security Notices
Low Risk
API Key Exposure
This section addresses the security considerations related to the exposure of API keys in widget deployments and native integrations. Due to the nature of these deployments, the API key (referred to as the "Yield.xyz API key") is accessible to anyone interacting with the widget or a frontend that interacts directly with the Yield.xyz API. This entry outlines the associated risks, potential exploit scenarios, and actions to mitigate these risks.
Risk Overview
Unauthorized API Usage
The API key can be extracted by anyone with access to the widget, allowing them to use the API without authorization. This could result in unintended charges for the API key owner.
Impact: Financial costs may be incurred by the key owner due to unauthorized usage. However, any rewards or benefits from API usage would still be directed to the key owner.
API Rate Limit Exhaustion
An attacker could monitor the rate limits associated with the API key and intentionally send requests to exhaust these limits.
Impact: Legitimate users may experience service disruptions if the API rate limit (e.g., 500 requests per minute) is exceeded.
Phishing Vector
The API key could be used by an attacker to craft requests that trick users into performing unintended actions, such as confirming a malicious transaction.
Impact: Although direct financial exploitation is unlikely, this scenario presents a potential phishing risk.
Mitigation Strategies
- Proxy Server: Set up a proxy server that securely stores the API key and authorizes requests based on additional authentication mechanisms. This can limit unauthorized access and control the rate of requests.
- Rate Limit Monitoring: Yield.xyz actively monitors the usage of your API key to detect and respond to any unusual activity, such as spikes in request volume that could indicate an attack.
- Certificate Pinning: Contact Yield.xyz for assistance in implementing certificate pinning to enhance security.
- Origin Validation: Yield.xyz can implement origin validation to restrict the use of the API key to its intended deployment environment. Note that this measure can be bypassed if requests are made from non-browser environments. Contact Yield.xyz for assistance.
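The proxy-server mitigation above, as an added example that is not Yield.xyz code: a Node.js authorization layer that keeps the API key server-side, checks the request Origin, requires a session token of its own (because Origin alone can be forged from non-browser clients), and applies a per-client token-bucket limit so one client cannot exhaust the upstream quota. The allowed origin, the session tokens, the per-client limit and the `x-api-key` header name are assumptions.

```javascript
// Added example, not Yield.xyz code. The upstream API key never leaves this process.
const API_KEY = process.env.YIELD_API_KEY || 'PLACEHOLDER_API_KEY'; // placeholder, set via env
const ALLOWED_ORIGINS = new Set(['https://app.example.com']);      // assumption
const VALID_SESSIONS = new Set(['session-token-1']);               // constructed sample
const LIMIT_PER_MIN = 60; // per-client budget (assumption), kept below the upstream limit

// Token bucket per client: refills LIMIT_PER_MIN tokens per minute.
const buckets = new Map();
function allowRequest(clientId, now = Date.now()) {
  const b = buckets.get(clientId) || { tokens: LIMIT_PER_MIN, ts: now };
  const refill = ((now - b.ts) / 60000) * LIMIT_PER_MIN;
  b.tokens = Math.min(LIMIT_PER_MIN, b.tokens + refill);
  b.ts = now;
  buckets.set(clientId, b);
  if (b.tokens < 1) return false;
  b.tokens -= 1;
  return true;
}

// Decide whether a browser request may be forwarded. Returned as data so it is testable.
function authorize(headers, clientId, now = Date.now()) {
  // Origin check: stops other sites' pages from using the proxy, but a non-browser
  // client can set any Origin, which is why the session check below is also needed.
  const origin = headers['origin'];
  if (!origin || !ALLOWED_ORIGINS.has(origin)) return { ok: false, status: 403, reason: 'bad origin' };
  const auth = headers['authorization'] || '';
  const token = auth.startsWith('Bearer ') ? auth.slice(7) : '';
  if (!VALID_SESSIONS.has(token)) return { ok: false, status: 401, reason: 'no session' };
  if (!allowRequest(clientId, now)) return { ok: false, status: 429, reason: 'rate limited' };
  return { ok: true, status: 200 };
}

// Headers for the upstream call: strip browser-side credentials, inject the API key here.
function upstreamHeaders(clientHeaders) {
  const { origin, cookie, host, authorization, ...rest } = clientHeaders;
  return { ...rest, 'x-api-key': API_KEY }; // header name is an assumption
}

// Handler to mount with http.createServer(proxyHandler).listen(...) in a real deployment;
// the forwarding call itself is left to the deployment's HTTP client.
function proxyHandler(req, res) {
  const decision = authorize(req.headers, req.socket.remoteAddress);
  if (!decision.ok) { res.writeHead(decision.status); return res.end(decision.reason); }
  const headers = upstreamHeaders(req.headers); // forward req with these headers upstream
  res.writeHead(202); res.end(JSON.stringify({ forwardedWith: Object.keys(headers) }));
}
```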
Conclusion
While the exposure of the API key presents some risks, these can be managed through careful assessment and the implementation of appropriate security measures. Clients should review these risks and strategies to ensure that their widget deployments remain secure and functional.
This notice is part of our ongoing commitment to transparency and security. Please refer to this section regularly for updates and additional guidance on protecting your deployments.