Skip to content

Security: zhangzhongnan928/mcp-blockchain-server

Security

docs/security.md

Security Considerations

This document outlines the security considerations for the MCP Blockchain Server & DApp system.

Core Security Principles

  1. Private Key Isolation: Private keys never leave the user's wallet
  2. Transaction Verification: Clear UI for reviewing transaction details
  3. API Authentication: Secure API key management
  4. Rate Limiting: Prevent abuse
  5. Input Validation: Sanitize all inputs
  6. Audit Logging: Track all operations
  7. HTTPS Only: Secure communications
  8. Content Security Policy: Prevent XSS
  9. Regular Security Audits: Establish process

Private Key Management

The most critical security aspect of this system is that private keys never leave the user's wallet. This is achieved through the following mechanisms:

  1. Transactions are prepared by the MCP Server without requiring private keys
  2. Users review and sign transactions using their own wallets
  3. Only signed transactions are submitted to the blockchain
  4. The MCP Server never has access to private keys

Transaction Signing Flow

The transaction signing flow is designed to ensure that users have full control over their transactions:

  1. AI assistant requests a transaction through the MCP Server
  2. MCP Server prepares an unsigned transaction with a UUID
  3. MCP Server returns a URL for the user to review the transaction
  4. User opens the URL in their browser
  5. Web DApp prompts the user to connect their wallet
  6. Web DApp displays transaction details for review
  7. User approves and signs the transaction with their wallet
  8. Web DApp submits the signed transaction to the blockchain

API Security

Authentication

API authentication is implemented using JWT tokens. API keys are used to obtain JWT tokens, which are then used for subsequent API calls.

Rate Limiting

API rate limiting is implemented to prevent abuse. Rate limits are applied based on API key.

Input Validation

All API inputs are validated and sanitized to prevent injection attacks.

Web Security

HTTPS

All communications are secured using HTTPS.

Content Security Policy

A Content Security Policy is implemented to prevent XSS attacks.

CORS

CORS is configured to restrict access to the API from unauthorized origins.

Audit Logging

All operations are logged for audit purposes. Logs include:

  • API requests and responses
  • Transaction preparation and submission
  • User actions
  • Authentication events

Regular Security Audits

A process for regular security audits is established. This includes:

  • Code reviews
  • Dependency vulnerability scanning
  • Penetration testing
  • Security bug bounty program

Incident Response

An incident response plan is established to handle security incidents. This includes:

  • Incident classification
  • Containment procedures
  • Investigation procedures
  • Communication plan
  • Recovery procedures

Security Recommendations for Users

  1. Always review transaction details carefully before signing
  2. Use a hardware wallet when possible
  3. Keep wallet software up to date
  4. Be cautious of phishing attempts
  5. Do not share API keys or private keys
  6. Enable two-factor authentication where available
  7. Monitor account activity regularly

There aren’t any published security advisories