Bitcoin Forum
Author Topic: [SECURITY ISSUE?] Solscan API Critical Vulnerability. 130+ Days After Report  (Read 327 times)
CryptoXside (OP)
Newbie
Activity: 7
Merit: 1
March 05, 2025, 06:12:35 PM
Last edit: August 16, 2025, 12:53:55 PM by CryptoXside
Merited by TryNinja (1)
#1

On February 8, a report about a vulnerability in Solscan's API, allowing free access to paid data, was sent to their email.

On February 12, they confirmed receiving the report, but over 130 days have passed, and there is still no response.
There has been no public fix or any comments from Solscan.

Is this a standard practice in the industry?
How do major blockchain platforms typically respond to security reports?



📢 The essence of the found critical vulnerability in the Solscan API:
• An API key on the free tariff (Level 1), obtained from the personal account of the Solscan service, allowed receiving paid analytical data through requests taken from the browser on the site https://solscan.io.
• Paid analytical data obtained by this method were not taken into account by the billing system in the personal account.
• This method allowed paid analytics to be produced in an automated fashion.

📋 SolscanAPI_BugReport_FullResponsibleDisclosure_Eng.pdf:
https://github.com/CryptoXside/SolscanAPI_CriticalVulnerability_FullResponsibleDisclosure/blob/main/SolscanAPI_BugReport_FullResponsibleDisclosure_GitHub_Eng.pdf

📋 SolscanAPI_BugReport_FullResponsibleDisclosure_Rus.pdf:
https://github.com/CryptoXside/SolscanAPI_CriticalVulnerability_FullResponsibleDisclosure/blob/main/SolscanAPI_BugReport_FullResponsibleDisclosure_GitHub_Rus.pdf


Screenshot of the Twitter post with details:
https://i.postimg.cc/1XdRVs7M/x-1891150967237755071.png

Tweet link:
https://x.com/CryptoXside/status/1891150967237755071
My X profile:
https://x.com/CryptoXside



[Updated ~ 12.07.2025]

📜 Solscan API Critical Vulnerability (Full Responsible Disclosure)

📖 Research materials 📖
🔐 GitHub: https://github.com/CryptoXside/SolscanAPI_CriticalVulnerability_FullResponsibleDisclosure
🔐 Google Drive: https://drive.google.com/drive/folders/1-cUuSZfOMp3aOxHQfjLOGl5j24DzloM_?usp=sharing
🔐 Proton Drive: https://drive.proton.me/urls/37DXJ2VR8G#p2d1hFtIzsDL
🔐 Mega Drive: https://mega.nz/folder/ZcoQkI7b#r6Z1ZcLcJCAw_CkyGzKqeA

📢 Discussions 📢
📌 GitHub: https://github.com/CryptoXside/SolscanAPI_CriticalVulnerability_FullResponsibleDisclosure/discussions/1
📌 Twitter: https://x.com/CryptoXside/status/1905753506306576854
📌 Bitcointalk: https://bitcointalk.org/index.php?topic=5534327
📌 Mastodon: https://mastodon.social/@CryptoXside/114788782462528640



[Updated ~ 21.07.2025]

📜 Solscan API Critical Vulnerability - Full Responsible Disclosure (report from 03.07.2025):
https://github.com/CryptoXside/SolscanAPI_CriticalVulnerability_FullResponsibleDisclosure

📅 GitHub clone repository (18.07.2025):
🔐 Google Drive: https://drive.google.com/file/d/11hkUEXds_nplPkSn-JCDGpIqWfaIZNfs/view?usp=sharing
🔐 Proton Drive: https://drive.proton.me/urls/FAN8WBTJKG#ljsau61YPCxc
🔐 Mega Drive: https://mega.nz/file/YZRGmA6b#_bf1DpFmleeaWyWzjXdDUEETQlMop7ixJcuu54otOtc
🔐 Yandex Drive: https://disk.yandex.ru/d/CklDnrhB5w8rOA


📜 Solscan API Vulnerability Report (report from 01.04.2025):
📝 A story about transparency in decentralized blockchain technologies and more...
https://github.com/CryptoXside/SolscanAPI_BugReport

📅 GitHub clone repository (18.07.2025):
🔐 Google Drive: https://drive.google.com/file/d/1DL0JrMMinkmtRaH0XLEfk5X8riMr7o5g/view?usp=sharing
🔐 Proton Drive: https://drive.proton.me/urls/KW2EGEHGKG#FQZPAuy9UD4H
🔐 Mega Drive: https://mega.nz/file/pRRCDaJI#uKZBXB-yE0jRBl7XGr9rJqs_EabE_DzOnLINvcZlmcE
🔐 Yandex Drive: https://disk.yandex.ru/d/LrP4k-SiZieNng



[Updated ~ 04.04.2025]

📜 Solscan API Vulnerability Report
📝 A story about transparency in decentralized blockchain technologies and more...

📜 SolscanAPI_BugReport_Eng.pdf:
https://drive.proton.me/urls/XGDTFCNTB8#zyj5EtwMXaSD

📜 SolscanAPI_BugReport_Rus.pdf:
https://drive.proton.me/urls/Q5K4W2AZMW#5DhdMJ7TmeBB

📹 Video-screencast proofs:
https://drive.google.com/file/d/15USIe71fIG2HxZZYhH99kHivrppWh8Wp/view?usp=sharing

📖 Research materials 📖
🔐 Proton Drive: https://drive.proton.me/urls/RA6PEQRZJW#xh6grrxk3RYO
🔐 Google Drive: https://drive.google.com/drive/folders/1PTsXBMwA5grbkbKl7PQjh-Rcxg49U4Hc
🔐 GitHub: https://github.com/CryptoXside/SolscanAPI_BugReport

📢 Discussions 📢
📌 GitHub: https://github.com/CryptoXside/SolscanAPI_BugReport/discussions/1
📌 Mastodon: https://mastodon.social/@CryptoXside/114265873723735000
📌 Twitter: https://x.com/CryptoXside/status/1907192770915172815


[ ~ ***** ~ ]

Security Specialist, Vulnerability Researcher
Ramil [CryptoXside]
眯眼沙王 🐉 弥勒已来
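The post describes a free-tier key being accepted for paid analytics fetched the way the site's own browser requests fetch them, with none of it metered. The example below is added here and is not Solscan's code or material from the reporter's repositories; the route names, tier numbers and key ids are constructed placeholders. It models the two server-side controls whose absence produces exactly that symptom: an entitlement check that maps every route to a minimum tier, and a metering hook that records each paid call against the key, with the weak setting (frontend routes exempt from both) next to the corrected behaviour.

```python
# Added illustration of tier-gated API routes with usage metering.
# Route names, tiers and keys are constructed placeholders, not Solscan's.
from dataclasses import dataclass, field

FREE, PRO = 1, 2  # assumed tier levels; the post calls the free tier "Level 1"

# Minimum tier required per route. The hardened gateway consults this table
# for every route, including the ones the website's own frontend calls.
ROUTE_MIN_TIER = {
    "/v1/account/balance": FREE,       # free endpoint (assumed name)
    "/v1/analytics/token-flow": PRO,   # paid analytics (assumed name)
}


@dataclass
class Key:
    key_id: str
    tier: int


@dataclass
class Gateway:
    keys: dict                                  # key_id -> Key
    usage: dict = field(default_factory=dict)   # key_id -> billable calls
    frontend_routes_unchecked: bool = False     # the weak setting

    def handle(self, key_id: str, route: str, via_frontend: bool = False) -> tuple:
        """Return (http_status, billed) for one request.

        Weak configuration: requests arriving through the site frontend skip
        the tier check and are never metered, which is the gap the report
        describes. Hardened configuration: every route is checked and metered
        regardless of where the request originated.
        """
        key = self.keys.get(key_id)
        if key is None:
            return 401, False                   # unknown key: no data at all
        needed = ROUTE_MIN_TIER.get(route)
        if needed is None:
            return 404, False                   # unknown route
        if via_frontend and self.frontend_routes_unchecked:
            return 200, False                   # weak: paid data served, unbilled
        if key.tier < needed:
            return 403, False                   # entitlement enforced server-side
        if needed > FREE:
            self.usage[key_id] = self.usage.get(key_id, 0) + 1  # meter paid call
        return 200, needed > FREE
```

The billing defect in the report is the second half of the fix: denying the free key is not enough if a paid key's frontend-originated calls still bypass `usage`.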
logfiles
Copper Member
Legendary
Activity: 2464
Merit: 2104
March 05, 2025, 11:30:57 PM
#2

Such projects usually have a dedicated link for bug bounties, such as this one for Etherscan (https://etherscan.io/bugbounty). No, I understand that Etherscan and Solscan are now one; maybe try contacting the Etherscan team as well.

Or perhaps they just don't care? Just try talking to them first.

CryptoXside (OP)
Newbie
Activity: 7
Merit: 1
March 06, 2025, 08:34:41 AM
#3

> Such projects usually have a dedicated link for bug bounties, such as this one for Etherscan (https://etherscan.io/bugbounty). No, I understand that Etherscan and Solscan are now one; maybe try contacting the Etherscan team as well.
>
> Or perhaps they just don't care? Just try talking to them first.

I understand your point of view. Based on your words, Solscan and Etherscan are the same, but I’m not sure about that.

Most likely, you didn’t fully understand what this is about.
Everything is clearly visible on Twitter.

Have you seen the post on Twitter?
logfiles
Copper Member
Legendary
Activity: 2464
Merit: 2104
March 07, 2025, 10:47:32 PM
#4

> I understand your point of view. Based on your words, Solscan and Etherscan are the same, but I’m not sure about that.
>
> Most likely, you didn’t fully understand what this is about.
> Everything is clearly visible on Twitter.
>
> Have you seen the post on Twitter?

I am no fan of Twitter, and these days Twitter (x.com) does not allow unregistered users to see posts minus signing in. You have the burden of sharing all the details here, because not all members around these streets have Twitter accounts.

I literally shared to you a link of an official announcement stating that they are now under one family. I am not sure if you read through it. My point is, if you can't get Solscan to respond to your bug report, you might as well try reporting it through the Etherscan bug bounty portal or inquire from their support. What is there to lose?

TryNinja
Legendary
Activity: 3318
Merit: 8639
March 08, 2025, 04:12:18 AM
#5

> On February 8, a report about a vulnerability in Solscan's API, allowing free access to paid data, was sent to their email.
>
> On February 12, they confirmed receiving the report, but over 20 days have passed, and there is still no response.
> There has been no public fix or any comments from Solscan.

Is there anything at risk besides their paywalled data for free? Not sure I would call this vulnerability "critical" as your tweet says. No leak of personal data from their users, no risk to their crypto funds, no major security issues where you can change the blockchain data on their explorer for social engineering attacks, etc.

Not trying to downplay your find, but I guess this is why they have been lazy at fixing it.

CryptoXside (OP)
Newbie
Activity: 7
Merit: 1
April 04, 2025, 04:00:25 PM
#6

Solscan API Vulnerability Report

A story about transparency in decentralized blockchain technologies and more...

SolscanAPI_BugReport_Eng.pdf:
https://github.com/CryptoXside/SolscanAPI_BugReport/blob/main/SolscanAPI_BugReport_GitHub_Eng.pdf

SolscanAPI_BugReport_Rus.pdf:
https://github.com/CryptoXside/SolscanAPI_BugReport/blob/main/SolscanAPI_BugReport_GitHub_Rus.pdf

Video-screencast proofs:
https://drive.google.com/file/d/15USIe71fIG2HxZZYhH99kHivrppWh8Wp/view?usp=sharing

Research materials
Proton Drive: https://drive.proton.me/urls/RA6PEQRZJW#xh6grrxk3RYO
Google Drive: https://drive.google.com/drive/folders/1PTsXBMwA5grbkbKl7PQjh-Rcxg49U4Hc
GitHub: https://github.com/CryptoXside/SolscanAPI_BugReport

Discussions
GitHub: https://github.com/CryptoXside/SolscanAPI_BugReport/discussions/1
Mastodon: https://mastodon.social/@CryptoXside/114265873723735000
Twitter: https://x.com/CryptoXside/status/1907192770915172815

CryptoXside (OP)
Newbie
Activity: 7
Merit: 1
May 06, 2025, 11:36:48 PM
Last edit: May 07, 2025, 12:22:42 AM by CryptoXside
#7

📜 Solscan API Critical Vulnerability (Full Responsible Disclosure)

⏳ ⏳ ⏳ Full Responsible Disclosure will be coming soon (with the full screencast-exploit [screencast = 44 min] & all full .txt logs)...

Check here:
https://github.com/CryptoXside/SolscanAPI_CriticalVulnerability_FullResponsibleDisclosure
CryptoXside (OP)
Newbie
Activity: 7
Merit: 1
July 12, 2025, 06:04:19 PM
#8

> 📜 Solscan API Critical Vulnerability (Full Responsible Disclosure)
>
> ⏳ ⏳ ⏳ Full Responsible Disclosure will be coming soon (with the full screencast-exploit [screencast = 44 min] & all full .txt logs)...
>
> Check here:
> https://github.com/CryptoXside/SolscanAPI_CriticalVulnerability_FullResponsibleDisclosure

📜 Solscan API Critical Vulnerability (Full Responsible Disclosure)


📋 SolscanAPI_BugReport_FullResponsibleDisclosure_Eng.pdf:
https://github.com/CryptoXside/SolscanAPI_CriticalVulnerability_FullResponsibleDisclosure/blob/main/SolscanAPI_BugReport_FullResponsibleDisclosure_GitHub_Eng.pdf

📋 SolscanAPI_BugReport_FullResponsibleDisclosure_Rus.pdf:
https://github.com/CryptoXside/SolscanAPI_CriticalVulnerability_FullResponsibleDisclosure/blob/main/SolscanAPI_BugReport_FullResponsibleDisclosure_GitHub_Rus.pdf


🔐 GitHub: https://github.com/CryptoXside/SolscanAPI_CriticalVulnerability_FullResponsibleDisclosure
🔐 Google Drive: https://drive.google.com/drive/folders/1-cUuSZfOMp3aOxHQfjLOGl5j24DzloM_?usp=sharing
🔐 Proton Drive: https://drive.proton.me/urls/37DXJ2VR8G#p2d1hFtIzsDL
🔐 Mega Drive: https://mega.nz/folder/ZcoQkI7b#r6Z1ZcLcJCAw_CkyGzKqeA


📢 Discussions 📢
📌 GitHub: https://github.com/CryptoXside/SolscanAPI_CriticalVulnerability_FullResponsibleDisclosure/discussions/1
📌 Twitter: https://x.com/CryptoXside/status/1905753506306576854
📌 Bitcointalk: https://bitcointalk.org/index.php?topic=5534327
📌 Mastodon: https://mastodon.social/@CryptoXside/114788782462528640

📹 Video-screencast proofs:
https://www.youtube.com/watch?v=6qGoKVXMVQE

CryptoXside (OP)
Newbie
Activity: 7
Merit: 1
July 21, 2025, 02:14:47 PM
#9

📜 Solscan API Critical Vulnerability - Full Responsible Disclosure (report from 03.07.2025):
https://github.com/CryptoXside/SolscanAPI_CriticalVulnerability_FullResponsibleDisclosure

📅 GitHub clone repository date: 18.07.2025

🔐 Google Drive: https://drive.google.com/file/d/11hkUEXds_nplPkSn-JCDGpIqWfaIZNfs/view?usp=sharing

🔐 Proton Drive: https://drive.proton.me/urls/FAN8WBTJKG#ljsau61YPCxc

🔐 Mega Drive: https://mega.nz/file/YZRGmA6b#_bf1DpFmleeaWyWzjXdDUEETQlMop7ixJcuu54otOtc

🔐 Yandex Drive: https://disk.yandex.ru/d/CklDnrhB5w8rOA



📜 Solscan API Vulnerability Report (report from 01.04.2025):
📝 A story about transparency in decentralized blockchain technologies and more...
https://github.com/CryptoXside/SolscanAPI_BugReport

📅 GitHub clone repository date: 18.07.2025

🔐 Google Drive: https://drive.google.com/file/d/1DL0JrMMinkmtRaH0XLEfk5X8riMr7o5g/view?usp=sharing

🔐 Proton Drive: https://drive.proton.me/urls/KW2EGEHGKG#FQZPAuy9UD4H

🔐 Mega Drive: https://mega.nz/file/pRRCDaJI#uKZBXB-yE0jRBl7XGr9rJqs_EabE_DzOnLINvcZlmcE

🔐 Yandex Drive: https://disk.yandex.ru/d/LrP4k-SiZieNng


