@stephancill (Collaborator)

What changed? Why?

Added input validation for the `address` query parameter in the `/api/basenames/getUsernames` endpoint to prevent path traversal attacks. The endpoint was receiving malformed requests with values like `..%2Faddresses%3F` (decoded: `../addresses?`) which caused 500 errors when the CDP API rejected the malformed URL.

Changes:

  • Validate `address` is a valid Ethereum address using viem's `isAddress()`
  • Return 400 for invalid addresses instead of passing them to the CDP API
  • Add error handling for CDP API failures (check `response.ok`)

Ticket ID/URL

N/A

Notes to reviewers

This fixes 500 errors caused by malicious external requests attempting path traversal. Legitimate internal usage from the `useNameList()` hook uses wallet addresses from `useAccount()`, which are always valid.

How has it been tested?

Have you tested the following pages?

BaseWeb

  • [ ] base.org
  • [x] base.org/names
  • [ ] base.org/builders
  • [ ] base.org/ecosystem
  • [ ] base.org/name/jesse
  • [ ] base.org/manage-names
  • [ ] base.org/resources
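The three changes listed above (validate `address`, return 400 early, check `response.ok`), as an added example that is not the base-web project's own code. `isEthereumAddress()` is a hand-written stand-in for viem's `isAddress()` so the block runs without dependencies (viem's version additionally verifies the EIP-55 checksum of mixed-case input); `fakeCdpLookup()` and the host `cdp.example` are constructed stand-ins for the CDP API, and the 502 returned on an upstream failure is this example's choice, not something the PR specifies.

```javascript
// Added example, not the base-web project's own code. Mirrors the PR's three
// changes: validate `address`, return 400 early, check `response.ok`.

// Stand-in for viem's isAddress(): 0x-prefixed, exactly 40 hex characters.
// viem's version additionally verifies the EIP-55 checksum of mixed-case input.
const ADDRESS_RE = /^0x[0-9a-fA-F]{40}$/;

function isEthereumAddress(value) {
  return typeof value === 'string' && ADDRESS_RE.test(value);
}

// Constructed stand-in for the CDP API (hypothetical host cdp.example). Like
// the real upstream in the PR description, it rejects any request whose path
// is not a plain `/addresses/<address>/usernames` path.
function fakeCdpLookup(url) {
  const ok = /^https:\/\/cdp\.example\/addresses\/0x[0-9a-fA-F]{40}\/usernames$/.test(url);
  return ok
    ? { ok: true, status: 200, body: { usernames: ['example.base.eth'] } }
    : { ok: false, status: 400, body: { error: 'malformed request' } };
}

// Handler for GET /api/basenames/getUsernames?address=...
// `query` is the raw query string; `lookup` lets a caller inject a different
// upstream (used below to simulate an upstream outage).
function getUsernamesHandler(query, lookup = fakeCdpLookup) {
  const address = new URLSearchParams(query).get('address');

  // 1) Reject anything that is not an Ethereum address before it can be
  //    interpolated into a URL path. `..%2Faddresses%3F` decodes to
  //    `../addresses?` and is stopped here with a 400.
  if (!isEthereumAddress(address)) {
    return { status: 400, body: { error: 'address must be a valid Ethereum address' } };
  }

  // 2) Only a validated address reaches the upstream URL.
  const upstream = lookup(`https://cdp.example/addresses/${address}/usernames`);

  // 3) Surface upstream failures explicitly instead of letting them become an
  //    unhandled 500. 502 is this example's choice for a failed upstream call.
  if (!upstream.ok) {
    return { status: 502, body: { error: `upstream returned ${upstream.status}` } };
  }
  return { status: 200, body: upstream.body };
}
```

The order matters: the address check runs before any string is built from the parameter, so the traversal value never reaches the CDP URL, and the `ok` check turns an upstream rejection or outage into a deliberate error response rather than an unhandled exception.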

@cb-heimdall (Collaborator)

cb-heimdall commented Jan 16, 2026

✅ Heimdall Review Status

Requirement: Reviews, Status: 1/1

Denominator calculation:
  • 1 if user is bot: 0
  • 1 if user is external: 0
  • 2 if repo is sensitive: 0
  • From .codeflow.yml: 1

Additional review requirements:
  • Max: 0
  • From CODEOWNERS: 0
  • Global minimum: 0
  • Max: 1
  • 1 if commit is unverified: 0
  • Sum: 1

@vercel

vercel bot commented Jan 16, 2026

The latest updates on your projects. Learn more about Vercel for GitHub.

| Project  | Deployment | Review           | Updated (UTC)          |
|----------|------------|------------------|------------------------|
| base-web | Ready      | Preview, Comment | Jan 16, 2026 11:37am   |

@arjun-dureja (Collaborator) left a comment

Nice

@arjun-dureja arjun-dureja merged commit b0df452 into master Jan 16, 2026
11 checks passed
@arjun-dureja arjun-dureja deleted the stephan/fix-getUsernames-input-validation branch January 16, 2026 15:30