Summary:
- Multiple critical vulnerabilities in the Chia RPC server ( ) allow remote attackers to drain funds and extract private keys.

Key Vulnerabilities:
- Authentication Bypass (CWE-306):
  - If no RPC credentials are set in the config (the default), the server returns for all requests.
  - No CORS headers, no origin validation.
- CSRF / Cross-Site Request Forgery:
  - Malicious websites can send POST requests to (Wallet) or (Full Node).
  - The browser blocks reading the response, but the wallet still executes the command.
- Master Passphrase Bypass (Critical):
  - The Wallet GUI enforces a Master Passphrase, but the RPC server ignores the locked state.
  - Any local process with access to the mTLS certificates can call to steal funds or to exfiltrate the 24-word seed in plain text, with no passphrase prompt.

Proof of Concepts:
- Remote CSRF PoC: demonstrates a transaction being signed and broadcast despite the CORS error.
- Local Privilege Escalation PoC: demonstrates extracting the 24-word seed without a passphrase using a cURL command.
- Hashdump PoC: demonstrates sending a transaction without a passphrase prompt.
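The three findings above share one root cause: the RPC server decides whether to execute a command without consulting the things that should gate it (a configured credential, the request's origin, the wallet's locked state). The following is an added example written for this page, not Chia's code, that models that gate as a single function and contrasts the reported behaviour with a fail-closed version. The token value, the origin allowlist, the `Sec-Fetch-Site` handling and the method names `send_funds` / `export_seed` are all constructed placeholders, not Chia's real configuration or RPC endpoints.

```python
"""Added example (not Chia's code): gating a local JSON-RPC command.

Everything here is constructed for illustration: the token, the origin
allowlist and the placeholder method names are assumptions, not Chia's
real configuration or endpoint names.
"""
from dataclasses import dataclass, field
from typing import Callable, Dict, Optional
import hmac

ALLOWED_ORIGINS = {"https://wallet-ui.example"}   # assumed allowlist for the GUI
PRIVILEGED = {"send_funds", "export_seed"}         # placeholder method names


@dataclass
class Request:
    method: str                                    # RPC method being invoked
    headers: Dict[str, str] = field(default_factory=dict)


@dataclass
class WalletState:
    locked: bool = True                            # GUI master passphrase not entered
    token: Optional[str] = None                    # RPC credential from config; None = unset


def vulnerable_gate(req: Request, state: WalletState) -> bool:
    """Mirrors the reported behaviour: with no credential configured every
    request is allowed, Origin is never checked, and the lock is ignored."""
    if state.token is None:
        return True
    presented = req.headers.get("Authorization", "")
    return hmac.compare_digest(presented, "Bearer " + state.token)


def hardened_gate(req: Request, state: WalletState) -> bool:
    """Fail closed: require a credential, refuse cross-origin browser
    requests, and refuse privileged methods while the wallet is locked."""
    if not state.token:
        return False                               # unset credential means deny, not allow
    origin = req.headers.get("Origin")
    if origin is not None and origin not in ALLOWED_ORIGINS:
        return False                               # browser CSRF is stopped before execution
    if req.headers.get("Sec-Fetch-Site") == "cross-site":
        return False                               # belt and braces for modern browsers
    presented = req.headers.get("Authorization", "")
    if not hmac.compare_digest(presented, "Bearer " + state.token):
        return False
    if req.method in PRIVILEGED and state.locked:
        return False                               # the RPC honours the GUI lock
    return True


def dispatch(req: Request, state: WalletState,
             gate: Callable[[Request, WalletState], bool]) -> bool:
    """Returns True if the command would execute. The CSRF point is that the
    server runs the command whether or not the browser may read the response,
    so the gate has to run here, before execution, not in the CORS layer."""
    return gate(req, state)


# Constructed scenarios matching the three findings on the page.
def scenario_remote_csrf(gate) -> bool:
    """Default config (no credential), request forged by a malicious site."""
    req = Request("send_funds", {"Origin": "https://evil.example",
                                 "Sec-Fetch-Site": "cross-site",
                                 "Content-Type": "text/plain"})
    return dispatch(req, WalletState(locked=False, token=None), gate)


def scenario_local_locked(gate) -> bool:
    """Local process holding the credential, wallet still locked in the GUI."""
    req = Request("export_seed", {"Authorization": "Bearer t0k3n"})
    return dispatch(req, WalletState(locked=True, token="t0k3n"), gate)


def scenario_legitimate(gate) -> bool:
    """GUI origin, valid credential, wallet unlocked: must still work."""
    req = Request("send_funds", {"Origin": "https://wallet-ui.example",
                                 "Authorization": "Bearer t0k3n"})
    return dispatch(req, WalletState(locked=False, token="t0k3n"), gate)


if __name__ == "__main__":
    for name, scenario in [("remote CSRF", scenario_remote_csrf),
                           ("local, wallet locked", scenario_local_locked),
                           ("legitimate", scenario_legitimate)]:
        print(f"{name:22} vulnerable={scenario(vulnerable_gate)} "
              f"hardened={scenario(hardened_gate)}")
```

The hardened gate deliberately treats an unset credential as "deny" rather than "allow", checks `Origin` on the server side instead of relying on the browser's CORS response filtering, and ties privileged methods to the same locked state the GUI enforces, so that the three PoCs on this page would each be refused at dispatch time.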