🔒Security
Authentication
BasePass uses SIWE (Sign-In With Ethereum):
1. Frontend requests a nonce
2. User signs a message proving wallet ownership
3. Backend verifies the signature and issues a JWT
4. JWT stored in an HttpOnly cookie (not localStorage)
HttpOnly cookies cannot be read by JavaScript, so a script injected through XSS cannot steal the JWT. The Secure flag ensures the cookie is only sent over HTTPS.
Route Protection
All write endpoints enforce:
Authentication: a valid JWT cookie is present
Ownership: the cookie's wallet matches the resource being modified
Smart Contract
Zero-address validation: prevents deploying with invalid addresses
Subscribe reverts if already active: prevents losing remaining subscription time
Fee hard cap (10%): owner cannot set exploitative fees
Two-step ownership: new owner must explicitly accept
Pausable: emergency shutdown of subscribe/renew
Non-upgradeable: code is immutable after deployment
SafeERC20: safe USDC transfer handling
Telegram Linking
The Telegram flow is designed to prevent impersonation and replay attacks:
Tokens are SHA-256 hashed before DB storage
Tokens are single-use and expire in 10 minutes
Rate limited: 5 requests/min per wallet and per Telegram ID
1:1 mapping: one wallet per Telegram, one Telegram per wallet
Bot requests authenticated via shared secret header
API Keys
Generated as bp_live_ + 32 random bytes
Only the SHA-256 hash is stored
Shown once at creation, cannot be retrieved
Scoped to a creator wallet
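An added example (not BasePass code) showing the hash-only storage that the Telegram Linking and API Keys sections describe: the bp_live_ prefix with 32 random bytes, lookup by SHA-256 digest, single-use link tokens with a 10-minute expiry, and the 1:1 wallet/Telegram mapping. The HashedSecretStore class, its method names and the in-memory dictionaries are assumptions standing in for the database; rate limiting and the bot's shared-secret header are not shown.

```python
import hashlib
import secrets
from typing import Dict, Optional

API_KEY_PREFIX = "bp_live_"
LINK_TOKEN_TTL_SECONDS = 10 * 60  # Telegram link tokens expire in 10 minutes

def sha256_hex(value: str) -> str:
    return hashlib.sha256(value.encode("utf-8")).hexdigest()

class HashedSecretStore:
    """Hypothetical in-memory stand-in for the DB: only SHA-256 digests of secrets are kept."""

    def __init__(self) -> None:
        self.api_keys: Dict[str, str] = {}        # key digest -> creator wallet
        self.link_tokens: Dict[str, dict] = {}    # token digest -> record
        self.telegram_by_wallet: Dict[str, str] = {}
        self.wallet_by_telegram: Dict[str, str] = {}

    # API keys: bp_live_ + 32 random bytes; plaintext returned once, digest stored
    def create_api_key(self, creator_wallet: str) -> str:
        key = API_KEY_PREFIX + secrets.token_hex(32)  # 32 random bytes, hex-encoded
        self.api_keys[sha256_hex(key)] = creator_wallet
        return key  # the only time the plaintext exists outside the caller

    def wallet_for_api_key(self, presented: str) -> Optional[str]:
        if not presented.startswith(API_KEY_PREFIX):
            return None
        return self.api_keys.get(sha256_hex(presented))  # digest lookup of a 256-bit secret

    # Telegram link tokens: hashed, single-use, 10-minute expiry, 1:1 wallet <-> Telegram
    def issue_link_token(self, wallet: str, now: float) -> str:
        token = secrets.token_urlsafe(32)
        self.link_tokens[sha256_hex(token)] = {
            "wallet": wallet, "expires_at": now + LINK_TOKEN_TTL_SECONDS, "used": False}
        return token  # only the digest is persisted

    def redeem_link_token(self, presented: str, telegram_id: str, now: float) -> Optional[str]:
        rec = self.link_tokens.get(sha256_hex(presented))
        if rec is None or rec["used"] or now >= rec["expires_at"]:
            return None  # unknown, replayed, or expired token
        rec["used"] = True  # burn first so a replay of this token cannot succeed
        wallet = rec["wallet"]
        if wallet in self.telegram_by_wallet or telegram_id in self.wallet_by_telegram:
            return None  # one wallet per Telegram ID, one Telegram ID per wallet
        self.telegram_by_wallet[wallet] = telegram_id
        self.wallet_by_telegram[telegram_id] = wallet
        return wallet
```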
Secrets Management
Never commit secrets to source control. Use environment variables:
JWT_SECRET: minimum 32 random characters
DISCORD_BOT_SECRET / TELEGRAM_BOT_SECRET: shared secrets
DISCORD_BOT_TOKEN / TELEGRAM_BOT_TOKEN: platform tokens
DATABASE_URL: connection string
Reporting Vulnerabilities
If you discover a security issue, report it responsibly. Do not open a public issue. Contact the team directly.