Severity: HIGH
Summary
GitHub secret scanning alert #1 on dcccrypto/percolator repo (created 2026-03-22) detected the same Supabase service_role key leaked in 3 additional files on the percolator Anchor program repo. This is separate from GH#1876 (percolator-launch repo leak).
Affected Files (dcccrypto/percolator repo — in git history)
.env.local (commit 1c85001, blob 29f195ab) — line 5, cols 28-247
apply-migration-008.mjs (commit 45be9e8, blob 339269a7) — line 5, cols 63-282
.env.vercel (commit 2ffd187, blob e5469e76) — line 5, cols 28-247
Evidence
GET /repos/dcccrypto/percolator/secret-scanning/alerts/1/locations
→ 3 commit locations found, state: open, created: 2026-03-22
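To turn the alert and locations responses above into the "Affected Files" lines and a remediation status, here is an added helper (not part of the issue or the repo). The sample JSON is constructed to match this alert; the short shas are the ones quoted in the issue, whereas the real API returns full 40-character shas.

```python
import json

# Constructed sample responses, shaped like the GitHub REST API payloads for
# GET /repos/{owner}/{repo}/secret-scanning/alerts/{n} and .../locations.
SAMPLE_ALERT = json.loads(
    '{"number": 1, "state": "open", "created_at": "2026-03-22T00:00:00Z", "resolution": null}'
)
SAMPLE_LOCATIONS = json.loads("""[
 {"type": "commit", "details": {"path": ".env.local", "start_line": 5, "end_line": 5,
   "start_column": 28, "end_column": 247, "blob_sha": "29f195ab", "commit_sha": "1c85001"}},
 {"type": "commit", "details": {"path": "apply-migration-008.mjs", "start_line": 5, "end_line": 5,
   "start_column": 63, "end_column": 282, "blob_sha": "339269a7", "commit_sha": "45be9e8"}},
 {"type": "commit", "details": {"path": ".env.vercel", "start_line": 5, "end_line": 5,
   "start_column": 28, "end_column": 247, "blob_sha": "e5469e76", "commit_sha": "2ffd187"}}
]""")


def format_location(loc):
    """Render one location entry as an 'Affected Files' line."""
    d = loc.get("details", {})
    if loc.get("type") != "commit":
        # Non-commit locations (issue text, PR comments, wiki) also need cleanup,
        # but they are not in git history; surface them separately.
        return f"non-commit location ({loc.get('type')})"
    return (f"{d['path']} (commit {d['commit_sha'][:7]}, blob {d['blob_sha'][:8]}), "
            f"line {d['start_line']}, cols {d['start_column']}-{d['end_column']}")


def summarize(alert, locations):
    """Return remediation status and affected-file lines for one alert."""
    return {
        "alert": alert["number"],
        # Still open means the key has not been rotated/revoked and recognised by scanning.
        "needs_remediation": alert.get("state") == "open",
        "commit_locations": sum(1 for l in locations if l.get("type") == "commit"),
        "files": [format_location(l) for l in locations],
    }


if __name__ == "__main__":
    report = summarize(SAMPLE_ALERT, SAMPLE_LOCATIONS)
    print(f"alert #{report['alert']}: needs_remediation={report['needs_remediation']}, "
          f"{report['commit_locations']} commit locations")
    for line in report["files"]:
        print("  " + line)
```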
Risk
Same as GH#1876: the Supabase service_role key bypasses Row Level Security (RLS), so anyone holding it has full admin access to the database. Because the key has never been rotated (confirmed 2026-03-31), this leak adds 9+ days of exposure via the percolator repo (compared with 7+ weeks on percolator-launch).
Rotating the service_role key to fix GH#1876 resolves this alert as well, since it is the same key.
Action Required (KHUBAIR)
This does NOT require separate remediation — resolving GH#1876 (rotating the Supabase service_role key) will close this alert too.
Priority: Resolve GH#1876 first — same remediation fixes both.
Relation to GH#1876
GH#1876 covers the percolator-launch repo leak. This issue covers the same key leaked on the percolator (Anchor) repo. Single key rotation resolves both.
Verified
- 2026-03-31 10:33 UTC: Alert confirmed open, unresolved
- solana program show: Upgrade authority still 7JVQvrAf (single keypair — C1 from PERC-8340)