Severity: Medium
CVSS: 5.3 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L)
Location: https://ecosystem.immutablesoft.org/static/js/main.cc516c53.js
Asset: DApp frontend (ecosystem.immutablesoft.org + titlechain/mediachain)
Hardcoded Infura Project ID Enables Quota Exhaustion and Rate-Limit DoS
Summary
The Infura project ID 6233914717a744d19a2931dfbdd3dddc is embedded
in cleartext inside the production React bundle served at
ecosystem.immutablesoft.org. The ID is accepted on both Ethereum mainnet
and Polygon mainnet. Anyone can extract it from the public bundle and
issue JSON-RPC calls against ImmutableSoft's Infura account, up to the
account's request quotas, exhausting the daily allowance and causing the
DApp to stop functioning for all legitimate users.
Steps to Reproduce
- Download the public bundle:
  curl -s https://ecosystem.immutablesoft.org/static/js/main.cc516c53.js \
    -o bundle.js
- Extract the key (grep -E is required: in grep's default basic-regex mode
  the "+" is a literal character and the pattern would match nothing):
  grep -oE 'infura\.io/(ws/)?v3/[0-9a-f]{32}' bundle.js
  Output: infura.io/v3/6233914717a744d19a2931dfbdd3dddc
- Confirm the key is accepted on Ethereum mainnet:
  curl -s -X POST https://mainnet.infura.io/v3/6233914717a744d19a2931dfbdd3dddc \
    -H "Content-Type: application/json" \
    -d '{"jsonrpc":"2.0","method":"eth_blockNumber","params":[],"id":1}'
  Response: {"result":"0x"} (block number truncated here; any hex block
  number in "result" means the ID is live, whereas a deleted or invalid
  project ID gets HTTP 401 with a JSON-RPC error object instead)
- Confirm the key is accepted on Polygon mainnet:
  curl -s -X POST https://polygon-mainnet.infura.io/v3/6233914717a744d19a2931dfbdd3dddc \
    -H "Content-Type: application/json" \
    -d '{"jsonrpc":"2.0","method":"eth_blockNumber","params":[],"id":1}'
  Response: {"result":"0x"} (truncated, as above)
- An attacker can script requests against either endpoint until the daily
  quota is exhausted. Infura then answers every call on that project ID
  with HTTP 429, the DApp's provider connection fails, and users cannot
  interact with the smart contracts. Because the per-second rate limit is
  also shared by everyone using the same ID, abuse well below the daily cap
  already causes intermittent failures for legitimate users.
The key is also referenced in the bundle as a fully-formed URL:
"https://polygon-mainnet.infura.io/v3/6233914717a744d19a2931dfbdd3dddc"
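The extraction step above is also the check that should run in CI before a bundle ships. The following is an added example, not ImmutableSoft's code: a dependency-free Node.js scanner that finds every Infura project ID (HTTP and WebSocket endpoints) in built files and fails the build if one is present. The sample bundle text and the placeholder ID in it are constructed for the example; the file paths, the script name and the CLI shape are assumptions.

```javascript
'use strict';
// Added example, not ImmutableSoft's code: a pre-deploy scanner that fails a
// build when an Infura project ID is embedded in any frontend bundle.
// Node.js only, no dependencies.

// Infura project IDs are 32 hex characters after "/v3/" (or "/ws/v3/" for
// WebSocket endpoints) on an *.infura.io host. The host group also matches
// a bare "infura.io/v3/<id>" fragment that is concatenated at runtime.
const INFURA_ID_RE = /\b((?:[a-z0-9-]+\.)*infura\.io)\/(?:ws\/)?v3\/([0-9a-f]{32})\b/gi;

// Constructed sample bundle text (placeholder ID, not the one in the report):
// the same ID on two networks plus a 31-character string that must not match.
const SAMPLE_BUNDLE = [
  'var a="https://polygon-mainnet.infura.io/v3/0123456789abcdef0123456789abcdef";',
  'var b="wss://mainnet.infura.io/ws/v3/0123456789abcdef0123456789abcdef";',
  'var c="infura.io/v3/0123456789abcdef0123456789abcde";',
].join('\n');

// Every distinct (host, projectId) pair with the offset of its first
// occurrence, so a finding can be traced back into the minified file.
function findInfuraProjectIds(text) {
  const seen = new Map();
  for (const m of text.matchAll(INFURA_ID_RE)) {
    const host = m[1].toLowerCase();
    const projectId = m[2].toLowerCase();
    const key = `${host}|${projectId}`;
    if (!seen.has(key)) seen.set(key, { host, projectId, offset: m.index });
  }
  return [...seen.values()];
}

// One key reused across networks is still one key to rotate.
function distinctProjectIds(findings) {
  return [...new Set(findings.map((f) => f.projectId))];
}

// Scan a list of files; returns findings keyed by file name (empty = clean).
function scanFiles(paths) {
  const fs = require('node:fs');
  const report = {};
  for (const p of paths) {
    const found = findInfuraProjectIds(fs.readFileSync(p, 'utf8'));
    if (found.length) report[p] = found;
  }
  return report;
}

// CLI: `node scan-bundle.js build/static/js/*.js` exits non-zero on a leak,
// which is the CI gate. With no arguments it scans the constructed sample.
if (typeof require !== 'undefined' && require.main === module) {
  const paths = process.argv.slice(2);
  if (paths.length === 0) {
    console.log(JSON.stringify(findInfuraProjectIds(SAMPLE_BUNDLE), null, 2));
  } else {
    const report = scanFiles(paths);
    for (const [file, found] of Object.entries(report)) {
      for (const f of found) {
        console.error(`${file}: ${f.host} project ID ${f.projectId} at offset ${f.offset}`);
      }
    }
    process.exit(Object.keys(report).length ? 1 : 0);
  }
}
```

The regex deliberately matches the bare "infura.io/v3/<id>" form as well as full URLs, because bundlers often split a base URL from the path and only join them at runtime; a host-anchored pattern would miss that split.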
Impact
Quota exhaustion: any anonymous attacker can drain ImmutableSoft's
Infura daily request allowance, causing the DApp to display connection
errors and blocking all user interactions (purchases, entity registration,
license activation) until the quota resets or the key is rotated.
On Infura's paid tiers, high-volume abuse can also turn into unexpected
billing charges. Rotation does not make the old ID private: it remains
visible in cached and indexed copies of the bundle (CDN caches, search
engines, web archives), so the old project ID must be deleted or disabled
rather than merely replaced, and the new ID must not ship the same way.
Fix
- Immediately rotate the exposed Infura project ID in the Infura console:
  create a new key for the frontend and delete or disable the old one,
  since the old ID stays readable in cached copies of the bundle.
- Configure the key's allowlists in the Infura project settings (allowed
  origins, and where practical allowed contract addresses and JSON-RPC
  methods) so the key is restricted to ecosystem.immutablesoft.org and to
  the calls the DApp actually makes. Caveat: the origin allowlist is checked
  against a client-supplied header, so it stops other websites' browsers,
  not a scripted attacker who sets "Origin:" with curl; it narrows the
  blast radius but is not a fix on its own.
- For production, proxy JSON-RPC calls through a backend server that holds
  the key server-side, rather than embedding it in the client bundle. The
  proxy must itself enforce a method allowlist, a request-body size cap and
  a per-client rate limit; otherwise the DoS target simply moves from
  Infura to the proxy, with the operator now paying for every forwarded call.
- As a belt-and-suspenders control, enable Infura rate-limiting per IP on
  the project settings.
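The backend-proxy recommendation above, written out as an added example (not ImmutableSoft's code): a dependency-free Node.js 18+ relay that reads the project ID from the environment, accepts only single JSON-RPC 2.0 requests for an allowlisted set of methods, caps the body size, rate-limits per client IP with a token bucket, and only then forwards to Infura. The method allowlist, the limits, the /rpc path, the port and the INFURA_PROJECT_ID / INFURA_NETWORK variable names are assumptions for illustration.

```javascript
'use strict';
// Added example, not ImmutableSoft's code: a minimal backend JSON-RPC relay
// that keeps the Infura project ID server-side. Node.js 18+ (global fetch),
// no dependencies. The method allowlist, limits, the /rpc path and the
// INFURA_PROJECT_ID / INFURA_NETWORK environment variables are assumptions.

// Methods the frontend is allowed to relay (assumed set; trim it to what the
// DApp actually calls). Anything else is rejected before it reaches Infura.
const ALLOWED_METHODS = new Set([
  'eth_blockNumber', 'eth_chainId', 'eth_call', 'eth_getBalance', 'eth_gasPrice',
  'eth_estimateGas', 'eth_getLogs', 'eth_getTransactionReceipt', 'eth_sendRawTransaction',
]);
const MAX_BODY_BYTES = 16 * 1024;

// Parse and validate one JSON-RPC 2.0 request. Batches are refused so that a
// single HTTP request cannot fan out into hundreds of upstream calls.
function validateRpcRequest(text) {
  if (Buffer.byteLength(text, 'utf8') > MAX_BODY_BYTES) return { ok: false, error: 'body too large' };
  let req;
  try { req = JSON.parse(text); } catch { return { ok: false, error: 'invalid JSON' }; }
  if (Array.isArray(req)) return { ok: false, error: 'batch requests not allowed' };
  if (typeof req !== 'object' || req === null) return { ok: false, error: 'request must be an object' };
  if (req.jsonrpc !== '2.0') return { ok: false, error: 'jsonrpc must be "2.0"' };
  if (typeof req.method !== 'string' || !ALLOWED_METHODS.has(req.method)) return { ok: false, error: 'method not allowed' };
  if (req.params !== undefined && !Array.isArray(req.params)) return { ok: false, error: 'params must be an array' };
  if (typeof req.id !== 'number' && typeof req.id !== 'string') return { ok: false, error: 'id must be a number or string' };
  // Re-serialise only the validated fields so nothing unexpected is forwarded.
  return { ok: true, request: { jsonrpc: '2.0', method: req.method, params: req.params ?? [], id: req.id } };
}

// Token bucket per client IP: `capacity` requests of burst, refilled at
// `refillPerSec`. `now` is in milliseconds so tests can drive the clock.
class IpRateLimiter {
  constructor({ capacity, refillPerSec }) {
    this.capacity = capacity;
    this.refillPerSec = refillPerSec;
    this.buckets = new Map();
  }
  allow(ip, now = Date.now()) {
    const b = this.buckets.get(ip) ?? { tokens: this.capacity, last: now };
    b.tokens = Math.min(this.capacity, b.tokens + ((now - b.last) / 1000) * this.refillPerSec);
    b.last = now;
    this.buckets.set(ip, b);
    if (b.tokens < 1) return false;
    b.tokens -= 1;
    return true;
  }
}

// HTTP server: POST /rpc -> validate -> rate-limit -> forward to Infura.
// The project ID never leaves this process.
function startProxy({ projectId, network = 'mainnet', port = 8545,
                      limiter = new IpRateLimiter({ capacity: 20, refillPerSec: 5 }) }) {
  const http = require('node:http');
  const upstream = `https://${network}.infura.io/v3/${projectId}`;
  const server = http.createServer((req, res) => {
    const reply = (status, body) => {
      res.writeHead(status, { 'Content-Type': 'application/json' });
      res.end(JSON.stringify(body));
    };
    if (req.method !== 'POST' || req.url !== '/rpc') return reply(404, { error: 'not found' });
    const ip = req.socket.remoteAddress ?? 'unknown';
    if (!limiter.allow(ip)) return reply(429, { error: 'rate limited' });
    const chunks = [];
    let size = 0;
    req.on('data', (c) => {
      size += c.length;
      if (size > MAX_BODY_BYTES) req.destroy(); // drop oversized bodies early
      else chunks.push(c);
    });
    req.on('end', async () => {
      const v = validateRpcRequest(Buffer.concat(chunks).toString('utf8'));
      if (!v.ok) return reply(400, { jsonrpc: '2.0', id: null, error: { code: -32600, message: v.error } });
      try {
        const r = await fetch(upstream, {
          method: 'POST', headers: { 'Content-Type': 'application/json' }, body: JSON.stringify(v.request),
        });
        reply(r.status, await r.json());
      } catch {
        reply(502, { jsonrpc: '2.0', id: v.request.id, error: { code: -32000, message: 'upstream unavailable' } });
      }
    });
  });
  server.listen(port);
  return server;
}

// Run directly: the key comes from the environment, never from source.
if (typeof require !== 'undefined' && require.main === module) {
  if (process.env.INFURA_PROJECT_ID) {
    startProxy({ projectId: process.env.INFURA_PROJECT_ID, network: process.env.INFURA_NETWORK ?? 'mainnet' });
    console.log('relay listening on http://127.0.0.1:8545/rpc');
  } else {
    console.error('INFURA_PROJECT_ID is not set; relay not started');
  }
}
```

The frontend then points its provider at the relay's /rpc URL instead of an infura.io URL, so the bundle contains nothing worth extracting. The relay is still a public endpoint that can be flooded, but the rate limit, the method allowlist and the batch refusal are now under the operator's control, and a per-IP 429 from the relay does not consume Infura quota; in a real deployment the relay also sits behind whatever edge rate-limiting or bot protection the site already has.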
Note
The bug bounty explicitly excludes DApp bugs from the smart-contract
bounty rewards, but the ImmutableEcosystem bug bounty page states
"please report them if you find them." Reporting per that request.
The key also appears on the titlechain.immutablesoft.org and
mediachain.immutablesoft.org subdomains, which serve the same bundle.