---
issue: 113
title: "Scanner/backend: RPC response bodies read without size limit — OOM risk"
severity: medium
domain: Scanner
labels: [security, scanner, oom]
status: open
created: 2026-05-30
source: Full Codebase Audit 2026-05-30
---

# Scanner/backend: RPC response bodies read without size limit — OOM risk

**Severity:** medium
**Domain:** Scanner
**Labels:** security, scanner, oom

## Description

NB-42 applied an `io.LimitReader` to RPC response bodies as a mechanical guard with a single default cap, but the byte limit each endpoint actually needs was never decided. A cap that is too small breaks legitimate large responses (an EVM batch with many entries, a full Tron page, a TON jetton response); a cap that is too generous leaves a malicious or compromised RPC node able to push the scanner into excessive memory use, since every body is still buffered up to the cap.

A second problem is independent of the number chosen: `io.LimitReader` truncates silently. An oversized body is cut at the cap and handed to the JSON decoder as if it were complete, so the failure surfaces as a decode error indistinguishable from a malformed response, and nothing records that the size limit was the cause.

## Options

1. Keep `io.LimitReader(resp.Body, maxBytes)` (as applied by NB-42) but with a per-endpoint cap sized from real response data, and detect the oversize case explicitly instead of truncating.
2. Use `http.MaxBytesReader`-style enforcement, which returns an explicit error once more than the cap has been read.
3. Stream-parse the JSON with a decoder wrapped in a bounded reader, so no endpoint ever needs the whole body in memory.

## Recommendation

Review the default cap applied by NB-42 against the actual maximum RPC response sizes for each chain (EVM batch, Tron page, TON jetton response) and set per-endpoint caps from those measurements. Whichever option is chosen, return an explicit "response too large" error when the limit is exceeded rather than silently truncating, so the condition is logged and distinguishable from a decode failure.

## Affected Files

- `scanner/chain.go:96`
- `scanner/tron_chain.go:116`
- `scanner/ton_chain.go:106`

## References

- [Full Codebase Audit 2026-05-30](../09%20-%20Audits/Full%20Codebase%20Audit%20-%202026-05-30.md) — DEC-72
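The following is an added example written for this issue, not code from the scanner package or from NB-42. It contrasts the LimitReader-only pattern (silent truncation) with the two recommended shapes: a read that rejects bodies larger than the cap with a distinct error, and a streaming `json.Decoder` behind `http.MaxBytesReader`. The endpoint names, the cap values in `responseCaps`, the `rpcResult` shape and the generated batch response are all illustrative assumptions; the real caps are exactly what this issue asks to be measured.

```go
package main

import (
	"bytes"
	"encoding/json"
	"errors"
	"fmt"
	"io"
	"net/http"
	"strings"
)

// ErrResponseTooLarge is returned when an RPC body exceeds the cap for its endpoint.
var ErrResponseTooLarge = errors.New("rpc response exceeds configured size limit")

// Hypothetical per-endpoint caps (illustrative values, not the project's tuned numbers).
// They must be sized from observed maximum legitimate responses, which is the open task.
var responseCaps = map[string]int64{
	"evm_batch":  4 << 20,   // 4 MiB
	"tron_page":  1 << 20,   // 1 MiB
	"ton_jetton": 256 << 10, // 256 KiB
}

const defaultCap int64 = 1 << 20

// capFor returns the cap for an endpoint, falling back to defaultCap.
func capFor(endpoint string) int64 {
	if n, ok := responseCaps[endpoint]; ok {
		return n
	}
	return defaultCap
}

// readTruncating is the LimitReader-only pattern: an oversized body is cut at max
// with no error, so the caller only learns about it from a confusing JSON parse failure.
func readTruncating(r io.Reader, max int64) ([]byte, error) {
	return io.ReadAll(io.LimitReader(r, max))
}

// readBounded reads at most max bytes and fails explicitly if the body holds more.
// Reading one byte past the cap distinguishes "exactly max" (accepted) from
// "larger than max" (rejected) without ever buffering more than max+1 bytes.
func readBounded(r io.Reader, max int64) ([]byte, error) {
	b, err := io.ReadAll(io.LimitReader(r, max+1))
	if err != nil {
		return nil, err
	}
	if int64(len(b)) > max {
		return nil, fmt.Errorf("%w: more than %d bytes", ErrResponseTooLarge, max)
	}
	return b, nil
}

// readRPCBody is the per-endpoint wrapper a chain client would call on resp.Body.
func readRPCBody(endpoint string, body io.ReadCloser) ([]byte, error) {
	defer body.Close()
	return readBounded(body, capFor(endpoint))
}

// decodeBoundedJSON streams one JSON value through http.MaxBytesReader so the decoder
// never buffers more than max bytes. Passing nil as the ResponseWriter is safe on the
// client side; it is only consulted to flag an oversized server request.
func decodeBoundedJSON(body io.ReadCloser, max int64, v any) error {
	lr := http.MaxBytesReader(nil, body, max)
	defer lr.Close()
	if err := json.NewDecoder(lr).Decode(v); err != nil {
		var mbe *http.MaxBytesError
		if errors.As(err, &mbe) {
			return fmt.Errorf("%w: more than %d bytes", ErrResponseTooLarge, max)
		}
		return err
	}
	return nil
}

// rpcResult is an illustrative entry shape for a JSON-RPC batch response.
type rpcResult struct {
	ID     int    `json:"id"`
	Result string `json:"result"`
}

// sampleBatch builds a constructed JSON-RPC batch response with n entries
// (synthetic data, not a capture from any chain).
func sampleBatch(n int) []byte {
	var sb strings.Builder
	sb.WriteString("[")
	for i := 0; i < n; i++ {
		if i > 0 {
			sb.WriteString(",")
		}
		fmt.Fprintf(&sb, `{"jsonrpc":"2.0","id":%d,"result":"0x%064x"}`, i, i)
	}
	sb.WriteString("]")
	return []byte(sb.String())
}

func main() {
	big := sampleBatch(5000) // roughly 500 KiB, well over a 64 KiB limit
	limit := int64(64 << 10)
	var out []rpcResult

	b, err := readTruncating(bytes.NewReader(big), limit)
	fmt.Printf("LimitReader only: %d bytes, read err=%v, parse err=%v\n", len(b), err, json.Unmarshal(b, &out))

	_, err = readBounded(bytes.NewReader(big), limit)
	fmt.Printf("readBounded: %v (size error: %t)\n", err, errors.Is(err, ErrResponseTooLarge))

	err = decodeBoundedJSON(io.NopCloser(bytes.NewReader(big)), limit, &out)
	fmt.Printf("decodeBoundedJSON: %v (size error: %t)\n", err, errors.Is(err, ErrResponseTooLarge))
}
```

The `readTruncating` path returns exactly the cap's worth of bytes with a nil error, and only `json.Unmarshal` later complains about an unexpected end of input; both bounded variants instead return an error that wraps `ErrResponseTooLarge`, which the caller can log and count per endpoint. Note that `decodeBoundedJSON` stops at the first complete JSON value, so a body whose value fits under the cap decodes successfully even if the node keeps sending bytes afterwards; that is acceptable for the OOM concern, but add a trailing-data check if strict framing matters.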