Prepared by:
HALBORN
Last Updated 11/07/2025
Date of Engagement: September 10th, 2025 - November 4th, 2025
100% of all REPORTED Findings have been addressed
All findings
68
Critical
5
High
9
Medium
31
Low
17
Informational
6
The security review was commissioned by VerifiedX and was performed by Halborn security engineers. The broad scope was defined as an L1 and related consensus code review of the VerifiedX-Core repository and related services, including assessment of legacy and active consensus paths, P2P services, cryptographic primitives, and node/validator networking. The purpose of the engagement was to identify security defects and recommend mitigations to harden consensus, networking, cryptography, and state-handling components.
The engagement required multiple specialist reviews and took place over the period captured in the supplied findings of 40 days. A cross-functional Halborn team was applied and manual review was emphasized alongside automated scans and unit-test verification. The principal goals were detection of cryptographic, consensus, networking, and input‑validation weaknesses and validation of remediations. The overall security posture of the codebase was strong after remediation activity: All issues flagged were fixed, legacy attack surface was removed, and multiple defensive controls were implemented. The most important fixes or improvements identified and confirmed as solved were:
Cryptography: ECDSA signing/verification was hardened (zero-component retries and public-key curve membership checks).
Consensus safety: V4 winner-selection determinism, parent-hash binding, fork-choice rules, and VRF tie/endian handling observations were addressed or documented.
Networking and authentication: Signed consensus metadata, nonce-based handshake protection, replay prevention, and address–publicKey binding were implemented.
Input validation and DoS hardening: JSON size/depth limits, safe parsing (TryParse), rate limiting, SignalRQueue global caps, and pre-validation checks for blocks and proofs were applied.
Legacy code removal: Deprecated consensus paths and unused methods that exposed theoretical risks were removed or guarded, reducing attack surface.
A consolidated remediation state of "Solved" was reported for all of the findings in the provided dataset.
The assessment was executed by sequencing discovery, targeted manual review, and automated analysis. Initial repository reconnaissance and scoping was performed to identify active execution paths versus legacy/unused code. Manual code review was then applied to high‑risk components (consensus, cryptography, P2P servers, and state application). Automated static analysis and unit-test review was used to surface parsing errors, unsafe APIs, and deserialization risks. A verification phase was performed where developer-supplied remediation comments, commits, and unit test results were examined to confirm fixes.
The phases were as follows:
Research and scoping: repository mapping and identification of active versus legacy code paths.
Manual secure-code review: focused inspection of consensus algorithms, ECDSA/Elliptic Curve handling, message parsing, handshake logic, and P2P endpoints.
Automated scans and tooling: static analyzers and JSON/serialization safety checks (details in Automated Testing section).
Remediation verification: confirmation of applied fixes via code comments, commit references, and unit-test evidence when provided.
A balance was maintained between manual and automated work: manual review was prioritized for design-level consensus and cryptography issues while automated checks were used to validate input-parsing, deserialization, and potential DoS vectors. Confidence in coverage was increased by cross-validating manual findings with remediation evidence and unit tests provided in the context data.
| EXPLOITABILITY METRIC () | METRIC VALUE | NUMERICAL VALUE |
|---|---|---|
| Attack Origin (AO) | Arbitrary (AO:A) Specific (AO:S) | 1 0.2 |
| Attack Cost (AC) | Low (AC:L) Medium (AC:M) High (AC:H) | 1 0.67 0.33 |
| Attack Complexity (AX) | Low (AX:L) Medium (AX:M) High (AX:H) | 1 0.67 0.33 |
| IMPACT METRIC () | METRIC VALUE | NUMERICAL VALUE |
|---|---|---|
| Confidentiality (C) | None (C:N) Low (C:L) Medium (C:M) High (C:H) Critical (C:C) | 0 0.25 0.5 0.75 1 |
| Integrity (I) | None (I:N) Low (I:L) Medium (I:M) High (I:H) Critical (I:C) | 0 0.25 0.5 0.75 1 |
| Availability (A) | None (A:N) Low (A:L) Medium (A:M) High (A:H) Critical (A:C) | 0 0.25 0.5 0.75 1 |
| Deposit (D) | None (D:N) Low (D:L) Medium (D:M) High (D:H) Critical (D:C) | 0 0.25 0.5 0.75 1 |
| Yield (Y) | None (Y:N) Low (Y:L) Medium (Y:M) High (Y:H) Critical (Y:C) | 0 0.25 0.5 0.75 1 |
| SEVERITY COEFFICIENT () | COEFFICIENT VALUE | NUMERICAL VALUE |
|---|---|---|
| Reversibility () | None (R:N) Partial (R:P) Full (R:F) | 1 0.5 0.25 |
| Scope () | Changed (S:C) Unchanged (S:U) | 1.25 1 |
| Severity | Score Value Range |
|---|---|
| Critical | 9 - 10 |
| High | 7 - 8.9 |
| Medium | 4.5 - 6.9 |
| Low | 2 - 4.4 |
| Informational | 0 - 1.9 |
Critical
5
High
9
Medium
31
Low
17
Informational
6
| Security analysis | Risk level | Remediation Date |
|---|---|---|
| Point validation logic returns inverted results | Critical | Solved - 09/25/2025 |
| Randomness manipulation via last-revealer due to linear CombineRandoms and weak commit/reveal | Critical | Solved - 11/02/2025 |
| Block validation counts retired signers toward majority while threshold uses current signers | Critical | Solved - 11/02/2025 |
| Foreign parent acceptance in proof validation | Critical | Solved - 11/02/2025 |
| Missing fork-choice policy enables persistent divergence | Critical | Solved - 11/02/2025 |
| Unauthenticated consensus metadata parsing allows state manipulation | High | Solved - 10/04/2025 |
| Unauthenticated peer state updates allow liveness disruption | High | Solved - 10/25/2025 |
| Unsigned consensus metadata allows client state manipulation | High | Solved - 10/25/2025 |
| Missing signature verification in ReceiveDownloadRequest | High | Solved - 10/26/2025 |
| Message signature check bypass for methodCode=0 | High | Solved - 11/02/2025 |
| Quorum computed from registered signers but waits use liveness | High | Solved - 11/02/2025 |
| Dynamic membership without per-round snapshot (shifting quorum threshold) | High | Solved - 11/02/2025 |
| Missing anti-equivocation detection enables double-voting | High | Solved - 11/02/2025 |
| Nondeterministic tie-handling in VRF selection | High | Solved - 11/02/2025 |
| Unrestricted deserialization of incoming proof lists | Medium | Solved - 10/04/2025 |
| Height calculation uses incorrect peer collection after validator connectivity check | Medium | Solved - 10/04/2025 |
| Authentication handshake vulnerable to replay attacks | Medium | Solved - 10/04/2025 |
| Uncaught parsing exception enables handshake denial of service | Medium | Solved - 10/04/2025 |
| Unauthenticated validator discovery enables network topology manipulation | Medium | Solved - 10/04/2025 |
| Unsafe string slicing on untrusted wallet version causes connection failures | Medium | Solved - 10/04/2025 |
| Address-based bans applied before authentication | Medium | Solved - 10/04/2025 |
| Unbounded field lengths in handshake and validator models | Medium | Solved - 10/04/2025 |
| Fire-and-forget broadcasts without error handling or flow control | Medium | Solved - 10/05/2025 |
| Missing validator role assertion in block reception | Medium | Solved - 10/05/2025 |
| Synchronous remote port check in handshake path | Medium | Solved - 10/25/2025 |
| Missing address–publicKey binding in validator handshake | Medium | Solved - 10/25/2025 |
| Silent exception handling hides abuse and operational faults | Medium | Solved - 10/25/2025 |
| Unbounded winner list responses without pagination or size limits | Medium | Solved - 10/25/2025 |
| Block broadcast not gated on validation success | Medium | Solved - 10/25/2025 |
| Excessive parallel requests and static backoff | Medium | Solved - 10/25/2025 |
| Unsafe response parsing risks exceptions and desynchronization | Medium | Solved - 10/25/2025 |
| Unchecked split-based parsing in message/hash endpoints | Medium | Solved - 10/25/2025 |
| Unbounded transaction broadcast list ingestion | Medium | Solved - 10/26/2025 |
| Unsafe timestamp parsing and missing nonce in handshake | Medium | Solved - 10/25/2025 |
| Inverted duplicate handling logic in task answer processing | Medium | Solved - 10/25/2025 |
| IP-only gating enables session hijack and misrouting | Medium | Solved - 10/25/2025 |
| Unsafe timestamp parsing and missing nonce in blockcaster handshake | Medium | Solved - 10/25/2025 |
| ReceiveBlockVal heavy path without SignalRQueue/DoS guard | Medium | Solved - 10/26/2025 |
| Aggressive parallelism/backoff in peer connections and updates | Medium | Solved - 10/25/2025 |
| IP-keyed session mapping enables hijack/misdirection | Medium | Solved - 10/25/2025 |
| DoS throttling weaknesses in SignalRQueue | Medium | Solved - 10/25/2025 |
| Transaction nonce ordering not enforced | Medium | Solved - 11/02/2025 |
| Reserve CallBack/Recover lack idempotence; locked balance underflow risk | Medium | Solved - 11/04/2025 |
| Missing fee floor and global mempool limits enable economic/space DoS | Medium | Solved - 11/04/2025 |
| Unbounded deserialization and missing cancellation/backpressure in NodeDataProcessor | Medium | Solved - 11/04/2025 |
| Signature generation lacks validation for zero components | Low | Solved - 09/25/2025 |
| Signature verification accepts off-curve public keys | Low | Solved - 09/25/2025 |
| Synchronous disposal blocks on asynchronous operations causing potential hangs | Low | Solved - 10/04/2025 |
| Missing DoS guard and rate limits on block reception | Low | Solved - 10/05/2025 |
| Missing pre-validation filters on block reception | Low | Solved - 10/05/2025 |
| Premature exit from majority calculation | Low | Solved - 10/25/2025 |
| Synchronous blocking on async disposal | Low | Solved - 10/25/2025 |
| Unbounded growth of message/hash caches | Low | Solved - 10/25/2025 |
| Pre-authentication state and balance validation | Low | Solved - 10/25/2025 |
| Signature reuse map grows without cleanup | Low | Solved - 10/25/2025 |
| Unsafe parsing operations in task answer processing | Low | Solved - 10/25/2025 |
| Unbounded JSON inputs and unsafe asset name handling | Low | Solved - 10/25/2025 |
| Blockcaster Handshake: Pre‑Authentication State/Balance Checks | Low | Solved - 10/25/2025 |
| Unsafe parsing and substring OOB | Low | Solved - 10/25/2025 |
| Payload fields not cryptographically bound to authenticated identity | Low | Solved - 10/25/2025 |
| TOCTTOU in per-IP queue accounting (ConnectionCount/BufferCost) | Low | Solved - 10/25/2025 |
| Transaction staleness check depends on download state | Low | Solved - 11/02/2025 |
| Documentation contains spelling errors and misleading descriptions | Informational | Solved - 09/25/2025 |
| Hardcoded timeouts and fixed delays without observability | Informational | Solved - 10/05/2025 |
| Unauthenticated validator list updates and weak binding checks | Informational | Solved - 10/25/2025 |
| Unbounded validator registry growth without pruning or TTL | Informational | Solved - 10/25/2025 |
| VRFNumber endianness dependency can cause cross-platform consensus splits | Informational | Solved - 11/03/2025 |
| V4 proof validation lacks committee membership and winner enforcement | Informational | Solved - 11/02/2025 |
//Critical
//Critical
//Critical
//Critical
//Critical
//High
//High
//High
//High
//High
//High
//High
//High
//High
//Medium
//Medium
//Medium
//Medium
//Medium
//Medium
//Medium
//Medium
//Medium
//Medium
//Medium
//Medium
//Medium
//Medium
//Medium
//Medium
//Medium
//Medium
//Medium
//Medium
//Medium
//Medium
//Medium
//Medium
//Medium
//Medium
//Medium
//Medium
//Medium
//Medium
//Medium
//Low
//Low
//Low
//Low
//Low
//Low
//Low
//Low
//Low
//Low
//Low
//Low
//Low
//Low
//Low
//Low
//Low
//Informational
//Informational
//Informational
//Informational
//Informational
//Informational
Halborn strongly recommends conducting a follow-up assessment of the project either within six months or immediately following any material changes to the codebase, whichever comes first. This approach is crucial for maintaining the project’s integrity and addressing potential vulnerabilities introduced by code modifications.
// Download the full report
VerifiedX Core
* Use Google Chrome for best results
** Check "Background Graphics" in the print settings if needed
