Fri Mar 3, 2023 12:21am PST
Tell HN: Be careful enabling Cloudflare features
I've been a cloudflare user and advocate for many years. I even hold a small amount of NET stock. A few months ago I enabled their web3 offering, which gives you an ethereum gateway, and added it as a backup to another gateway I had set up for a small site of mine which gets around 1000 unique visitors a day. It has been running in the free tier for a while and I thought everything was fine.

Then I got an invoice for $400. I immediately removed the cloudflare eth gateway from my site and thought I had unsubscribed from the web3 service on cloudflare's site. The next month I got another $490 invoice (~49 million requests) and saw that it was still enabled on the site, so I completely deleted and removed it as best I could from their UI. Additionally, their website dashboard UI has zero visibility into where the traffic comes from, how much there is, or what the bill will be until you get an invoice.

This is the entirety of the information you get in the invoice (1):

    > Ethereum Gateway Queries (First 500,000 requests are included
    > 01/17/2023 - 02/16/2023 48,788,614 $0.00 $490.00
I sent a support email asking if they would consider a refund, as the traffic was very likely not from my site visitors. One feature other ethereum gateway service providers offer that cloudflare does not is the ability to add a domain whitelist or even API key authentication. Cloudflare just lets you set up a domain name that they happily accept any requests to. I should have assumed someone would abuse it, but unfortunately I did not. However, without any data provided it would be entirely possible for cloudflare themselves to have a bug that mistakenly hits the domain I set up and inflates the bill. At the least I would like to be able to see where the requests came from, on what dates, and other information.

The support ticket was open for 12 days unanswered. I sent a follow-up reply, and the next day the ticket was closed with this message:

> Cloudflare only issues refunds in very specific situations, such as fault in service. As this is not the case, we will not be able to attend your request.

I accept that I'm liable for the charges and have no recourse, but I wanted to share this as a warning to others and also to hopefully reach some cloudflare employees or leadership about the need for better visibility into paid feature usage. Being able to set up access rules for the service and having user-set limits would also be very helpful. With this service in particular there is zero way to prevent someone from abusing it, as all the customer can do is point DNS to cloudflare's managed server.

1. https://i.imgur.com/DFrQEoO.png
