
CRITICAL SECURITY: API Keys and Tokens Exposed in Repository #6216

@Br1tBreaker

Description


Security Vulnerability Report

We discovered multiple instances of exposed API keys and tokens in your repository that require immediate attention.

Critical Findings:

  1. Exposed API Tokens in Certification Scripts

    • Location: certora/scripts/ directory
    • Files: verifyGovernor.sh, verifyAll.sh, and others
    • Exposure: Multiple tokens in format token=REDACTED
  2. Smart Contract Storage Slot Exposure

    • Location: contracts/GSN/bouncers/GSNBouncerERC20Fee.sol
    • Risk: Internal contract storage mechanisms exposed
  3. Test Credentials in Public Repository

    • Location: Multiple test files in test/ directory
    • Risk: Potentially valid credentials accessible publicly

Recommended Actions:

  1. Immediately rotate all exposed API tokens
  2. Review and secure certification infrastructure
  3. Implement secret scanning in CI/CD pipeline
  4. Consider using tools like gitleaks to prevent future exposures

Additional Information:

If this disclosure helps improve your security posture, we accept donations for continued security research services:

  • USDT (TRC20): TP3anZUa1pWmMcpF7C7CRZyVbUjjkVjakj
  • BTC: 0x447b1d1e2e75a4ecc21483e3616b2d4660cad8be

For immediate remediation of these critical issues, please prioritize rotating all exposed credentials.
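The report's third and fourth recommendations (secret scanning in CI/CD, gitleaks-style prevention) are illustrated below with a minimal scanner. This is an added example, not code from the issue author or from the repository being reported on; the rule set, the placeholder list, the entropy threshold and the sample lines are all constructed. It treats documentation placeholders such as `REDACTED` as non-findings and never matches `$VAR` references, so redacted values of the kind the report quotes are not reported as live secrets, while a high-entropy literal fails the check.

```python
import math
import re
import sys
from collections import Counter

# Assignments such as token=..., API_KEY="...", ?token=... (hypothetical rule set;
# a real scanner such as gitleaks ships many vendor-specific rules).
SECRET_ASSIGNMENT = re.compile(
    r"(\w*(?:token|api[_-]?key|secret|password))\s*=\s*['\"]?([A-Za-z0-9_\-./+]{8,})",
    re.IGNORECASE,
)
# Documentation placeholders, not live credentials (constructed list).
PLACEHOLDERS = {"REDACTED", "CHANGEME", "PLACEHOLDER", "YOUR_TOKEN_HERE", "XXXXXXXXXX"}


def shannon_entropy(value: str) -> float:
    """Bits per character: random tokens score near log2(alphabet), words score low."""
    n = len(value)
    return -sum(c / n * math.log2(c / n) for c in Counter(value).values())


def scan_lines(lines, min_entropy: float = 3.5):
    """Return (line_no, key, value, confidence) per candidate secret; placeholders are
    dropped, $VAR references never match (no '$' in the value class), and low-entropy
    values are kept as 'low' since weak real passwords in fixtures score low too."""
    findings = []
    for line_no, line in enumerate(lines, start=1):
        for match in SECRET_ASSIGNMENT.finditer(line):
            key, value = match.group(1), match.group(2)
            if value.upper() in PLACEHOLDERS:
                continue
            confidence = "high" if shannon_entropy(value) >= min_entropy else "low"
            findings.append((line_no, key, value, confidence))
    return findings


# Constructed sample resembling a verification script and a test fixture.
SAMPLE_LINES = [
    "certoraRun contracts/Governor.sol --token=REDACTED",  # placeholder: ignored
    'export token="$CERTORAKEY"',  # env reference: ignored
    "AUTH_TOKEN=a8F3kQz9Lm2Xp7Rt",  # random-looking literal: high
    "password=testtesttest",  # test fixture: low
    "url = 'https://example.invalid/api?token=abcdefghijklmnop'",  # query string: high
]

if __name__ == "__main__":  # CI usage: fail the job on any high-confidence hit
    hits = [(p, f) for p in sys.argv[1:]
            for f in scan_lines(open(p, errors="replace").read().splitlines())]
    for p, (line_no, key, value, confidence) in hits:
        print(f"{p}:{line_no}: {key}={value[:4]}... ({confidence})")
    sys.exit(int(any(f[3] == "high" for _, f in hits)))
```

Run as `python scan.py $(git diff --cached --name-only)` in a pre-commit or CI step; a non-zero exit blocks the change until the value is rotated and removed from history.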
