
[SECURITY] S4 — No Binance API rate limiting (IP ban risk) #12

@cluster2600

Description


Summary

No rate limiting on Binance API calls in binance_executor.py. The high-frequency trading loop will exceed Binance's limits and trigger a permanent IP ban.

Risk

HIGH — Binance enforces strict rate limits (1200 req/min weight). Exceeding them results in IP ban (temporary or permanent). No retry/backoff logic detected.

Binance Limits

  • REST API: 1200 request weight/min
  • Order rate: 10 orders/sec, 100000 orders/24h
  • Violation: HTTP 429 → repeated violation → HTTP 418 (IP ban)

Fix

import time

class RateLimiter:
    """Sliding-window limiter on Binance request weight; max_weight stays
    below the 1200/min ceiling to leave headroom for accounting drift."""
    def __init__(self, max_weight=1000, window_sec=60):
        self.max_weight = max_weight
        self.window_sec = window_sec
        self.requests = []  # (timestamp, weight) pairs still inside the window

    def _prune(self, now):
        self.requests = [r for r in self.requests if now - r[0] < self.window_sec]

    def check_and_wait(self, weight=1):
        if weight > self.max_weight:
            raise ValueError("single request weight exceeds the window budget")
        now = time.time()
        self._prune(now)
        # Loop: expiring only the oldest entry may not free enough weight,
        # and the timestamp must be re-read after sleeping.
        while sum(r[1] for r in self.requests) + weight > self.max_weight:
            time.sleep(max(0.0, self.window_sec - (now - self.requests[0][0])))
            now = time.time()
            self._prune(now)
        self.requests.append((now, weight))
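As an added example beyond the fix above (not code from binance_executor.py or from the issue author), the same sliding-window limiter with an injectable clock so it can be tested without real waiting, plus the retry/backoff wrapper the summary notes is missing. It assumes Binance's documented Retry-After header on HTTP 429/418 responses and a hypothetical send() callable returning (status, retry_after_seconds).

```python
import time
from collections import deque

class FakeClock:  # constructed clock: makes the example deterministic and instant
    def __init__(self): self.t = 0.0
    def now(self): return self.t
    def sleep(self, s): self.t += s

class WeightLimiter:
    """Sliding-window request-weight limiter with injectable clock/sleep (hypothetical)."""
    def __init__(self, max_weight=1000, window_sec=60.0,
                 clock=time.monotonic, sleep=time.sleep):
        self.max_weight, self.window_sec = max_weight, window_sec
        self.clock, self.sleep = clock, sleep
        self.used, self.total = deque(), 0   # (timestamp, weight) in window, and their sum

    def _prune(self, now):
        while self.used and now - self.used[0][0] >= self.window_sec:
            self.total -= self.used.popleft()[1]

    def acquire(self, weight=1):
        """Block until `weight` fits in the window; return seconds slept."""
        if weight > self.max_weight:
            raise ValueError("single request exceeds the window budget")
        slept, now = 0.0, self.clock()
        self._prune(now)
        while self.total + weight > self.max_weight:  # one expiry may not free enough
            wait = self.window_sec - (now - self.used[0][0])
            self.sleep(wait)
            slept, now = slept + wait, self.clock()
            self._prune(now)
        self.used.append((now, weight))
        self.total += weight
        return slept

class RateLimited(Exception):
    """HTTP 418 (IP ban) or a 429 that persists past the retry budget."""

def call_with_backoff(send, limiter, weight, sleep=time.sleep, max_retries=3):
    """Reserve weight, call send() -> (status, retry_after_sec); back off on 429.
    Binance returns Retry-After on 429/418, so it is honoured; 418 aborts at once."""
    delay = 1.0
    for _ in range(max_retries + 1):
        limiter.acquire(weight)
        status, retry_after = send()
        if status == 418:
            raise RateLimited("HTTP 418: IP banned, halt the trading loop")
        if status != 429:
            return status
        sleep(retry_after or delay)           # Retry-After if given, else exponential
        delay = min(delay * 2, 60.0)
    raise RateLimited("HTTP 429 persisted after retries")
```

A 418 is treated as terminal rather than retried, since continuing to send during a ban only lengthens it.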

Sprint

Sprint 1 — Story 1.2 (Security Hardening)

Found by PM agent audit — Feb 17, 2026

Metadata

Labels

  • critical: Critical priority
  • security: Security vulnerability
  • sprint-1: Sprint 1 scope
