security: Add rate limiting on frontend stream creation to prevent spam #147

@Austinaminu2

Description

There is currently no client-side rate limiting on stream creation. A malicious user (or buggy script) could rapidly fire hundreds of create_stream transactions, spamming the contract's index storage and potentially degrading RPC performance.

While the Stellar network itself has base fee and sequence number constraints, adding frontend rate limiting provides an additional layer of defense and better UX (prevents accidental double-submissions).

Proposed Solution

  • Debounce the "Create Stream" button — disable it for 5 seconds after a successful submission
  • Track creation count per session — warn after 10 streams in a 5-minute window
  • Add a confirmation dialog for batch creation of more than 20 streams
  • Use AbortController to prevent duplicate in-flight transactions

Acceptance Criteria

  • "Create Stream" button is disabled while a transaction is in-flight
  • Button remains disabled for 3-5 seconds after successful creation
  • Warning shown if creating more than 10 streams in 5 minutes
  • Batch creation shows a confirmation dialog above a configurable threshold
  • Duplicate rapid clicks don't produce duplicate transactions
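One way the in-flight lock, post-success cooldown and per-session counter from the proposal could fit together, as an added example that is not part of the original issue or the project's code. The names `createStreamGuard` and `sendTx` are hypothetical, and the clock is injectable only so the logic can be tested.

```javascript
// Added example: client-side guard for "Create Stream" submissions.
// createStreamGuard and sendTx are hypothetical names, not the project's API.
function createStreamGuard({
  cooldownMs = 5000,        // button stays disabled this long after a success
  windowMs = 5 * 60 * 1000, // sliding window for the per-session counter
  warnAfter = 10,           // warn once this many creations fall in the window
  now = Date.now,           // injectable clock (assumption, for testing)
} = {}) {
  let inFlight = null;      // AbortController of the pending transaction
  let cooldownUntil = 0;
  let created = [];         // timestamps of successful creations

  // Drop timestamps that have aged out of the window, return the rest.
  const recent = () => (created = created.filter((t) => now() - t < windowMs));

  // Synchronous gate: call first thing in the click handler.
  function tryBegin() {
    if (inFlight) return { ok: false, reason: "in-flight" };
    if (now() < cooldownUntil) return { ok: false, reason: "cooldown" };
    inFlight = new AbortController();
    return { ok: true, signal: inFlight.signal, warn: recent().length >= warnAfter };
  }

  // Call when the transaction settles; only a success starts the cooldown.
  function finish(success) {
    inFlight = null;
    if (success) {
      created.push(now());
      cooldownUntil = now() + cooldownMs;
    }
  }

  // Wrapper: sendTx(signal) is the caller's own submit function.
  async function submit(sendTx) {
    const gate = tryBegin();
    if (!gate.ok) return gate;
    try {
      const result = await sendTx(gate.signal);
      finish(true);
      return { ok: true, warn: gate.warn, result };
    } catch (err) {
      finish(false);
      throw err;
    }
  }

  // Abort the pending request, e.g. when the form unmounts.
  const cancel = () => inFlight && inFlight.abort();
  const disabled = () => Boolean(inFlight) || now() < cooldownUntil;
  return { tryBegin, finish, submit, cancel, disabled };
}
```

Bind the button's `disabled` prop to `guard.disabled()` and show the warning when `submit` resolves with `warn: true`; the lock is taken synchronously in `tryBegin`, so a second click in the same tick is rejected before any transaction is built.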

Labels: frontend (Next.js frontend), security (Security improvements)