
fix: adversarial bug-hunt campaign — 10 confirmed defects (2 critical security) #28

Merged: Parad0x-Labs merged 1 commit into main from feat/nulla-bugfix-campaign-2026-06 on Jun 22, 2026

Conversation

@Parad0x-Labs (Owner)

Two max-agent adversarial hunts (16+ findings) → independent confirm passes (which also killed a false-positive 'ReDoS') → per-bug fix agents → adversarial review. 10 confirmed defects fixed, several in code shipped earlier this run. Every fix has a regression test that fails pre-fix, passes post-fix.

🔴 Critical

  • Confused-deputy escrow drain: /v1/tasks/<id>/complete took the payout wallet from the request body, letting any signed caller redirect the full escrow remainder. Now bound to the signed signer + persisted claimed_by (enforced; legacy rows safe).
  • Sandbox FS escape — the 'sandbox' confined network only, not the filesystem (proven: a job cat'd a secret outside the workspace). Added OS-independent path-arg confinement + macOS Seatbelt file-write-deny + Linux bwrap --ro-bind/--bind/--tmpfs (verified end-to-end on macOS: out-of-workspace write denied, in-workspace ok, network still denied, symlink-escape denied).

🟠 High

  • x402 receipt verifier checked the wrong account + wrong devnet mint (every real settlement fail-closed) → verify the credited ATA, select mint by mode.
  • Live x402 keypair built from 32 bytes (seed only) → correct solders keypair.
  • Peer self-declared trust_score via CAPABILITY_AD (Sybil/defame) → reject agent_id≠sender; self-reported value kept in a separate column never read by routing.
  • Escrow receipt-ID collisions dropped same-second money ops → unique IDs (explicit IDs stay idempotent).
  • Daemon worker semaphore leak; concurrent anchor-thread ALTER race; memory temporal-collapse merging distinct facts + FTS agent mis-tag; router create-file regex baking trailing text / dropping conjoined files.

Med/Low

rate-limiter unbounded dicts, USDC truncation, multi-ATA balance, network-guard flag-evasion.

Verification

Full suite 2312 passed (1 pre-existing env-only acceptance test unrelated; CI excludes it). ruff clean. publicnode-only, no new hardcoded ids, no secrets.

Deferred to a follow-up (held to avoid colliding with the escrow-drain fix on the same file): the credit_ledger escrow release/refund-mutates-ALL-rows-sharing-parent_task_id critical (LIMIT-1 read vs UPDATE-all).

…oney/memory/concurrency)

Two max-agent adversarial hunts + independent confirm passes found these in the
live tree (several in code shipped earlier this run); each fix has a regression
test that fails pre-fix and passes post-fix; all adversarially reviewed.

CRITICAL
- Confused-deputy escrow drain: /v1/tasks/<id>/complete took the payout wallet from
  the request BODY; now bound to the SIGNED signer + persisted claimed_by (enforced).
- Sandbox FS escape: 'sandbox' confined network only, not filesystem. Add OS-independent
  path-arg confinement + macOS Seatbelt file-write-deny-outside-workspace + Linux bwrap
  --ro-bind/--bind/--tmpfs; plus a network-guard global-flag evasion fix.

HIGH
- Escrow receipt-id collisions: second-granular auto ids dropped same-second money ops
  -> unique uuid ids (explicit ids stay idempotent).
- x402 receipt verifier checked recipient WALLET not the credited account + wrong mint
  for devnet -> select mint by mode, verify the right ATA, fail-closed.
- Live x402 keypair built from 32 bytes (seed only) -> correct solders keypair.
- Peer self-declared trust_score via CAPABILITY_AD -> reject agent_id!=sender; trust kept
  in a separate self_reported_trust column, never read by routing/abuse gates.
- Daemon worker semaphore permit leaked on Thread.start() failure -> released.
- Concurrent anchor threads collided on a runtime ALTER -> column in the schema DDL.
- Memory temporal-collapse merged distinct facts on cosine alone -> require token-overlap;
  FTS backfill mis-tagged agent_id -> per-node agent_id.
- Router create-file regex baked trailing instructions into content / dropped conjoined
  second files -> bounded capture + conjoined split.

MED/LOW: rate-limiter unbounded dicts, USDC truncation, multi-ATA balance, network-guard.
(One swarm-reported 'ReDoS' was a false positive — confirm pass could not reproduce it.)

Full suite: 2312 passed (1 pre-existing env-only acceptance test unrelated). ruff clean.
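The confused-deputy escrow drain above is a pattern worth seeing in code. The block below is an added example, not code from the PR or the project: the `Task` and `SignedRequest` types, the handler names and the legacy-row rule are hypothetical stand-ins that model the behaviour the PR describes (payout wallet read from the caller-controlled body versus payout bound to the signed caller and the persisted claimant), and the scenario function is shaped like the PR's regression tests, failing on the "before" handler and passing on the "after" one.

```python
"""Confused-deputy escrow payout: the 'before' and 'after' shapes of the fix.

Added example, not code from the PR or the project. Types, function names and the
legacy-row handling are hypothetical. The point: a request signature proves *who*
signed, so the payout destination must be derived from the signer and checked
against the persisted claimant, never taken from the body.
"""
from dataclasses import dataclass, field
from typing import Optional


class PayoutDenied(Exception):
    """Raised when a completion request is not entitled to the escrow remainder."""


@dataclass
class Task:
    task_id: str
    escrow_remaining: int            # smallest units; constructed values below
    claimed_by: Optional[str]        # wallet recorded at claim time; None on legacy rows
    paid_out: dict = field(default_factory=dict)


@dataclass
class SignedRequest:
    signer: str   # wallet whose signature over the request has already been verified
    body: dict    # caller-controlled JSON body


def complete_task_vulnerable(task: Task, req: SignedRequest) -> int:
    """'Before': payout wallet comes from the caller-controlled body.

    The signature only proves that *some* key holder signed. Nothing binds
    payout_wallet to that key or to the worker who claimed the task, so any
    signed caller redirects the full remainder to a wallet of their choosing.
    """
    wallet = req.body["payout_wallet"]
    amount = task.escrow_remaining
    task.escrow_remaining = 0
    task.paid_out[wallet] = task.paid_out.get(wallet, 0) + amount
    return amount


def complete_task_fixed(task: Task, req: SignedRequest) -> int:
    """'After': payout is bound to the signed caller and the persisted claimant.

    A body-supplied payout_wallet never routes money; if present and different from
    the signer it is rejected outright. Legacy rows (claimed_by is None) are, as an
    assumption about how 'legacy rows safe' might be done, bound to the signer at
    completion time rather than trusting the body.
    """
    body_wallet = req.body.get("payout_wallet")
    if body_wallet is not None and body_wallet != req.signer:
        raise PayoutDenied("payout_wallet in body does not match the signed caller")
    if task.claimed_by is None:
        task.claimed_by = req.signer            # assumption: bind legacy row now
    elif task.claimed_by != req.signer:
        raise PayoutDenied("signer is not the recorded claimant of this task")
    wallet = req.signer                          # the only wallet money may go to
    amount = task.escrow_remaining
    task.escrow_remaining = 0
    task.paid_out[wallet] = task.paid_out.get(wallet, 0) + amount
    return amount


def regression_scenario() -> dict:
    """Constructed scenario: worker 'W' claimed the task; attacker 'A' holds any valid key."""
    escrow = 5_000_000
    attacker = SignedRequest(signer="A", body={"payout_wallet": "A"})
    attacker_quiet = SignedRequest(signer="A", body={})     # no body wallet, still not claimant
    worker = SignedRequest(signer="W", body={})

    before = Task("t1", escrow, claimed_by="W")
    drained = complete_task_vulnerable(before, attacker)

    after = Task("t1", escrow, claimed_by="W")
    denied = 0
    for req in (attacker, attacker_quiet):
        try:
            complete_task_fixed(after, req)
        except PayoutDenied:
            denied += 1
    escrow_after_attacks = after.escrow_remaining
    worker_paid = complete_task_fixed(after, worker)

    legacy = Task("t2", escrow, claimed_by=None)
    complete_task_fixed(legacy, worker)

    return {
        "vulnerable_attacker_received": drained,
        "fixed_attacks_denied": denied,
        "fixed_escrow_after_attacks": escrow_after_attacks,
        "fixed_worker_received": worker_paid,
        "fixed_attacker_received": after.paid_out.get("A", 0),
        "legacy_bound_to": legacy.claimed_by,
    }
```

The check that matters is the second `raise`: even with the body wallet ignored, a signed caller who is not the persisted `claimed_by` must be refused, otherwise binding payout to the signer merely changes who the attacker pays (themselves).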
Parad0x-Labs merged commit a66e248 into main on Jun 22, 2026
7 checks passed
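The sandbox finding is the other one practitioners tend to get wrong: a network-only sandbox plus a path check on how an argument is *spelled* still lets a symlink inside the workspace point at a secret outside it. The block below is an added example, not code from the PR or the project; `confine_path` and `confine_argv` are hypothetical stand-ins for the "OS-independent path-arg confinement" layer the PR describes, and the workspace layout in `escape_demo` is constructed for the demonstration.

```python
"""Path-argument confinement with symlink-escape denial.

Added example, not code from the PR or the project. confine_path() resolves each
path argument against the workspace and refuses anything whose *real* path lands
outside it, so '..' hops, absolute paths and in-workspace symlinks that point out
are all rejected before a job is started.
"""
import os
import tempfile


class PathEscape(Exception):
    """Raised for a path argument that resolves outside the workspace."""


def confine_path(workspace: str, candidate: str) -> str:
    """Return the resolved absolute path for candidate, or raise PathEscape.

    realpath() follows symlinks and normalises '..', so the decision is made on
    where the path actually lands, not on how it was written. An absolute
    candidate replaces the workspace in os.path.join, which is the intended
    behaviour: it is then judged on its own resolved location.
    """
    ws = os.path.realpath(workspace)
    target = os.path.realpath(os.path.join(ws, candidate))
    if os.path.commonpath([ws, target]) != ws:
        raise PathEscape(f"{candidate!r} resolves to {target!r}, outside {ws!r}")
    return target


def confine_argv(workspace: str, argv: list) -> list:
    """Confine every non-flag argument (assumption: anything not starting with '-'
    is a path). Raises on the first escape so the job never runs."""
    return [a if a.startswith("-") else confine_path(workspace, a) for a in argv]


def escape_demo() -> dict:
    """Constructed layout: <tmp>/workspace and <tmp>/secret.txt outside it, plus a
    symlink inside the workspace pointing at the secret (the 'cat'd a secret' case)."""
    root = tempfile.mkdtemp()
    ws = os.path.join(root, "workspace")
    os.makedirs(os.path.join(ws, "sub"))
    secret = os.path.join(root, "secret.txt")
    with open(secret, "w") as fh:
        fh.write("constructed secret, must stay unreadable\n")
    os.symlink(secret, os.path.join(ws, "link_to_secret"))

    probes = {
        "plain_file": "notes.txt",            # inside, may not exist yet
        "dotdot_inside": "sub/../notes.txt",  # '..' that stays inside
        "workspace_root": ".",
        "dotdot_escape": "../secret.txt",     # '..' that leaves
        "absolute_escape": secret,            # absolute path outside
        "symlink_escape": "link_to_secret",   # spelled inside, resolves outside
    }
    results = {}
    for label, cand in probes.items():
        try:
            confine_path(ws, cand)
            results[label] = "allowed"
        except PathEscape:
            results[label] = "denied"

    argv = confine_argv(ws, ["-n", "notes.txt"])
    results["argv_flag_preserved"] = argv[0] == "-n" and argv[1].startswith(os.path.realpath(ws))
    return results
```

Caveat a reviewer would raise: a realpath-based argument check is a pre-flight filter, not an enforcement boundary. It cannot see paths the job opens later (read from stdin, built at runtime, or via a symlink swapped in after the check), which is why the PR layers it under OS-level controls (Seatbelt file-write-deny on macOS, bwrap `--ro-bind`/`--bind`/`--tmpfs` on Linux) rather than relying on it alone.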