Glif API access-token security
Glif, our FEVM RPC API provider, is moving from a free to a paid plan. We will pay for our RPC API usage based on the number of requests.
Since our access token is publicly visible (it ships as part of Station Core & Station Desktop), there is a potentially expensive attack vector: a malicious actor can extract the token and use it to make millions of RPC API calls that we will be billed for.
To make things worse, there is only one access token shared by all Station instances. We cannot selectively block an adversarial Station operator; the only option is to revoke that one token and thereby block the entire network.
How can we mitigate this attack?
Ideally, each Station instance would get its own access token (issued by an automated process), with a rate limit configured for every token we give out.
We can also rate-limit requests for new access tokens (i.e. enrolment of new Station instances), so an attacker cannot simply fetch a fresh token every time one gets throttled.
We can also tie each access token to a participant wallet address. This effectively implements a staking mechanism: Station operators stake their scheduled rewards as a pledge to use their access token responsibly, and an abusive token can be revoked without affecting any other operator.
Can we find a simpler mitigation that’s easier to implement?
In particular, we either need to
- Significantly reduce the probability that we will have to cut off the entire Station network because a malicious actor is DoSing us; or
- Clearly acknowledge that we are fine with network-wide downtime in case of such a DoS attack, downtime that could last several days if it starts over a weekend or a holiday; or
- Clearly acknowledge that we are fine with paying an arbitrary RPC API bill to avoid network downtime when facing a DoS attack.