[Security] AST-02: Example API Keys in Documentation Match Live Key Format #86

@mefai-dev

AST-02: Example API Keys in Documentation Match Live Key Format

Severity: HIGH
Affected File(s): aster-finance-futures-api.md, aster-finance-spot-api.md (multiple lines)

Description

API documentation contains three distinct 64-character hex key pairs that match the format of real Aster API keys. Only the spot docs include a 'for demonstration only' disclaimer. The futures docs and createApiKey response example contain no disclaimer.

Vulnerable Code

apiKey: dbefbc809e3e83c283a984c3a1459732ea7db1360ca80c5c2c8867408d28cc83
secretKey: 2b5eb11e18796d12d88f13dc27dbbd02c2cc51ff7059765ed9821957d82bb4d9

Impact

If any keys are or were active, an attacker could execute trades or access account data. The pattern teaches developers that publishing keys in documentation is acceptable.

Recommended Fix

  1. Confirm all three key pairs are revoked/non-functional
  2. Replace with clearly labeled placeholders (YOUR_API_KEY_HERE)
  3. Add 'for demonstration only' disclaimer to ALL examples
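An added example, not part of this issue or the Aster project, showing how a documentation check for the three fix steps could look: it flags any `apiKey`/`secretKey` value in live 64-hex format that is not covered by a 'for demonstration only' disclaimer, and collects every distinct key value as the list to confirm revoked. The sample docs and key values below are constructed, not the real files or keys.

```python
import re

# A 64-hex value labelled apiKey/secretKey, the shape quoted in this issue.
KEY_LINE = re.compile(r"\b(apiKey|secretKey)\b\s*[:=]\s*['\"]?([0-9a-fA-F]{64})\b")
DISCLAIMER = re.compile(r"for demonstration only", re.IGNORECASE)


def scan_doc(text, window=10):
    """Return (line_no, field, value) for each live-format key that has no
    'for demonstration only' disclaimer within `window` lines above it.
    Placeholders such as YOUR_API_KEY_HERE never match the hex pattern, so
    a doc fixed as recommended in this issue yields no findings."""
    lines = text.splitlines()
    findings = []
    for i, line in enumerate(lines):
        m = KEY_LINE.search(line)
        if m is None:
            continue
        context = "\n".join(lines[max(0, i - window):i + 1])
        if not DISCLAIMER.search(context):
            findings.append((i + 1, m.group(1), m.group(2)))
    return findings


def distinct_keys(docs):
    """Collect every distinct key value across all docs, disclaimed or not,
    as the revocation checklist for step 1 of the fix."""
    return {m.group(2) for text in docs.values() for m in KEY_LINE.finditer(text)}


# Constructed sample docs (not the real Aster files); key values are made up.
KEY_A = "0123456789abcdef" * 4
SECRET_A = "fedcba9876543210" * 4
DOCS = {
    "spot.md": (
        "## Authentication\n"
        "The keys below are for demonstration only.\n"
        f"apiKey: {KEY_A}\n"
        f"secretKey: {SECRET_A}\n"
    ),
    "futures.md": (
        "## Authentication\n"
        f"apiKey: {KEY_A}\n"
        f"secretKey: {SECRET_A}\n"
    ),
    "futures-fixed.md": (
        "## Authentication\n"
        "apiKey: YOUR_API_KEY_HERE\n"
        "secretKey: YOUR_SECRET_KEY_HERE\n"
    ),
}

if __name__ == "__main__":
    for name, text in DOCS.items():
        for line_no, field, value in scan_doc(text):
            print(f"{name}:{line_no}: undisclaimed {field} {value[:8]}...")
    print("keys to confirm revoked:", len(distinct_keys(DOCS)))
```

Run as a CI step over the docs directory, the scan fails the build on any undisclaimed live-format key, which is what step 3 asks for.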

Methodology: Triple-verification static analysis -- each finding verified across three independent code review passes.
Researcher: Independent Security Researcher -- Mefai Security Team
