fix: block alchemy_ prefixed methods#2990

Merged
grothem merged 1 commit into
mainfrom
fix/aav-14-json-rpc-method-injection-via-api-rpc-proxy
May 22, 2026
Conversation

@sammdec
Contributor

@sammdec sammdec commented May 21, 2026

Summary

  • Reject any /api/rpc-proxy request whose method is missing, non-string, or starts with alchemy_, so callers can't use the proxy to hit Alchemy-only RPCs

Test plan

  • curl -X POST .../api/rpc-proxy -d '{"chainId":1,"method":"alchemy_getTokenBalances","params":[...]}' returns 400 {"error":"Method not allowed"}
  • curl -X POST .../api/rpc-proxy -d '{"chainId":1,"method":"eth_blockNumber","params":[]}' still returns a block number
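
The rule in the summary above, as an added TypeScript example that is not the aave-ui project's own code: a validator for the parsed request body that rejects a missing or non-string method and the alchemy_ prefix, and also applies the same check to every entry of a JSON-RPC batch array so a blocked method cannot ride inside a batch. The function names, the case-insensitive comparison and the batch handling are assumptions of this example, not taken from the PR.

```typescript
// Added example, not the project's code: validation for a JSON-RPC proxy body
// per this PR's rule (reject missing, non-string, or alchemy_-prefixed methods).
// `validateRpcRequest`, `RpcVerdict` and the batch handling are assumptions.

type RpcVerdict =
  | { ok: true; methods: string[] }
  | { ok: false; status: 400; error: string };

const BLOCKED_PREFIX = "alchemy_";
const REJECT: RpcVerdict = { ok: false, status: 400, error: "Method not allowed" };

// Returns the method name of one JSON-RPC request object, or null if it must
// be rejected. Assumption beyond the PR text: the prefix match ignores case,
// so a capitalised variant of the prefix is treated the same way.
function checkMethod(req: unknown): string | null {
  if (typeof req !== "object" || req === null || Array.isArray(req)) return null;
  const method = (req as Record<string, unknown>).method;
  if (typeof method !== "string" || method.length === 0) return null;
  if (method.toLowerCase().startsWith(BLOCKED_PREFIX)) return null;
  return method;
}

// Validates a parsed body. A batch (array) passes only if every element
// passes; an empty batch or a single bad element rejects the whole request.
function validateRpcRequest(body: unknown): RpcVerdict {
  const items = Array.isArray(body) ? body : [body];
  if (items.length === 0) return REJECT;
  const methods: string[] = [];
  for (const item of items) {
    const m = checkMethod(item);
    if (m === null) return REJECT;
    methods.push(m);
  }
  return { ok: true, methods };
}

// Constructed sample bodies mirroring the two calls in the test plan.
const SAMPLE_BLOCKED = { chainId: 1, method: "alchemy_getTokenBalances", params: [] };
const SAMPLE_ALLOWED = { chainId: 1, method: "eth_blockNumber", params: [] };
```

A route handler would call `validateRpcRequest` on the parsed body and return the verdict's `status` and `error` before forwarding anything upstream.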

@odin-mjolnir

odin-mjolnir Bot commented May 21, 2026

Linked Findings

AAV-14 JSON-RPC Method Injection via /api/rpc-proxy
Severity Medium
Status Mitigating
Discovered 15 May 2026

@vercel

vercel Bot commented May 21, 2026

The latest updates on your projects.

Project: interface; Deployment: Ready; Actions: Preview, Comment; Updated (UTC): May 21, 2026 1:08pm

@github-actions

📦 Next.js Bundle Analysis for aave-ui

This analysis was generated by the Next.js Bundle Analysis action. 🤖

⚠️ Global Bundle Size Increased

Page: global; Size (compressed): 1.15 MB (🟡 +77 B)

The global bundle is the javascript bundle that loads alongside every page. It is in its own category because its impact is much higher - an increase to its size means that every page on your website loads slower, and a decrease means every page loads faster.

Any third-party scripts you have added directly to your app using the <script> tag are not accounted for in this analysis.

If you want further insight into what is behind the changes, give @next/bundle-analyzer a try!

@sammdec sammdec requested a review from mgrabina May 21, 2026 14:35
@grothem grothem merged commit 5f53e44 into main May 22, 2026
27 checks passed
@grothem grothem deleted the fix/aav-14-json-rpc-method-injection-via-api-rpc-proxy branch May 22, 2026 14:40

3 participants