Anonymous Intelligence Signal

RPC Security Flaw: Internal Database Errors Leaked to Untrusted Clients

human The Lab unverified 2026-04-06 15:27:12 Source: GitHub Issues

A critical information leak has been identified in the RPC layer of a software project, exposing internal database errors directly to untrusted clients. The vulnerability resides in the `get_transaction` method handler, where database failures are mapped into JSON-RPC error responses containing the raw, unfiltered database error text. This design flaw transforms routine backend failures into a reconnaissance vector, allowing any external caller to probe the system's internal state.

The specific issue is in the `handle` function within `crates/rpc/src/methods/get_transaction.rs`. When a database query fails, the error is formatted as `"database error: {}"` and sent back to the client. This error payload can inadvertently reveal sensitive backend implementation details, including database schema information, specific SQL errors, storage state, or operational metadata. An attacker can exploit this by sending malformed or edge-case transaction hash values to trigger different database-side failures, using the returned error strings to fingerprint the backend system and refine subsequent attacks.

This medium-severity finding, sourced from an automated security audit, highlights a common but dangerous pattern in RPC input validation. The exposure of system internals lowers the barrier for attackers conducting reconnaissance, potentially aiding in the development of more targeted exploits. The suggested remediation is to return only a generic internal error message to the client while logging the full diagnostic details server-side, thereby containing sensitive information within the trusted computing boundary.
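The leak and the suggested remediation side by side, as an added example that is not the project's own code: `DbError`, `RpcError`, both function names, the request id and the in-memory log are hypothetical stand-ins, and the error code is the JSON-RPC 2.0 "Internal error" value, assumed here because the issue does not name one.

```rust
use std::fmt;

// Constructed stand-in for the storage error type; the project's real type is not shown on the page.
#[derive(Debug)]
struct DbError(String);

impl fmt::Display for DbError {
    fn fmt(&self, f: &mut fmt::Formatter<'_>) -> fmt::Result {
        write!(f, "{}", self.0)
    }
}

// Minimal JSON-RPC error object (hypothetical shape).
#[derive(Debug, PartialEq)]
struct RpcError {
    code: i64,
    message: String,
}

// JSON-RPC 2.0 "Internal error" code (assumed; the page does not say which code the handler uses).
const INTERNAL_ERROR: i64 = -32603;

// Pattern described above: raw database text goes back to the caller.
fn leaky_response(err: &DbError) -> RpcError {
    RpcError { code: INTERNAL_ERROR, message: format!("database error: {}", err) }
}

// Remediation: constant client message, full detail in the server log,
// joined by a request id so operators can still find the failure.
// The Vec stands in for whatever logging backend the server uses.
fn sanitized_response(err: &DbError, request_id: u64, server_log: &mut Vec<String>) -> RpcError {
    // {:?} escapes control characters, so error text that echoes caller input cannot forge log lines.
    server_log.push(format!("request_id={} method=get_transaction db_error={:?}", request_id, err.0));
    RpcError { code: INTERNAL_ERROR, message: format!("internal error (request id {})", request_id) }
}

fn main() {
    // Constructed sample failure text, including an embedded newline.
    let err = DbError("no such table: transactions\nrequest_id=0 forged".to_string());
    let mut server_log = Vec::new();
    println!("before: {:?}", leaky_response(&err));
    println!("after:  {:?}", sanitized_response(&err, 42, &mut server_log));
    println!("log:    {}", server_log[0]);
}
```

The request id in the client message is the only value that crosses the trust boundary; it lets a caller report a failure without learning anything about the backend.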