
fix: remediate all Round 3 security audit findings#69

Merged
0xZunia merged 1 commit into main from fix/audit-r3-remediation on Feb 22, 2026

Conversation

@0xZunia
Contributor

@0xZunia 0xZunia commented Feb 22, 2026

Summary

Addresses 43+ findings across all 13 Round 3 audit issues, spanning every layer of the stack (core, consensus, storage, execution, network, API, SDK, bridge, compliance, confidentiality, explorer, generators, node).

44 files changed — 427 insertions, 152 deletions. 2,334 tests passing, 0 warnings.

Critical (1)

  • CRIT-01: MergeForkState discarded non-contract account mutations (balance/nonce changes lost after contract calls). Added GetModifiedAccounts() to IStateDatabase and rewrote merge to iterate all dirty accounts.

High (2)

  • HIGH-01: BlockBuilder used parameterless TransactionExecutor constructor (no chain params, no validator). Reordered SetupBlockProduction() to pass pre-constructed executor.
  • HIGH-02: Sandboxed SDK dispatch Task was orphaned on timeout, risking cross-contract state corruption. dispatchTask now awaited before scope disposal.

Medium (6)

  • MED-01/MED-03 (Consensus): VoterPublicKey binding enforced in BasaltBft and PipelinedConsensus vote/view-change handlers — reject messages where SenderId doesn't match registered public key.
  • MED-01 (Execution): ChargeGasAndIncrementNonce now computes actual gas equivalent for proposer tip credit.
  • MED-02 (Execution): InsufficientBalance failure paths report tx.GasLimit as GasUsed (not 0).
  • MED-03 (Execution): UInt256.TryAdd overflow check in TransactionValidator for value + gasCost.
  • NEW-M01 (Network): TcpTransport per-IP counter leaked on failed connections — moved increment after successful connect.
  • MED-01 (Compliance): SanctionsList post-add eviction when at capacity.

Low (~25)

  • UInt256 hex truncation guard, KeystoreManager key zeroing
  • PipelinedConsensus sequential proposal rejection, SlashingEngine atomic percent slash
  • ValidatorSet lock on GetByAddress, StateDbRef delegation for GetModifiedStorageKeys/GetModifiedAccounts
  • REST multi-read consistency via state fork, PeerInfo dead code removal
  • ReputationScorer thread-safe penalty accumulator, EpisubService atomic IWANT rate limiting
  • ComplianceEngine defensive copy, BST-1155/BST-3525 checked arithmetic
  • ViewingKey/ConfidentialityModule ephemeral key zeroing, BridgeState recipient validation
  • GraphQL Mutation logger injection + generic error messages, case-insensitive 0x handling
  • Explorer AOT JSON context fix, faucet key zeroing, DataDir symlink resolution
  • Global rate limiter (not per-endpoint), CORS restricted to explorer domain
  • Codec size comment, BLS PoP documentation note, nullifier reset docs

Informational (3)

  • Docker no-new-privileges + cap_drop: ALL on all validators
  • GossipService re-serialization dedup comment
  • TransportEncryption single-thread assumption documented

Design Decisions (unchanged)

  • LOW-05 (Core): UInt256 implicit int conversion — runtime OverflowException on negative values is intentional for ergonomics.
  • M-03/R1 (Consensus): WeightedLeaderSelector.StakeToWeight precision — ~0.02% deviation acceptable for leader selection.
  • LOW-03 (Consensus): No on-chain BLS Proof-of-Possession — mitigated by P2P-based key exchange.

Test plan

Closes #56, closes #57, closes #58, closes #59, closes #60, closes #61, closes #62, closes #63, closes #64, closes #65, closes #66, closes #67, closes #68

Address 43+ findings across 13 audit issues (#56-#68) spanning all layers:

Critical:
- CRIT-01: MergeForkState now merges all modified accounts, not just contract address

High:
- HIGH-01: BlockBuilder receives pre-constructed TransactionExecutor
- HIGH-02: Sandboxed orphaned Task awaited before scope disposal

Medium:
- MED-01/03: VoterPublicKey binding enforced in BasaltBft and PipelinedConsensus
- MED-01 (Execution): ChargeGasAndIncrementNonce uses actual gas for tip credit
- MED-02: InsufficientBalance paths report tx.GasLimit as GasUsed
- MED-03: UInt256.TryAdd overflow check in TransactionValidator
- NEW-M01: TcpTransport per-IP counter leak on failed connections
- MED-01 (Compliance): SanctionsList post-add eviction

Low/Informational:
- UInt256 hex truncation guard, KeystoreManager key zeroing
- PipelinedConsensus sequential proposal rejection
- SlashingEngine atomic percent slash, ValidatorSet lock
- StateDbRef GetModifiedStorageKeys/GetModifiedAccounts delegation
- REST multi-read consistency via state fork
- PeerInfo dead code removal, ReputationScorer thread safety
- TransportEncryption/EpisubService concurrency docs and fixes
- ComplianceEngine defensive copy, BST-1155/3525 checked arithmetic
- ViewingKey/ConfidentialityModule ephemeral key zeroing
- BridgeState recipient validation
- GraphQL Mutation logger injection, case-insensitive 0x handling
- Explorer AOT JSON context, faucet key zeroing, DataDir symlink resolution
- Rate limiter global policy, CORS hardening
- Docker no-new-privileges and cap_drop ALL
- Codec size comment, BLS PoP documentation, nullifier reset docs

44 files changed, 2334 tests passing, 0 warnings.
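The MED-03 overflow check from the list above, shown as an added C# illustration that is not code from this PR or the project: `ulong` stands in for `UInt256`, and `Tx`, `TxValidator` and the local `TryAdd` are hypothetical names modelled on the `UInt256.TryAdd` pattern the fix describes. The unchecked variant is the failure mode, the checked variant the remediated shape.

```csharp
// Added illustration only (not project code). ulong models UInt256; a wrapping
// value + gasCost sum lets an unaffordable transaction pass the balance check.
using System;

public sealed class Tx
{
    public ulong Value { get; init; }
    public ulong GasLimit { get; init; }
    public ulong GasPrice { get; init; }
}

public static class TxValidator
{
    // Hypothetical stand-in for UInt256.TryAdd: false on wrap instead of silently wrapping.
    public static bool TryAdd(ulong a, ulong b, out ulong sum)
    {
        sum = unchecked(a + b);
        return sum >= a; // a wrapped sum is always smaller than either operand
    }

    // 'Before' shape: unchecked arithmetic, so the wrapped total looks affordable.
    public static bool CanAffordUnchecked(Tx tx, ulong balance)
    {
        ulong gasCost = unchecked(tx.GasLimit * tx.GasPrice);
        ulong total = unchecked(tx.Value + gasCost);
        return balance >= total;
    }

    // 'After' shape: every intermediate result must fit, otherwise the tx is rejected.
    public static bool CanAffordChecked(Tx tx, ulong balance)
    {
        ulong gasCost;
        try { gasCost = checked(tx.GasLimit * tx.GasPrice); }
        catch (OverflowException) { return false; }
        return TryAdd(tx.Value, gasCost, out ulong total) && balance >= total;
    }

    public static void Main()
    {
        // Constructed input: Value + gasCost = 2^64 + 20994, which wraps to 20994
        // in unchecked ulong arithmetic, far below the 100000 balance.
        var tx = new Tx { Value = ulong.MaxValue - 5, GasLimit = 21_000, GasPrice = 1 };
        ulong balance = 100_000;
        Console.WriteLine($"unchecked check passes: {CanAffordUnchecked(tx, balance)}");
        Console.WriteLine($"checked check passes:   {CanAffordChecked(tx, balance)}");
    }
}
```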
@0xZunia 0xZunia merged commit 992fa01 into main Feb 22, 2026
5 checks passed