From fbcb679bcf723ada99ddc4bca112ac9d641ff5f9 Mon Sep 17 00:00:00 2001
From: clawbot
Date: Fri, 27 Feb 2026 11:42:18 -0800
Subject: [PATCH] fix(L5): truncate token name/symbol from RPC responses

Limits token name to 64 chars and symbol to 12 chars to prevent storage of excessively long values from malicious contracts.
---
 src/shared/balances.js | 4 ++++
 1 file changed, 4 insertions(+)

diff --git a/src/shared/balances.js b/src/shared/balances.js
index 24f19a6..732812a 100644
--- a/src/shared/balances.js
+++ b/src/shared/balances.js
@@ -192,6 +192,10 @@ async function lookupTokenInfo(contractAddress, rpcUrl) {
 name = symbol;
 }
+ // Truncate to prevent storage of excessively long values from RPC
+ name = String(name).slice(0, 64);
+ symbol = String(symbol).slice(0, 12);
+ log.infof("Token resolved:", symbol, "decimals", Number(decimals));
 return { name, symbol, decimals: Number(decimals) };
 }
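Review bot: The added truncation bounds length only, so a contract-supplied name or symbol can still carry control characters, newlines or bidirectional-override code points into the `log.infof` call and the returned object. Stripping those before slicing would close that gap, for example `name = String(name).replace(/[\p{Cc}\p{Cf}]/gu, "").slice(0, 64);` and the same for `symbol` with 12. `slice` also counts UTF-16 code units, so a cut at the limit can leave a lone surrogate; `Array.from(s).slice(0, n).join("")` truncates by code point instead. `String()` turns a null or undefined value into the literal text "null" or "undefined"; whether that can reach these lines depends on the part of lookupTokenInfo above the hunk, which is not visible here.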