A monorepo containing a community-managed dynamic JSON-RPC relay proxy that routes Ethereum requests to different backend servers based on contract addresses. The system uses Hedera Consensus Service for secure route registration and includes cryptographic verification of contract ownership. It consists of three main packages: a common utilities package, a proxy server that acts as a JSON-RPC relay with dynamic routing, and a prover client that establishes secure route registration.
- JSON-RPC Request: dApps/wallets send requests to the proxy
- Address Extraction: Proxy extracts "to" address from
eth_sendRawTransaction - Route Lookup: Check if address exists in verified route database
- Routing Decision: Route to custom relay if found, otherwise default to hashio.io
- Contract Address Generation: Owner generates deterministic address using either CREATE (deployer + nonce) or CREATE2 (deployer + salt + init code hash)
- Cryptographic Proof: Signs route data with ECDSA to prove ownership
- Secure Submission: Encrypts and submits route data to Hedera Consensus Service
- Message Processing: Proxy decrypts, verifies signatures, and validates ownership
- Challenge-Response: Proxy challenges the claimed JSON-RPC endpoint URL
- Verification: Prover responds with ECDSA signature to prove control of endpoint
- Route Activation: Successful verification adds route to database and sends confirmation
- Node.js: 18.0.0 or higher (required by all packages)
- npm: Latest version recommended
- Hedera testnet account with HBAR balance:
- Proxy Account: Minimum 25 HBAR (for HIP-991 topic creation)
- Prover Account: Minimum 1 HBAR (for $0.50 submission fees)
- Ethereum JSON-RPC endpoint (optional, for testing)
# Clone the repository
git clone https://github.com/your-username/hiero-json-rpc-relay-proxy.git
cd hiero-json-rpc-relay-proxy
# Install all dependencies for all packages
npm install
# Install pre-commit hooks (recommended for contributors)
npm run install:hooks
# Alternative: Install for specific packages only
npm install --workspace=packages/common
npm install --workspace=packages/proxy
npm install --workspace=packages/prover-
Configure the Proxy (required):
cd packages/proxy cp .env.example .env # Edit .env with your Hedera credentials # Ensure account has β₯25 HBAR for topic creation
-
Configure the Prover (optional for demo):
cd packages/prover cp .env.example .env # Edit .env with your Hedera credentials # Ensure account has β₯1 HBAR for submission fees
Advanced Topic Configuration: The prover supports flexible topic ID configuration:
- Use Proxy's Topic (default): Don't set
PROVER_HEDERA_TOPIC_ID- the prover will fetch and use whatever topic the proxy is configured to use - Override with Specific Topic: Set
PROVER_HEDERA_TOPIC_ID=0.0.1234567to use a specific topic regardless of what the proxy advertises
This allows testing with different topics while still maintaining compatibility with the proxy's RSA public key.
- Use Proxy's Topic (default): Don't set
-
Common Package: The
@hiero-json-rpc-relay/commonpackage is automatically installed as a dependency for both proxy and prover packages. It provides shared utilities for:- Cryptographic operations (RSA+AES encryption, ECDSA signing)
- HTTP request/response handling
- Route signature validation
- Environment variable loading
- Hedera integration utilities
-
Start the Proxy Server:
# From workspace root npm run proxy # Or from proxy package directory cd packages/proxy npm start # Development mode with auto-restart npm run proxy:dev
-
Run the Prover (in another terminal):
# From workspace root npm run prover # Or from prover package directory cd packages/prover npm start
-
Test the Proxy:
# Check status curl http://localhost:3000/status # Test JSON-RPC curl -X POST http://localhost:3000 \ -H "Content-Type: application/json" \ -d '{"jsonrpc":"2.0","method":"eth_blockNumber","params":[],"id":1}'
Version: 1.0.0
Description: Ethereum transaction routing proxy with Hedera Consensus Service integration and RSA key management
The main JSON-RPC relay proxy server that:
- Acts as a JSON-RPC relay proxy routing Ethereum requests to appropriate backend servers
- Analyzes transaction "to" addresses from
eth_sendRawTransactioncalls to determine routing - Maintains dynamic routing table mapping contract addresses to specific JSON-RPC relay endpoints
- Provides fallback routing to default JSON-RPC relay (e.g., hashio.io) for unregistered addresses
- Manages secure route registration via verified Hedera Consensus Service messages
- Creates and manages HIP-991 paid topics with $0.50 submission fee to prevent spam
- Handles RSA hybrid encryption for secure message communication on Hedera topics
- Verifies contract ownership through deterministic address computation and ECDSA signatures for both CREATE and CREATE2 deployments
- Implements challenge-response verification for URL reachability and endpoint validation
- Sends direct HTTP confirmation to provers upon successful route verification
- Provides status and management endpoints for monitoring and configuration
Key Features:
- Dynamic address-based routing for Ethereum JSON-RPC requests
- Secure route registration through Hedera Consensus Service
- Cryptographic proof of contract ownership required for route updates
- HTTP route update endpoints removed for security (all updates via Hedera only)
Security: Route updates can only be done through verified Hedera messages with cryptographic proof of contract ownership and challenge-response verification. HTTP route update endpoints have been removed for security.
Version: 1.0.0
Description: Hedera prover component for sending encrypted messages to Hedera Consensus Service
A demonstration client that shows the complete route registration flow for JSON-RPC relay endpoints:
- Fetches proxy configuration and RSA public keys from proxy status endpoints
- Creates route registration payloads mapping contract addresses to JSON-RPC relay endpoints
- Generates deterministic contract addresses using CREATE deployment parameters (deployer + nonce) or CREATE2 parameters (deployer + salt + init code hash)
- Signs route data with ECDSA for ownership verification (signs
addr+proofType+nonce+urlfor CREATE oraddr+proofType+salt+urlfor CREATE2) - Encrypts messages using RSA hybrid encryption (RSA + AES) for secure Hedera transmission
- Submits encrypted route data to Hedera topics for proxy processing
- Pays HIP-991 topic submission fees automatically (0.5 HBAR per registration)
- Starts HTTP challenge server to respond to proxy verification requests
- Handles challenge-response verification automatically with ECDSA signature responses
- Receives direct confirmation from proxy upon successful route verification
- Saves comprehensive results to timestamped JSON files and exits automatically
Purpose: Demonstrates how contract owners can securely register their preferred JSON-RPC relay endpoints with the proxy, enabling custom routing for their contract interactions.
Version: 1.0.0
Description: Common utilities and shared code for the Hiero JSON-RPC Relay system
A shared utility package providing common functionality used by both proxy and prover packages:
- RSA key management for key generation, validation, and metadata handling
- Cryptographic utilities for RSA/AES encryption, decryption, and ECDSA signature verification
- Database utilities for persistent storage, migration, and route management
- Environment variable management with validation and secure configuration loading
- Route signature validation with comprehensive error reporting and batch validation
- HTTP utilities for request parsing, CORS handling, and server creation helpers
- Hedera utilities for client initialization, ID validation, and timestamp conversion
- Message utilities for parsing, chunking, and validation of Hedera topic messages
- Ethereum utilities for transaction decoding and address validation
- Validation functions for contract addresses, configuration, and data integrity checks
Key Components:
- cryptoUtils: RSA key generation, AES encryption/decryption, signature verification
- databaseUtils: Database path management, migration, and persistence
- envLoader: Environment variable loading with validation and defaults
- validation: Route signature validation and error handling
- httpUtils: HTTP request parsing, CORS, and server utilities
- hederaUtils: Hedera client setup and utility functions
- messageUtils: Message parsing, chunking, and validation
- ethUtils: Ethereum transaction decoding and address utilities
Benefits: Centralizes common functionality, reduces code duplication, ensures consistent behavior across packages, and provides comprehensive test coverage for all shared utilities.
βββββββββββββββ βββββββββββββββ
β Proxy β β Prover β
β Package β β Package β
ββββββββ¬βββββββ ββββββββ¬βββββββ
β β
β β
ββββββββββ¬ββββββββββ
β
ββββββββΌβββββββ
β Common β
β Package β
β (utilities) β
βββββββββββββββ
ββββββββββββ ββββββββββββββββββββββββββββββββββββββββββββββββββββ ββββββββββββββββββ
β Ethereum β β JSON-RPC Relay PROXY β β JSON-RPC β
β dApps/ βββββΊβ ββββββΊβ Relay β
β Wallets β β 1. Receive JSON-RPC Request β β Servers β
β Clients β β 2. Extract `to` from `eth_sendRawTransaction` β β β
ββββββββββββ β 3. Lookup address in routes database β β β
β β β β
β βββββββββββββββββββ ββββββββββββββββββββ β β β
β β Address Lookup β β Routes Database β β β β
β β β β (Verified) β β β β
β β 0x123... βββββββΊβ β β β β β
β β β β 0x123 β relay-a β β β β
β β β β 0x456 β relay-b β β β β
β βββββββββββββββββββ β 0x789 β relay-c β β β β
β ββββββββββββββββββββ β β β
β β β β’ hashio.io β
| IF FOUND: Route to custom JSON-RPC Relay β β β’ example.com |
| β | β’ acme.org |
β IF NOT FOUND: Route to Default (hashio.io) β β β’ ... β
ββββββββββββββββββββββββββββββββββββββββββββββββββββ ββββββββββββββββββ
Click here if you don't see the graphical Mermaid flow
sequenceDiagram
participant Prover as Prover (Contract Owner)
participant Proxy as Proxy
participant HCS as HCS
autonumber
rect rgb(191, 223, 255)
Note right of Proxy: Setup
Proxy ->> Proxy: π Generate RSA key pair
Proxy ->> HCS: Create new HIP-991 Paid Topic ($1 submission fee)
Proxy ->> HCS: Publish RSA Public Key (proxy exempt from fees)
Proxy -->> HCS: β³ Subscribe to messages
end
Prover ->> Proxy: Fetch /status
Proxy -->> Prover: Answer with Topic ID & RSA Public Key
Prover ->> Prover: π Generate AES shared secret key
Prover ->> HCS: π Submit Route Data (RSA+AES Encrypted, ECDSA signed), π° Pay $1 Topic Fee
Prover ->> Prover: β³ Listen for Challenge Requests
HCS -->> Proxy: Deliver Encrypted Message
Proxy ->> Proxy: Decrypt Message (RSA+AES), Extract AES key
Proxy ->> Proxy: Verify Signature, Extract Address (ECDSA)
Proxy ->> Proxy: β
Confirm Smart Contract's ownership (Address + Nonce)
Proxy ->> Prover: π Send Challenge Request (RSA Signed, AES Encrypted)
Prover -->> Proxy: π Respond to Challenge (ECDSA Signed, AES Encrypted)
Proxy ->> Proxy: Verify Challenge Response, Prover is accessible
Proxy ->> Proxy: Update Verified Routes Database
Proxy ->> Prover: π Confirm Route Registration Success (AES Encrypted)
rect rgb(255, 191, 191)
Note over Prover, Proxy: Security Cleanup
Prover ->> Prover: ποΈ Remove AES key from memory
Proxy ->> Proxy: ποΈ Remove AES key from memory
end
-
Contract Owner (Prover):
- Generates route data, including the contract address and relay information.
- Creates a shared AES secret key for secure communication with the Proxy.
- Signs the data using ECDSA and encrypts it using hybrid encryption (RSA for AES key + AES for payload).
- Submits the encrypted message to the Hedera topic.
- Maintains the AES key in memory for subsequent encrypted communications.
-
Hedera Consensus Service:
- Acts as a secure message relay, delivering the encrypted message to the Proxy.
- HIP-991 Paid Topics: Implements $0.50 USD equivalent submission fee (0.5 HBAR) to prevent spam.
- Fee Collection: Proxy collects submission fees as topic creator and fee collector.
- Fee Exemption: Proxy is exempt from submission fees via fee exempt key.
-
JSON-RPC Relay Proxy:
- Decrypts the message using its RSA private key to extract the AES key.
- Uses the AES key to decrypt the route data payload.
- Verifies the ECDSA signature to ensure authenticity.
- Validates the route data and updates the verified route database.
- Sends encrypted challenge requests to the Prover using the shared AES key.
- Verifies encrypted challenge responses from the Prover.
- Sends encrypted confirmation of successful route registration.
- Removes the AES key from memory after successful completion.
-
Security Features:
- Hybrid Encryption: RSA encrypts the AES key, AES encrypts all communication payloads.
- Shared Secret: AES key enables secure bidirectional communication.
- Memory Cleanup: Both Proxy and Prover remove the AES key after completion.
- Forward Secrecy: Each registration session uses a unique AES key.
- Verifies the ECDSA signature to ensure authenticity.
- Validates the route data and updates the verified route database.
- Sends a challenge request to the Prover to verify its availability.
- Verifies the Prover's challenge response.
- Confirms the successful route registration to the Prover.
The system implements HIP-991 Paid Topics to prevent spam and ensure quality route registrations. This provides economic security while maintaining decentralized access.
- Submission Fee: $0.50 USD equivalent (0.5 HBAR) per message submission
- Fee Purpose: Prevents spam attacks and ensures serious route registration attempts
- Fee Collection: Proxy collects all submission fees as the topic creator
- Fee Exemption: Proxy is exempt from fees via fee exempt key for operational messages
- Creates HIP-991 topic with custom fixed fee of 0.5 HBAR per submission
- Exempt from fees via fee exempt key for publishing RSA public key and confirmations
- Collects all fees paid by provers for route registration attempts
- Sets fee schedule key to allow future fee adjustments if needed
- Pays 0.5 HBAR fee automatically when submitting route registration messages
- Sets custom fee limit to maximum 0.6 HBAR to account for network fee variations
- Must have sufficient balance before attempting route registration
- Receives route verification and confirmation after successful payment and validation
- Spam Prevention: 0.5 HBAR cost makes spam attacks economically unfeasible
- Quality Assurance: Only serious projects with genuine intent will pay for registration
- Network Sustainability: Fees support proxy operation and maintenance
- Fair Access: No central gatekeeping - anyone can register by paying the transparent fee
- Scalable Economics: Fee collection scales with usage without additional infrastructure
# Proxy must have sufficient balance for topic creation (β₯25 HBAR recommended)
PROXY_HEDERA_ACCOUNT_ID=0.0.123456
PROXY_HEDERA_PRIVATE_KEY=302e020100300506032b65700...
# Prover must have sufficient balance for submissions (β₯1 HBAR recommended)
PROVER_HEDERA_ACCOUNT_ID=0.0.789012
PROVER_HEDERA_PRIVATE_KEY=0x48b52aba58f4b8dd4cd0e527...hiero-json-rpc-relay-proxy/
βββ packages/
β βββ common/ # π¦ Shared utilities and components
β β βββ src/
β β β βββ cryptoUtils.js # RSA+AES encryption, ECDSA signing
β β β βββ envLoader.js # Environment variable loading
β β β βββ hederaUtils.js # Hedera SDK utilities
β β β βββ httpUtils.js # HTTP request/response handling
β β β βββ validation.js # Route signature validation
β β β βββ index.js # Main exports
β β βββ test/ # Unit tests for common utilities
β βββ proxy/ # π JSON-RPC relay proxy server
β β βββ src/
β β β βββ proxy.js # Main proxy server
β β β βββ hederaManager.js # Hedera integration
β β β βββ dbManager.js # Route database management
β β β βββ ethTxDecoder.js # Ethereum transaction parsing
β β βββ test/ # Proxy-specific tests
β βββ prover/ # π Route registration client
β βββ src/
β β βββ prover.js # Main prover client
β β βββ hederaManager.js # Hedera integration for prover
β βββ test/ # Prover-specific tests
βββ docs/ # π Documentation
βββ test/ # π§ͺ Integration tests
βββ scripts/ # π οΈ Utility scripts
# All packages + integration tests (from workspace root)
npm test
# Individual package tests
npm run test:common
npm run test:proxy
npm run test:prover
# Integration tests only
npm run test:integration
# Test individual packages from their directories
cd packages/common && npm test
cd packages/proxy && npm test
cd packages/prover && npm test# Coverage for individual packages
npm run test:coverage --workspace=packages/common
npm run test:coverage --workspace=packages/proxy
npm run test:coverage --workspace=packages/prover
# Run coverage from package directories
cd packages/common && npm run test:coverage
cd packages/proxy && npm run test:coverage
cd packages/prover && npm run test:coverage| Script | Description |
|---|---|
npm run proxy |
Start the proxy server |
npm run proxy:dev |
Start proxy in development mode |
npm run prover |
Run the prover client |
npm run prover:dev |
Run prover in development mode |
npm test |
Run all package tests + integration |
npm run test:common |
Run common utilities tests only |
npm run test:proxy |
Run proxy tests only |
npm run test:prover |
Run prover tests only |
npm run test:integration |
Run integration tests only |
npm run test:workspaces |
Run all workspace package tests |
npm run clean |
Clean databases and node_modules |
npm run clean:db |
Clean routing databases only |
npm run format |
Format all code with Prettier |
npm run format:check |
Check code formatting |
npm run install:hooks |
Install git pre-commit hooks |
| Script | Description |
|---|---|
npm test |
Run unit tests |
npm run test:watch |
Run tests in watch mode |
npm run test:coverage |
Run tests with coverage report |
| Script | Description |
|---|---|
npm start |
Start the proxy server |
npm run dev |
Start in development mode (watch) |
npm test |
Run all proxy tests |
npm run test:unit |
Run unit tests only (skip integration) |
npm run test:integration |
Run integration tests only |
npm run test:watch |
Run tests in watch mode |
npm run test:coverage |
Run tests with coverage report |
npm run clean-db |
Clean proxy database |
| Script | Description |
|---|---|
npm start |
Run the prover client |
npm test |
Run all prover tests |
npm run test:watch |
Run tests in watch mode |
npm run test:coverage |
Run tests with coverage report |
hiero-json-rpc-relay-proxy/
βββ packages/
β βββ common/ # π¦ Shared utilities and components
β β βββ src/
β β β βββ cryptoUtils.js # RSA+AES encryption, ECDSA signing
β β β βββ databaseUtils.js # Database management utilities
β β β βββ envLoader.js # Environment variable loading
β β β βββ ethUtils.js # Ethereum transaction utilities
β β β βββ hederaUtils.js # Hedera SDK utilities
β β β βββ httpUtils.js # HTTP request/response handling
β β β βββ messageUtils.js # Message parsing and chunking
β β β βββ validation.js # Route signature validation
β β β βββ index.js # Main exports
β β βββ test/ # Unit tests for common utilities
β β βββ package.json # Package configuration
β βββ proxy/ # π JSON-RPC relay proxy server
β β βββ src/
β β β βββ proxy.js # Main proxy server
β β β βββ hederaManager.js # Hedera integration
β β β βββ dbManager.js # Route database management
β β β βββ ethTxDecoder.js # Ethereum transaction parsing
β β βββ test/ # Proxy-specific tests
β β βββ data/ # Database storage
β β βββ package.json # Package configuration
β βββ prover/ # π Route registration client
β βββ src/
β β βββ prover.js # Main prover client
β β βββ hederaManager.js # Hedera integration for prover
β βββ test/ # Prover-specific tests
β βββ data/ # Result storage
β βββ package.json # Package configuration
βββ docs/ # π Documentation
βββ test/ # π§ͺ Integration tests
βββ scripts/ # π οΈ Utility scripts
βββ wasteland/ # ποΈ Experimental/demo code
βββ package.json # Workspace configuration
-
For Common Utilities:
cd packages/common # Add your utility to src/ # Add tests to test/ # Update exports in src/index.js npm test
-
For Proxy Features:
cd packages/proxy # Add your feature to src/ # Add tests to test/ npm test
-
For Prover Features:
cd packages/prover # Add your feature to src/ # Add tests to test/ npm test
-
For Integration Features:
# Add tests to test/ npm run test:integration
- Private keys are generated automatically and stored securely
- Public keys are exposed via the status endpoint
- Key rotation is supported but requires manual intervention
- All routing messages must be signed with valid ECDSA signatures
- Encryption ensures message confidentiality
- Replay protection through timestamp validation
The proxy now includes robust security features to ensure only legitimate contract owners can register routing endpoints:
- CREATE deployment: Uses
deployer_address + noncepattern withethers.getCreateAddress() - CREATE2 deployment: Uses
deployer_address + salt + init_code_hashpattern withethers.getCreate2Address() - Computes expected contract addresses and verifies they match the provided address
- Route registrations must be signed by the contract deployer
- CREATE signature: Covers
addr + proofType + nonce + url - CREATE2 signature: Covers
addr + proofType + salt + url - Uses
ethers.verifyMessage()for signature recovery and validation
The proxy supports both CREATE and CREATE2 deployment proofs:
{
"routes": [
{
"addr": "0x3ed660420aa9bc674e8f80f744f8062603da385e",
"proofType": "create",
"nonce": 33,
"url": "http://localhost:7546",
"sig": "0x1234567890abcdef..."
},
{
"addr": "0x8ba1f109551bd432803012645hac136c5edf4aef",
"proofType": "create2",
"salt": "0x0000000000000000000000000000000000000000000000000000000000000001",
"initCodeHash": "0xddf252ad1be2c89b69c2b068fc378daa952ba7f163c4a11628f55a4df523b3ef",
"url": "http://localhost:7546",
"sig": "0x9876543210fedcba..."
}
]
}- CREATE: Standard contract deployment using deployer address and nonce
- CREATE2: Deterministic deployment using deployer address, salt, and init code hash
- Both proof types ensure cryptographic verification of contract ownership
- Use HTTPS in production environments
- Implement proper firewall rules
- Monitor Hedera topic access patterns
When the prover sends messages larger than 1024 KB to Hedera, the messages are automatically split into multiple chunks. The proxy now supports seamless handling of these chunked messages:
- β
Automatic Detection: Identifies chunked messages using
chunk_infofield - β Order Independence: Assembles chunks correctly regardless of arrival order
- β
Group Management: Uses
transaction_valid_startto group related chunks - β Error Handling: Validates chunk totals and handles mismatched chunks
- β Automatic Cleanup: Expires old chunk groups to prevent memory leaks
- β Backward Compatibility: Works seamlessly with existing message processing
- Detection: Proxy detects chunked messages by checking for
chunk_infofield - Grouping: Messages are grouped by
transaction_valid_starttimestamp - Assembly: When all chunks are received, they are combined in correct order
- Processing: Combined message is processed normally (decryption, verification, etc.)
{
"chunk_info": {
"initial_transaction_id": {
"transaction_valid_start": "1749506740.674505590"
},
"number": 1,
"total": 2
},
"message": "base64-encoded-chunk-content",
"sequence_number": 2
}For detailed implementation information, see docs/chunked-messages.md.
-
Proxy won't start:
- Check Hedera credentials in
.env - Verify account has β₯25 HBAR for topic creation
- Verify network connectivity
- Ensure port 3000 is available
- Check Hedera credentials in
-
Prover can't connect:
- Verify proxy is running (
curl http://localhost:3000/status) - Check prover
.envconfiguration - Confirm Hedera credentials are valid
- Verify proxy is running (
-
HIP-991 Topic Issues:
- Insufficient Balance: Ensure proxy account has β₯25 HBAR for topic creation
- Submission Failed: Ensure prover account has β₯1 HBAR for submission fees
- Fee Limit Exceeded: Check account balance and increase HBAR if needed
- Topic Not Found: Verify topic ID in configuration matches created topic
-
Route Submission Failures:
- Payment Required: Verify prover account has sufficient HBAR balance
- Custom Fee Error: Check network status and retry with higher fee limit
- Balance Too Low: Add HBAR to prover account for submission fees
-
Tests failing:
- Run
npm run clean:alland reinstall - Check Node.js version (requires 18+)
- Verify test environment variables
- Run
Enable detailed logging:
DEBUG=* npm start # All debug logs
DEBUG=proxy:* npm start # Proxy logs only
DEBUG=prover:* npm run prover # Prover logs onlyApache-2.0 - See LICENSE file for details.
-
Fork the repository
-
Create a feature branch
-
Set up pre-commit hooks (recommended):
npm run install:hooks
This ensures your code is automatically formatted before each commit.
-
Add tests for new functionality
-
Ensure all tests pass
-
Submit a pull request
This project uses Prettier for code formatting. The pre-commit hook will automatically format your code, but you can also run formatting manually:
# Format all files
npm run format
# Check formatting without making changes
npm run format:checkFor issues and questions:
- Create an issue on GitHub
- Check the troubleshooting section
- Review package-specific READMEs