Security: Airdrop Double-Claiming Protection by MichaelSovereign · Pull Request #2891 · Scottcjn/Rustchain

MichaelSovereign · 2026-05-02T05:30:07Z

Summary

This PR addresses a significant vulnerability in the Airdrop V2 module that could allow users to claim rewards multiple times.

Changes

Global Uniqueness Constraints: Updated the database schema to enforce constraints on and independently. This ensures that a single GitHub account cannot claim rewards to multiple wallets, and a single wallet cannot receive rewards from multiple GitHub accounts.
Hardened Eligibility Logic: Updated to perform a global check across all chains for both the GitHub handle and the wallet address.
Sybil Resistance: Significantly increases the cost of Sybil attacks by preventing the reuse of eligible accounts or wallets.

Closes #7444

…ottcjn#2288)

…ministic JSON

…warding

… API

…n for auto-settler

…and contract updates

…nfiguration

…llisions

…shes on empty data

…ations in payouts

…in claims eligibility

… report tampering

…nts to prevent negative value injection

…ions

…C address and flag storage

…on endpoints to prevent data leakage

…vent race condition bypass

…in Sophia Inspector

…n for Ergo anchoring

…que WART addresses per epoch

…in airdrop to prevent double-claiming

jaxint

PR Review: Airdrop Double-Claiming Protection

Summary

This PR addresses a security vulnerability in the RustChain codebase.

Key Changes

node/airdrop_v2.py: +8 -4
node/anti_double_mining.py: +2 -1
node/arch_cross_validation.py: +7 -2

Assessment

✅ Approve — Meaningful security fix.

Reviewed by: jaxint
Wallet: AhqbFaPBPLMMiaLDzA9WhQcyvv4hMxiteLhPk3NhG1iG

MichaelSovereign added 30 commits April 12, 2026 16:30

feat: implement RIP-309 Phase 1 Fingerprint Check Rotation

9005379

fix: address Codex review for RIP-309 Phase 1

1c1e41c

fix: complete RIP-309 integration with reward gating and signature fix

d4ad46b

fix: integrate canonical RIP-309 rotation module for reward weighting

4d2b086

fix: bind _handle_get_state signature to msg_id and ttl (arity fix Sc…

d5c825d

…ottcjn#2288)

Security: Hardened P2P sync with replay protection, nonces, and deter…

2080a24

…ministic JSON

Security: Prevent mining reward type confusion in mempool and UTXO apply

464a08e

Security: Hardened Server Proxy with path whitelisting and header for…

ba859a7

…warding

Security: Atomic balance checks and secure hash generation for Bridge…

a84314c

… API

Security: Fix voting precision by migrating from REAL to INTEGER weights

ed6d1e9

Enhancement: Added environment variable support and API authenticatio…

2437488

…n for auto-settler

Security: Implemented cryptographic authentication for bounty claims …

574c26b

…and contract updates

Enhancement: Added address validation and security checks for x402 co…

2aef619

…nfiguration

Security: Fixed potential SQL injection in passport listing

cc7b765

Security: Protected Hall of Rust from SQL injection and data vandalism

9e59f39

Security: Hardened LLM JSON extraction in Sophia Governor

1239068

Security: Switched to full SHA-256 for machine identity to prevent co…

92a73c9

…llisions

Security: Added robustness to cache feature extraction to prevent cra…

4851646

…shes on empty data

Security: Switched from float to Decimal for precise financial calcul…

29c6686

…ations in payouts

Security: Switched from print to logging and improved error handling …

ee06e4e

…in claims eligibility

Security: Enforced commitment matching in BCOS attestation to prevent…

dfbfa93

… report tampering

Security: Added database-level CHECK constraints for transaction amou…

1b134b4

…nts to prevent negative value injection

Security: Hardened claim ID generation to prevent potential ID collis…

179a811

…ions

Security: Prevented field-level DoS in hardware binding by capping MA…

11e7c32

…C address and flag storage

Security: Implemented HMAC authentication for P2P state and attestati…

a0cee05

…on endpoints to prevent data leakage

Security: Implemented atomic transactions for IP rate limiting to pre…

88cac3f

…vent race condition bypass

Security: Implemented input sanitization to prevent prompt injection …

a6ec6e6

…in Sophia Inspector

Enhancement: Added environment variable support and timeout protectio…

2d532ae

…n for Ergo anchoring

Security: Prevented Sybil attacks in Warthog rewards by enforcing uni…

140f85d

…que WART addresses per epoch

Security: Enforced global uniqueness for GitHub accounts and wallets …

631c761

…in airdrop to prevent double-claiming

MichaelSovereign requested a review from Scottcjn as a code owner May 2, 2026 05:30

github-actions Bot added BCOS-L1 Beacon Certified Open Source tier BCOS-L1 (required for non-doc PRs) node Node server related tests Test suite changes size/XL PR: 500+ lines labels May 2, 2026

jaxint approved these changes May 3, 2026

View reviewed changes

jaxint mentioned this pull request May 3, 2026

Claim: PR Review #2891 - Security PR by MichaelSovereign Scottcjn/rustchain-bounties#8364

Open

Scottcjn closed this May 3, 2026

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Uh oh!

Security: Airdrop Double-Claiming Protection#2891

Security: Airdrop Double-Claiming Protection#2891
MichaelSovereign wants to merge 30 commits intoScottcjn:mainfrom
MichaelSovereign:security-fix/airdrop-double-claim

MichaelSovereign commented May 2, 2026

Uh oh!

jaxint left a comment

Uh oh!

Reviewers

Assignees

Labels

Projects

Milestone

Development

Uh oh!

3 participants

Uh oh!

Conversation

MichaelSovereign commented May 2, 2026

Summary

Changes

Uh oh!

jaxint left a comment

Choose a reason for hiding this comment

PR Review: Airdrop Double-Claiming Protection

Summary

Key Changes

Assessment

Uh oh!

Reviewers

Assignees

Labels

Projects

Milestone

Development

Uh oh!

3 participants