fix: adversarial bug-hunt campaign — 10 confirmed defects (2 critical security) #28
Merged
…oney/memory/concurrency) Two max-agent adversarial hunts + independent confirm passes found these in the live tree (several in code shipped earlier this run); each fix has a regression test that fails pre-fix and passes post-fix; all adversarially reviewed.

CRITICAL
- Confused-deputy escrow drain: /v1/tasks/<id>/complete took the payout wallet from the request BODY; now bound to the SIGNED signer + persisted claimed_by (enforced).
- Sandbox FS escape: 'sandbox' confined network only, not filesystem. Add OS-independent path-arg confinement + macOS Seatbelt file-write-deny-outside-workspace + Linux bwrap --ro-bind/--bind/--tmpfs; plus a network-guard global-flag evasion fix.

HIGH
- Escrow receipt-id collisions: second-granular auto ids dropped same-second money ops -> unique uuid ids (explicit ids stay idempotent).
- x402 receipt verifier checked recipient WALLET not the credited account + wrong mint for devnet -> select mint by mode, verify the right ATA, fail-closed.
- Live x402 keypair built from 32 bytes (seed only) -> correct solders keypair.
- Peer self-declared trust_score via CAPABILITY_AD -> reject agent_id!=sender; trust kept in a separate self_reported_trust column, never read by routing/abuse gates.
- Daemon worker semaphore permit leaked on Thread.start() failure -> released.
- Concurrent anchor threads collided on a runtime ALTER -> column in the schema DDL.
- Memory temporal-collapse merged distinct facts on cosine alone -> require token-overlap; FTS backfill mis-tagged agent_id -> per-node agent_id.
- Router create-file regex baked trailing instructions into content / dropped conjoined second files -> bounded capture + conjoined split.

MED/LOW: rate-limiter unbounded dicts, USDC truncation, multi-ATA balance, network-guard.

(One swarm-reported 'ReDoS' was a false positive — confirm pass could not reproduce it.)

Full suite: 2312 passed (1 pre-existing env-only acceptance test unrelated). ruff clean.
Two max-agent adversarial hunts (16+ findings) → independent confirm passes (which also killed a false-positive 'ReDoS') → per-bug fix agents → adversarial review. 10 confirmed defects fixed, several in code shipped earlier this run. Every fix has a regression test that fails pre-fix, passes post-fix.
🔴 Critical

- `/v1/tasks/<id>/complete` took the payout wallet from the request body, letting any signed caller redirect the full escrow remainder. Now bound to the signed signer + persisted `claimed_by` (enforced; legacy rows safe).
- … cat'd a secret outside the workspace). Added OS-independent path-arg confinement + macOS Seatbelt file-write-deny + Linux bwrap `--ro-bind`/`--bind`/`--tmpfs` (verified end-to-end on macOS: out-of-workspace write denied, in-workspace ok, network still denied, symlink-escape denied).

🟠 High

- … `agent_id` ≠ sender; self-reported value kept in a separate column never read by routing.

Med/Low

rate-limiter unbounded dicts, USDC truncation, multi-ATA balance, network-guard flag-evasion.
Verification
Full suite 2312 passed (1 pre-existing env-only acceptance test unrelated; CI excludes it). ruff clean. publicnode-only, no new hardcoded ids, no secrets.
Deferred to a follow-up (held to avoid colliding with the escrow-drain fix on the same file): the `credit_ledger` escrow release/refund-mutates-ALL-rows-sharing-`parent_task_id` critical (LIMIT-1 read vs UPDATE-all).
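The confused-deputy escrow drain on `/v1/tasks/<id>/complete` is the pattern worth seeing side by side: a handler that trusts a payout destination from the request body next to one that derives it from the verified signer and checks it against the persisted `claimed_by`. This is an added illustration, not code from this PR or the project; the in-memory `Task`/`Store` types, the `Forbidden` error, and the treatment of legacy rows (no `claimed_by`, so the signer is paid) are assumptions for the example. `signer` stands for the identity already recovered from the request's verified signature.

```python
"""Added example (not the PR's code): the confused-deputy shape described for
/v1/tasks/<id>/complete, as a vulnerable handler beside the hardened one.
The storage model, request shape and error type are constructed here."""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple


class Forbidden(Exception):
    """Raised when the completing signer is not the agent that claimed the task."""


@dataclass
class Task:
    task_id: str
    escrow_remaining: int                     # constructed: escrow balance in minor units
    claimed_by: Optional[str] = None          # wallet persisted at claim time (None = legacy row)
    payouts: List[Tuple[str, int]] = field(default_factory=list)


@dataclass
class Store:
    tasks: Dict[str, Task] = field(default_factory=dict)


def complete_task_vulnerable(store: Store, task_id: str, signer: str, body: dict) -> str:
    """Pre-fix shape: the payout wallet is read from the request body, so any
    caller whose signature verifies can name an arbitrary destination."""
    task = store.tasks[task_id]
    payout_wallet = body["payout_wallet"]      # caller-controlled, never checked
    task.payouts.append((payout_wallet, task.escrow_remaining))
    task.escrow_remaining = 0
    return payout_wallet


def complete_task_hardened(store: Store, task_id: str, signer: str, body: dict) -> str:
    """Post-fix shape: the payout goes to the verified signer, and the signer
    must match the persisted claimed_by. The body cannot choose the destination."""
    task = store.tasks[task_id]
    if task.claimed_by is not None and task.claimed_by != signer:
        raise Forbidden(f"{signer!r} did not claim task {task_id!r}")
    # Assumption for legacy rows (claimed_by unset): still pay the signer,
    # never a body-supplied wallet.
    payout_wallet = signer
    task.payouts.append((payout_wallet, task.escrow_remaining))
    task.escrow_remaining = 0
    return payout_wallet


if __name__ == "__main__":
    store = Store()
    store.tasks["t1"] = Task("t1", escrow_remaining=1000, claimed_by="worker")
    try:
        complete_task_hardened(store, "t1", "other", {"payout_wallet": "other"})
    except Forbidden as exc:
        print("rejected:", exc)
    print("paid to:", complete_task_hardened(store, "t1", "worker", {"payout_wallet": "other"}))
```

The regression test the PR describes maps directly onto these two functions: the same request that succeeds against the vulnerable handler must raise `Forbidden` against the hardened one and leave `escrow_remaining` untouched.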
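The peer trust-score fix has two halves that are easy to get wrong separately: rejecting a `CAPABILITY_AD` whose `agent_id` is not the message sender, and keeping whatever a peer says about itself in a column that routing never reads. The following is an added example, not this PR's or the project's code; the message shape, the `PeerRecord` type, the local outcome-based scoring rule and the routing choice are all constructed for the illustration.

```python
"""Added example (not the PR's code): handling a peer CAPABILITY_AD so that a
self-declared trust_score can never influence routing. Message fields, the
peer record and the local scoring rule are constructed for this illustration."""
from dataclasses import dataclass, field
from typing import Dict, List, Optional


class RejectedAd(Exception):
    """Raised when a CAPABILITY_AD claims an identity other than its sender."""


@dataclass
class PeerRecord:
    agent_id: str
    capabilities: List[str] = field(default_factory=list)
    # Computed locally from observed outcomes; the only trust column routing reads.
    trust_score: float = 0.0
    # What the peer claimed about itself; retained for audit, never read by routing.
    self_reported_trust: Optional[float] = None


def handle_capability_ad(peers: Dict[str, PeerRecord], sender: str, msg: dict) -> PeerRecord:
    """Accept an ad only from the agent it describes; quarantine its trust claim."""
    if msg.get("type") != "CAPABILITY_AD":
        raise ValueError("not a CAPABILITY_AD")
    if msg.get("agent_id") != sender:
        raise RejectedAd(f"agent_id {msg.get('agent_id')!r} != sender {sender!r}")
    rec = peers.setdefault(sender, PeerRecord(agent_id=sender))
    rec.capabilities = list(msg.get("capabilities", []))
    rec.self_reported_trust = msg.get("trust_score")   # stored, not trusted
    return rec


def record_outcome(peers: Dict[str, PeerRecord], agent_id: str, success: bool) -> float:
    """Constructed local rule: +0.1 per success, -0.2 per failure, clamped to [0, 1]."""
    rec = peers[agent_id]
    delta = 0.1 if success else -0.2
    rec.trust_score = min(1.0, max(0.0, rec.trust_score + delta))
    return rec.trust_score


def pick_route(peers: Dict[str, PeerRecord], capability: str) -> Optional[str]:
    """Choose the highest locally-scored peer advertising the capability.
    Only trust_score is consulted; self_reported_trust is never read here."""
    candidates = [r for r in peers.values() if capability in r.capabilities]
    if not candidates:
        return None
    return max(candidates, key=lambda r: r.trust_score).agent_id


if __name__ == "__main__":
    peers: Dict[str, PeerRecord] = {}
    handle_capability_ad(peers, "bob", {"type": "CAPABILITY_AD", "agent_id": "bob",
                                        "capabilities": ["ocr"], "trust_score": 0.99})
    handle_capability_ad(peers, "alice", {"type": "CAPABILITY_AD", "agent_id": "alice",
                                          "capabilities": ["ocr"]})
    for _ in range(3):
        record_outcome(peers, "alice", True)
    print("route ocr to:", pick_route(peers, "ocr"))   # alice, despite bob's 0.99 claim
```

A peer that advertises a high `trust_score` gets no advantage over one that earned a modest local score, and an ad that names a different `agent_id` than its sender is rejected before it can touch either column.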