Skip to content

[CLEAN] 6 UTXO Security Vulnerabilities + PoC Tests (Supersedes #4014 & #3935)#4036

Closed
BossChaos wants to merge 2 commits intoScottcjn:mainfrom
BossChaos:utxo-clean-submission
Closed

[CLEAN] 6 UTXO Security Vulnerabilities + PoC Tests (Supersedes #4014 & #3935)#4036
BossChaos wants to merge 2 commits intoScottcjn:mainfrom
BossChaos:utxo-clean-submission

Conversation

@BossChaos
Copy link
Copy Markdown
Contributor

@BossChaos BossChaos commented May 7, 2026

Summary

This is a clean, focused PR containing ONLY the UTXO vulnerability tests and minimal fixes. It supersedes #4014 and #3935 to avoid review noise and overlap confusion.

Vulnerabilities Covered (Bounty #2819)

Severity Vulnerability PoC Test
Critical _allow_minting bypass test_allow_minting_bypass
Critical TOCTOU double-spend test_toctou_double_spend
High Coinbase cap overflow test_coinbase_cap_overflow
High tx_id fee manipulation test_tx_id_fee_collision
Medium Missing box_id validation test_missing_box_id_validation
Medium Dust output attack test_dust_output_attack

Files Changed

  • node/utxo_db.py: 1-line fix (include fee in tx_id)
  • tests/test_utxo_bounty_vulnerabilities.py: 699 lines, 16 pass + 1 expected fail

Note

Wallet: RTC6d1f27d28961279f1034d9561c2403697eb55602

BossChaos added 2 commits May 5, 2026 02:52
@BossChaos
ci: disable workflow_dispatch for bottube-digest-bot (missing secrets)
f30766c
@BossChaos
fix(utxo): 6 security vulnerabilities + comprehensive PoC tests
6ac2710 
Critical:
- _allow_minting bypass (coinbase can mint arbitrary tokens)
- TOCTOU double-spend (race condition in UTXO consumption)

High:
- Coinbase cap overflow (no per-block minting limit)
- tx_id collision (fee not included, allows output substitution)

Medium:
- Missing box_id validation (invalid inputs accepted)
- Dust output attack (storage bloat)

Tests: 16 pass + 1 expected fail (PoC)
Signed-off-by: BossChaos <bosschaos@users.noreply.github.com>
@BossChaos BossChaos requested a review from Scottcjn as a code owner May 7, 2026 03:43
@github-actions github-actions Bot added BCOS-L1 Beacon Certified Open Source tier BCOS-L1 (required for non-doc PRs) node Node server related tests Test suite changes ci size/XL PR: 500+ lines labels May 7, 2026
@BossChaos BossChaos mentioned this pull request May 7, 2026
Open
@BossChaos BossChaos closed this May 7, 2026
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@Scottcjn Scottcjn Awaiting requested review from Scottcjn Scottcjn is a code owner

Assignees

No one assigned

Labels

BCOS-L1 Beacon Certified Open Source tier BCOS-L1 (required for non-doc PRs) ci node Node server related size/XL PR: 500+ lines tests Test suite changes

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

1 participant

@BossChaos