Bounties can be posted without authentication - security risk

[crtahlin]

Problem

The `POST /api/v1/bounties` endpoint accepts requests without any authentication. Anyone can create a bounty with any poster address:

curl -X POST https://agents.datafund.io/api/v1/bounties \
  -H "Content-Type: application/json" \
  -d '{
    "poster": "0x0000000000000000000000000000000000000001",
    "title": "Fake bounty",
    "rewardAmount": "1000000000000000000000",
    "rewardToken": "ETH"
  }'

# Response: 200 OK - bounty created

No verification that:

• The poster address is controlled by the requester
• Any funds are actually available
• The request is from a legitimate user

Security Risks

1. Spam - Flood the bounties page with fake listings
2. Impersonation - Create bounties appearing to be from known addresses
3. Market manipulation - Create fake demand signals
4. Phishing - Lure sellers with fake high-value bounties

Expected Behavior

Bounty creation should require:

1. Wallet signature proving ownership of poster address
2. OR API key authentication tied to verified wallet
3. Rate limiting per IP/wallet as additional protection

Suggested Implementation

Option A: Wallet signature

// Request includes signed message
{
  "poster": "0x...",
  "signature": "0x...",  // Sign: "Create bounty: {title} for {amount}"
  "title": "...",
  ...
}
// Server verifies signature matches poster address

Option B: API key auth

curl -X POST .../bounties \
  -H "Authorization: Bearer {api_key}" \
  -d '...'

Option C: Rate limiting (minimum)

• 1 bounty per IP per hour
• Require email verification
• CAPTCHA for web submissions

Acceptance Criteria

• Bounty creation requires proof of poster address ownership
• OR rate limiting prevents spam
• Cannot impersonate other addresses

[crtahlin]

Finding: Fix Already Exists in Repo

The authentication fix already exists in the codebase but production hasn't been redeployed.

Evidence

Commit b160874 (2026-02-01 14:33) added verifySignature middleware:

• Created src/api/middleware/verify-signature.ts
• Applied to POST /bounties endpoint

Current code in bounties.ts:

router.post('/', verifySignature, (req, res) => {
  const verifiedAddress = (req as any).verifiedAddress as string
  // ...
  const poster = verifiedAddress  // Always uses verified signer
})

But production still accepts unauthenticated requests:

curl -X POST "https://agents.datafund.io/api/v1/bounties" \
  -H "Content-Type: application/json" \
  -d '{"title":"Test","rewardAmount":"1000","rewardToken":"ETH"}'
# Returns 201 Created (should return 401)

Resolution

No code changes needed - just deploy the latest molt branch to production.

After deployment, verify with:

# Should return 401:
curl -X POST "https://agents.datafund.io/api/v1/bounties" \
  -H "Content-Type: application/json" \
  -d '{"title":"Test"}'

@plur9 Can you redeploy the latest code to production?