fix(scan): stop chain-walk fanout + route /rpc to correct host #56
Merged
V2 (scan.sentriscloud.com + scan-testnet.sentriscloud.com) was missing from the live audit surface. Both stay live alongside V1 per ops direction; the audit needs to monitor both. Renamed v1 entries with explicit `-v1` suffix for symmetry. Verified locally: clean across all 17 surface URLs.
Before: 64-hex regex matched but only ran probeTx() on both networks.
A user pasting a block hash → both probes fail → "Transaction not
found" error message even though the hash IS a valid block hash.
After: 4 parallel probes (tx + block on current + other network).
Block hits resolve through getBlock({blockHash}) and route to
/blocks/<resolved-height> since the block route is height-keyed.
Tx still wins precedence — they're disjoint hash spaces in practice
but the explicit ordering keeps semantics deterministic.
Cost: 4 RPC calls instead of 2, but they run concurrently → wall
time stays bounded by the slowest single probe (~50ms).
Found via deep audit on 2026-05-11: every page mount fired ~110
eth_getLogs requests at api.sentrixchain.com/rpc — the wrong host
(no CORS), composed by `${apiBase}/rpc`. Total per home page load:
202 requests, 6 stuck skeletons that never resolved after 30s.
Three fixes, one PR:
1. **chain.ts: getRpcUrl(network) helper** — single source of truth
for the JSON-RPC endpoint. Reads NEXT_PUBLIC_(MAINNET|TESTNET)_RPC
with sane defaults to rpc.sentrixchain.com.
2. **api.ts: route 3 raw fetch sites through getRpcUrl** — stops the
`${apiBase}/rpc` composition that was the wrong host plus CORS-
stripped on testnet. Affected calls: eth_blockNumber tip read in
fetchEvmTokensFromFactory, eth_call probes for ERC20 metadata,
eth_getLogs in fetchEventLogs.
3. **api.ts: 5-min TTL cache + in-flight dedup for token-factory walk**
— the underlying scan is ~110 chunked eth_getLogs (deploy-block to
tip in 5K-block windows). Token list is append-only and changes
maybe a few times per hour at most, so caching is safe. In-flight
dedup prevents two simultaneous mounts from doubling the walk.
Plus an audit-static rule (Rule 10) to catch any future
`${apiBase}/rpc` regression at lint time.
Verified locally:
- typecheck clean
- audit-static.sh: 0 hard errors
- scan-network-trace.mjs (new tool): expect home page to drop from
~200 requests → <20 once the cache warms
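
The 5-minute TTL cache with in-flight dedup from fix 3, sketched in TypeScript as an added example; this is not the PR's code, and `dedupedTtlCache`, `simulateMounts` and the counting loader are hypothetical names, with a constructed stand-in for the eth_getLogs walk. The sketch stores the promise itself, so the TTL is measured from when the walk starts, which is an assumption made here.

```typescript
// Added example, not the PR's code. All names are hypothetical.
type Loader<T> = (key: string) => Promise<T>;
interface Entry<T> { promise: Promise<T>; expiresAt: number; }
const FIVE_MINUTES_MS = 5 * 60 * 1000;

function dedupedTtlCache<T>(
  load: Loader<T>,
  ttlMs: number,
  now: () => number = Date.now,
): (key: string) => Promise<T> {
  const entries = new Map<string, Entry<T>>();
  return (key: string): Promise<T> => {
    const hit = entries.get(key);
    // A fresh entry serves both cases: a finished walk (cache hit) and a
    // walk that is still running (in-flight dedup share the same promise).
    if (hit !== undefined && now() < hit.expiresAt) return hit.promise;

    const promise = load(key);
    const entry: Entry<T> = { promise, expiresAt: now() + ttlMs };
    entries.set(key, entry);
    // Never cache a failure: evict on rejection so the next mount retries
    // instead of being handed a rejected promise for the whole TTL.
    promise.catch(() => {
      if (entries.get(key) === entry) entries.delete(key);
    });
    return promise;
  };
}

// Constructed stand-in for the chunked eth_getLogs walk: it only counts how
// many walks were started, using a fake clock so expiry is deterministic.
function simulateMounts(): { walksStarted: number; sharedPromise: boolean } {
  let clock = 0;
  let walksStarted = 0;
  const walk: Loader<string[]> = async (network) => {
    walksStarted += 1;
    return [`tokens-for-${network}`];
  };
  const fetchTokens = dedupedTtlCache(walk, FIVE_MINUTES_MS, () => clock);
  const a = fetchTokens("mainnet"); // first mount starts the walk
  const b = fetchTokens("mainnet"); // simultaneous mount joins it
  clock += 4 * 60 * 1000;
  fetchTokens("mainnet");           // still inside the TTL: no new walk
  clock += 2 * 60 * 1000;
  fetchTokens("mainnet");           // TTL expired: one new walk
  fetchTokens("testnet");           // separate key: separate walk
  return { walksStarted, sharedPromise: a === b };
}
```

Keying the cache by network keeps a mainnet result from being served to a testnet page.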
Summary
Deep audit on 2026-05-11 caught scan v1 firing ~110 eth_getLogs requests per page mount at the wrong host (`api.sentrixchain.com/rpc` — no CORS, Caddy passthrough). Total per home page load: 202 network requests, 6 skeleton placeholders that never resolved after 30 seconds.
Root cause
Three connected bugs:
1. Wrong host — three call sites in `api.ts` composed `${apiBase}/rpc` (where apiBase = api.sentrixchain.com). The actual JSON-RPC endpoint is rpc.sentrixchain.com. The api host happened to proxy /rpc but stripped CORS headers, breaking testnet entirely and burning extra round-trips.
2. Chain walk on every mount — `fetchEvmTokensFromFactory` walks the deploy-block → tip range in 5K-block chunks looking for TokenCreated events. For mainnet that's ~110 eth_getLogs per call. `labels.tsx` calls `fetchTokens` on every page mount → walk fires every page transition.
3. No deduplication — two simultaneous mounts (e.g. concurrent tabs, or a fast nav burst) doubled the walk.
Fixes
Cache TTL of 5 minutes is the right balance: the token list is append-only and changes maybe a few times per hour at most, so users get fresh-enough data without re-walking on every visit. In-flight dedup means concurrent mounts share the walk.
New audit tooling (also committed)
Verification
Scope NOT in this PR (separate workstreams)
Test plan