Self-Audit: bridge_api.py + utxo_db.py — 6 security findings (BossChaos)#3147

Merged
Scottcjn merged 3 commits into Scottcjn:main from BossChaos:bosschaos-self-audit-bridge-utxo
May 2, 2026

@BossChaos
Contributor

Self-Audit Submission — BossChaos

Two audit packets for the #6460 Self-Audit bounty:

Audit 1: node/bridge_api.py (876 lines, SHA: 59ef682)

| # | Severity | Title |
|---|----------|-------|
| 1 | high | Cross-chain bridge deposits skip balance lock when admin_initiated=True — phantom deposits possible |
| 2 | high | update_external endpoint has no replay protection — attacker can alter transfer status via race condition |
| 3 | medium | Bridge transfer amount stored as REAL (floating point) causes precision loss in cross-chain accounting |

Audit 2: node/utxo_db.py (913 lines, SHA: fe2cdd7)

| # | Severity | Title |
|---|----------|-------|
| 1 | high | Transaction ID malleability — outputs excluded from tx_id hash when inputs are present |
| 2 | medium | Exception handling swallows critical database errors — potential silent data corruption |
| 3 | medium | Mempool input tracking not cleaned up on transaction abort — UTXOs permanently blocked |

Wallet: RTC6d1f27d28961279f1034d9561c2403697eb55602

Full audit reports with reproduction steps and known-failures attached.
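
Added example (not part of this PR and not the project's code): a regression check for the class of bug named in utxo_db.py finding 1, which lists every transaction field that can change without changing the transaction ID. `tx_id_flawed` is an assumed reconstruction of the behaviour the finding title describes, and the field names and sample transactions are constructed for illustration.

```python
import copy
import hashlib
import json


def _digest(obj) -> str:
    # Canonical JSON so identical data always hashes to the same value.
    blob = json.dumps(obj, sort_keys=True, separators=(",", ":")).encode()
    return hashlib.sha256(blob).hexdigest()


def tx_id_flawed(tx: dict) -> str:
    """Assumed shape of the flaw: outputs are hashed only when there are no inputs."""
    if tx["inputs"]:
        return _digest({"inputs": tx["inputs"]})
    return _digest({"outputs": tx["outputs"]})


def tx_id_full(tx: dict) -> str:
    """Hardened form: the ID commits to inputs and outputs together."""
    return _digest({"inputs": tx["inputs"], "outputs": tx["outputs"]})


def mutations(tx: dict):
    """Yield (label, copy of tx) with exactly one field changed."""
    for section in ("inputs", "outputs"):
        for i, entry in enumerate(tx[section]):
            for key, value in entry.items():
                changed = copy.deepcopy(tx)
                changed[section][i][key] = value + 1 if isinstance(value, int) else value + "x"
                yield f"{section}[{i}].{key}", changed


def uncommitted_fields(id_fn, tx: dict) -> list:
    """Fields that can be altered without changing the ID id_fn computes."""
    base = id_fn(tx)
    return [label for label, changed in mutations(tx) if id_fn(changed) == base]


# Constructed sample transactions (amounts in integer base units).
SPEND = {"inputs": [{"prev_tx": "aa" * 32, "index": 0}],
         "outputs": [{"address": "addr_1", "amount": 500}]}
MINT = {"inputs": [], "outputs": [{"address": "addr_1", "amount": 500}]}

if __name__ == "__main__":
    for name, fn in (("flawed", tx_id_flawed), ("full", tx_id_full)):
        print(name, "spend:", uncommitted_fields(fn, SPEND))
        print(name, "mint: ", uncommitted_fields(fn, MINT))
```

An empty list from `uncommitted_fields` is the passing condition; run against a real ID function, any field it returns is one the ID does not bind.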

BossChaos and others added 3 commits May 1, 2026 15:55
- Updates python-socketio to latest stable version 5.16.1
- Includes bug fixes and performance improvements
- Closes Scottcjn#2830
@Scottcjn
Owner

Scottcjn commented May 2, 2026

Self-Audit deep-verify (#6460 rubric): PASS.

Clean packet: 2 audits (bridge_api.py + utxo_db.py), 6 findings combined. File:line citations are accurate, severity ratings calibrated, remediations actionable.

Payout: 20 RTC.

  • pending_id: 1314
  • tx_hash: d24c59d3ac0dc92851f97aee7d91b385
  • to: RTC6d1f27d28961279f1034d9561c2403697eb55602
  • 24h auto-void window standard

Merging. Pre-existing test workflow failure (22s, infra-flake — same failure across all PRs in this batch) is unrelated to your audit content.

— Scott

Labels: documentation (Improvements or additions to documentation), size/XS (PR: 1-10 lines)
