From 91150e5a5de2f2f490ebc61238c2a924b7c64c12 Mon Sep 17 00:00:00 2001
From: Lutra23
Date: Sun, 22 Feb 2026 20:49:11 +0800
Subject: [PATCH] fix(mcp): validate evm wallet addresses at API entrypoints
---
 apps/mcp/src/index.ts | 12 ++++++++++++
 apps/mcp/src/lib/validation/address.ts | 10 ++++++++++
 2 files changed, 22 insertions(+)
 create mode 100644 apps/mcp/src/lib/validation/address.ts
diff --git a/apps/mcp/src/index.ts b/apps/mcp/src/index.ts
index 469dd7a..af02afe 100644
--- a/apps/mcp/src/index.ts
+++ b/apps/mcp/src/index.ts
@@ -10,6 +10,7 @@ import env, { getPort, getTrustedOrigins, isDevelopment } from "./env.js";
 import { auth, db } from "./lib/auth.js";
 import { getBalancesSummary } from "./lib/balance-tracker.js";
 import { isNetworkSupported, type UnifiedNetwork } from "./lib/3rd-parties/cdp/wallet/networks.js";
+import { isEvmNetwork, isValidEvmAddress } from "./lib/validation/address.js";
 import { SecurityHook } from "./lib/proxy/hooks/security-hook.js";
 import { X402WalletHook } from "./lib/proxy/hooks/x402-wallet-hook.js";
 import { VLayerHook } from "./lib/proxy/hooks/vlayer-hook.js";
@@ -138,6 +139,9 @@ app.post("/api/onramp/url", async (c) => {
 if (!walletAddress) {
 return c.json({ error: "Missing walletAddress" }, 400);
 }
+ if (!isValidEvmAddress(walletAddress)) {
+ return c.json({ error: "Invalid walletAddress: expected a valid EVM address" }, 400);
+ }
 const url = await createOneClickBuyUrl(walletAddress, {
 network: typeof body.network === "string" && body.network ? body.network : undefined,
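Review bot: The new `isValidEvmAddress` check in the `/api/onramp/url` handler runs on every request, yet the lines just below still forward a caller-chosen `body.network` to `createOneClickBuyUrl`, so the address format and the target network are validated independently of each other. The `/api/balance` hunk in this same commit gates on `isEvmNetwork(network)` before checking the address. If the onramp can ever target a non-EVM network this endpoint would reject valid destinations, and if it cannot, a comment such as `// onramp destinations are EVM-only, so the address is always checked as EVM` would record that assumption next to the check. The handler starts and ends outside the hunk, so how `walletAddress` is read from the body is not visible here.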
@@ -225,6 +229,14 @@ app.get("/api/balance", async (c) => {
 network = "base" as UnifiedNetwork;
 }
+ if (!isEvmNetwork(network)) {
+ return c.json({ error: `Network "${network}" is not supported by the balance tracker (EVM only)` }, 400);
+ }
+
+ if (!isValidEvmAddress(walletAddress)) {
+ return c.json({ error: "Invalid walletAddress: expected a valid EVM address" }, 400);
+ }
+
 const summary = await getBalancesSummary(walletAddress as any, network);
 const serializeNative = (n: any) => n ? {
diff --git a/apps/mcp/src/lib/validation/address.ts b/apps/mcp/src/lib/validation/address.ts
new file mode 100644
index 0000000..d2d71c1
--- /dev/null
+++ b/apps/mcp/src/lib/validation/address.ts
@@ -0,0 +1,10 @@
+import { isAddress } from "viem";
+import { getNetworkConfig, type UnifiedNetwork } from "../3rd-parties/cdp/wallet/networks.js";
+
+export function isValidEvmAddress(address: string): boolean {
+ return isAddress(address);
+}
+
+export function isEvmNetwork(network: UnifiedNetwork): boolean {
+ return getNetworkConfig(network)?.architecture === "evm";
+}
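Review bot: `getBalancesSummary(walletAddress as any, network)` keeps its `as any` cast even though the address has just been validated, because `isValidEvmAddress` returns a plain `boolean` and narrows nothing. Assuming `getBalancesSummary` takes viem's `Address`, declaring the helper as a type predicate, `export function isValidEvmAddress(address: string): address is Address`, would let this call drop the cast, so the compiler ties the validated value to the one that is actually used. The 400 body also interpolates `network` back to the caller; that looks harmless in a JSON response if `network` has already passed `isNetworkSupported`, but that check is outside the hunk and should be confirmed.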
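Review bot: `isValidEvmAddress` relies on its `string` annotation alone, but at the `/api/onramp/url` entrypoint the value comes from a request body whose parsing is not shown, so a non-string JSON value could reach `isAddress` at runtime. A guard such as `return typeof address === "string" && isAddress(address);` makes the helper return false instead of depending on how viem treats other types. A short TSDoc comment would also help: viem's `isAddress` is strict by default, so mixed-case input must carry a valid EIP-55 checksum while all-lowercase input is accepted without one, and callers should know which guarantee they are getting.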