Stellar APY Relayer Vulnerability: Unsanitized ProtocolID Opens Path Traversal and SSRF Attack Surface
A critical security flaw has been identified in the Stellar protocol's APY relayer implementation. The `FetchProtocolAPY` function in `internal/stellar/apy_relayer.go` constructs HTTP request URLs by concatenating a base URL with a `protocolID` parameter sourced directly from the on-chain yield registry, without any URL encoding, path sanitization, or input validation. The vulnerability creates dual attack vectors: path traversal and server-side request forgery.
The specific code pattern concatenates the `protocolID` into the URL using string formatting, allowing an attacker with operator access to register a protocol carrying a crafted identifier such as `../../admin/config`. This could cause the constructed URL to resolve to unintended internal paths on target servers. More severely, if the `baseURL` itself is influenceable (through a compromised operator key or a misconfigured environment variable), the relayer can be redirected to issue HTTP GET requests against arbitrary internal network addresses. This transforms the relayer process into a potential SSRF proxy, enabling reconnaissance and interaction with internal services that should be inaccessible from external networks.
The implications are significant for any deployment where the relayer operates with network egress permissions. An attacker who gains operator-level access could leverage the relayer to probe internal infrastructure, exfiltrate service data accessible via internal APIs, or pivot further into connected systems. The risk is compounded by the relayer's trusted position in the protocol's yield aggregation architecture. Mitigations would require input validation and strict allowlisting of acceptable `protocolID` values, plus hardening of the `baseURL` configuration to prevent runtime modification.