fix: x402 replay amount bypass + bounded batch queries

Kenbak · Kenbak · commit 2d151c4fea8c · 2026-04-12T20:15:33.000+02:00
x402: cached verification now re-checks received amount against the
current request's expected_amount_zec. Prevents a $5 txid verified
once from passing as proof for a $500 resource (CWE-294).

Bounded allocations: added LIMIT to webhook retry (200), subscription
cancel/renewal/past_due queries (500 each) to prevent OOM under load.
diff --git a/src/api/x402.rs b/src/api/x402.rs
@@ -96,13 +96,40 @@ pub async fn verify(
     if let Some(received_zatoshis) =
         get_existing_verified(pool.get_ref(), &merchant.id, &body.txid, protocol).await
     {
-        return HttpResponse::Ok().json(VerifyResponse {
-            valid: true,
-            received_zec: received_zatoshis as f64 / 100_000_000.0,
-            received_zatoshis,
-            previously_verified: true,
-            reason: None,
-        });
+        // Re-check amount against the current request to prevent replay across price tiers:
+        // a $5 txid verified once must not pass as proof for a $500 resource.
+        let expected_zatoshis = match zec_to_zatoshis(body.expected_amount_zec) {
+            Some(amount) => amount,
+            None => {
+                return HttpResponse::BadRequest().json(serde_json::json!({
+                    "error": "expected_amount_zec must be representable in zatoshis"
+                }));
+            }
+        };
+        let min_acceptable = (expected_zatoshis as f64 * SLIPPAGE_TOLERANCE) as u64;
+
+        if received_zatoshis >= min_acceptable {
+            return HttpResponse::Ok().json(VerifyResponse {
+                valid: true,
+                received_zec: received_zatoshis as f64 / 100_000_000.0,
+                received_zatoshis,
+                previously_verified: true,
+                reason: None,
+            });
+        } else {
+            let reason = format!(
+                "Previously verified amount insufficient: received {} ZEC, expected {} ZEC",
+                received_zatoshis as f64 / 100_000_000.0,
+                body.expected_amount_zec
+            );
+            return HttpResponse::Ok().json(VerifyResponse {
+                valid: false,
+                received_zec: received_zatoshis as f64 / 100_000_000.0,
+                received_zatoshis,
+                previously_verified: true,
+                reason: Some(reason),
+            });
+        }
     }
 
     let previously_verified = false;
diff --git a/src/subscriptions/mod.rs b/src/subscriptions/mod.rs
@@ -177,7 +177,7 @@ pub async fn process_renewals(
     // 1. Cancel subscriptions marked for end-of-period cancellation
     // First, select the ones we're about to cancel (before updating) so we dispatch webhooks only for these
     let q = format!(
-        "SELECT {} FROM subscriptions WHERE cancel_at_period_end = 1 AND current_period_end <= ? AND status = 'active'",
+        "SELECT {} FROM subscriptions WHERE cancel_at_period_end = 1 AND current_period_end <= ? AND status = 'active' LIMIT 500",
         SUB_COLS
     );
     let to_cancel: Vec<Subscription> = sqlx::query_as::<_, Subscription>(&q)
@@ -225,7 +225,7 @@ pub async fn process_renewals(
         .to_string();
 
     let q = format!(
-        "SELECT {} FROM subscriptions WHERE status = 'active' AND current_period_end <= ? AND cancel_at_period_end = 0",
+        "SELECT {} FROM subscriptions WHERE status = 'active' AND current_period_end <= ? AND cancel_at_period_end = 0 LIMIT 500",
         SUB_COLS
     );
     let due_subs: Vec<Subscription> = sqlx::query_as::<_, Subscription>(&q)
@@ -334,7 +334,7 @@ pub async fn process_renewals(
     // Note: subscription.renewed webhook is dispatched by the scanner on payment confirmation.
     // This step is a fallback for edge cases (e.g., server restart during scan).
     let q = format!(
-        "SELECT {} FROM subscriptions WHERE status = 'active' AND current_period_end <= ? AND cancel_at_period_end = 0",
+        "SELECT {} FROM subscriptions WHERE status = 'active' AND current_period_end <= ? AND cancel_at_period_end = 0 LIMIT 500",
         SUB_COLS
     );
     let past_due_candidates: Vec<Subscription> = sqlx::query_as::<_, Subscription>(&q)
diff --git a/src/webhooks/mod.rs b/src/webhooks/mod.rs
@@ -259,7 +259,8 @@ pub async fn retry_failed(
          JOIN merchants m ON wd.merchant_id = m.id
          WHERE wd.status = 'pending'
          AND wd.attempts < 5
-         AND (wd.next_retry_at IS NULL OR wd.next_retry_at <= ?)",
+         AND (wd.next_retry_at IS NULL OR wd.next_retry_at <= ?)
+         LIMIT 200",
     )
     .bind(&now)
     .fetch_all(pool)
