Solutions

Company

Resources

Blog

Contact

Login

    • Assurance

      Smart Contract Assessment

      Securing code integrity, protecting digital assets

      Blockchain Layer 1 Assessment

      Assessing protocols, securing blockchain foundations

      Code Security Audit

      Uncovering flaws, strengthening software integrity

      Web Application Penetration Testing

      Exposing weaknesses, fortifying digital defenses

      Cloud Infrastructure Penetration Testing

      Securing configurations, protecting critical environments

      Red Team Exercise

      Simulating real-world attacks, strengthening defenses

      AI Red Teaming

      Testing AI systems against real threats

      AI Security Assessment

      Securing AI models, data, and pipelines

    • Advisory

      AI Advisory

      Guiding secure, strategic AI adoption forward

      Risk Assessment

      From unknown threats to actionable insights

      Blockchain Architecture Assessment

      Optimizing architecture for tomorrow’s networks

      Compliance Readiness

      Stay ready as regulations evolve

      Custody and Key Management Assessment

      Securing the heart of digital custody

      Technical Due Diligence

      See the risks before you invest

      Technical Training

      Empower your teams to secure what matters

    • Who We Are

      The best security engineers in the world

      Careers

      Work with the elite

      Who Trusts Us

      The trusted security advisor for blockchain and financial services industries

      Brand

      Access official logos, fonts, and guidelines

      Service Commitments

      Committed to Protecting Your Data

    • Audits

      In-depth evaluations of smart contracts and blockchain infrastructures

      BVSS

      Blockchain Vulnerability Scoring System

      Disclosures

      All the latest vulnerabilities discovered by Halborn

      Case Studies

      How Halborn’s solutions have empowered clients to overcome security issues

      Reports

      Comprehensive reports and data

  • Blog

  • Contact

  • Login

THIS WEBSITE USES COOKIES

We use cookies to personalise content and ads, to provide social media features and to analyse our traffic. We also share information about your use of our site with our social media, advertising and analytics partners who may combine it with other information that you've provided to them or that they've collected from your use of their services. You consent to our cookies if you continue to use our website. Learn More.

STAY CURRENT WITH HALBORN

Subscribe to the monthly Halborn Digest for our top blogs and videos, major company announcements, new whitepapers, webinar and event invites, and one exclusive interview.

ADVISORY SERVICES

AI AdvisoryRisk AssessmentBlockchain Architecture AssessmentCompliance ReadinessCustody and Key Management AssessmentTechnical Due DiligenceTechnical Training

ASSURANCE SERVICES

AI Security AssessmentAI Red TeamingSmart Contract AssessmentBlockchain Layer 1 AssessmentCode Security AuditWeb Application Penetration TestingCloud Infrastructure Penetration TestingRed Team Exercise

COMPANY

Who We AreWho Trusts UsService CommitmentsCareersBrandBlogContact

RESOURCES

AuditsDisclosuresReportsBVSSCase Studies
Halborn Logo
Privacy PolicyTerms of UseVulnerability Disclosure Policy

© Halborn 2025. All rights reserved.

Background

// Security Assessment

09.10.2025 - 11.04.2025

VerifiedX Core

VerifiedX

Halborn logotext
← Back to Audits

VerifiedX Core - VerifiedX

Prepared by:

Halborn Logo

HALBORN

Last Updated 11/07/2025

Date of Engagement: September 10th, 2025 - November 4th, 2025

Summary

100% of all REPORTED Findings have been addressed

All findings

68

Critical

5

High

9

Medium

31

Low

17

Informational

6

Table of Contents

  • 1. Introduction
  • 2. Assessment summary
  • 3. Test approach and methodology
  • 4. Risk methodology
  • 5. Scope
  • 6. Assessment summary & findings overview
  • 7. Findings & Tech Details
    1. 7.1 Point validation logic returns inverted results
    2. 7.2 Randomness manipulation via last-revealer due to linear combinerandoms and weak commit/reveal
    3. 7.3 Block validation counts retired signers toward majority while threshold uses current signers
    4. 7.4 Foreign parent acceptance in proof validation
    5. 7.5 Missing fork-choice policy enables persistent divergence
    6. 7.6 Unauthenticated consensus metadata parsing allows state manipulation
    7. 7.7 Unauthenticated peer state updates allow liveness disruption
    8. 7.8 Unsigned consensus metadata allows client state manipulation
    9. 7.9 Missing signature verification in receivedownloadrequest
    10. 7.10 Message signature check bypass for methodcode=0
    11. 7.11 Quorum computed from registered signers but waits use liveness
    12. 7.12 Dynamic membership without per-round snapshot (shifting quorum threshold)
    13. 7.13 Missing anti-equivocation detection enables double-voting
    14. 7.14 Nondeterministic tie-handling in vrf selection
    15. 7.15 Unrestricted deserialization of incoming proof lists
    16. 7.16 Height calculation uses incorrect peer collection after validator connectivity check
    17. 7.17 Authentication handshake vulnerable to replay attacks
    18. 7.18 Uncaught parsing exception enables handshake denial of service
    19. 7.19 Unauthenticated validator discovery enables network topology manipulation
    20. 7.20 Unsafe string slicing on untrusted wallet version causes connection failures
    21. 7.21 Address-based bans applied before authentication
    22. 7.22 Unbounded field lengths in handshake and validator models
    23. 7.23 Fire-and-forget broadcasts without error handling or flow control
    24. 7.24 Missing validator role assertion in block reception
    25. 7.25 Synchronous remote port check in handshake path
    26. 7.26 Missing address–publickey binding in validator handshake
    27. 7.27 Silent exception handling hides abuse and operational faults
    28. 7.28 Unbounded winner list responses without pagination or size limits
    29. 7.29 Block broadcast not gated on validation success
    30. 7.30 Excessive parallel requests and static backoff
    31. 7.31 Unsafe response parsing risks exceptions and desynchronization
    32. 7.32 Unchecked split-based parsing in message/hash endpoints
    33. 7.33 Unbounded transaction broadcast list ingestion
    34. 7.34 Unsafe timestamp parsing and missing nonce in handshake
    35. 7.35 Inverted duplicate handling logic in task answer processing
    36. 7.36 Ip-only gating enables session hijack and misrouting
    37. 7.37 Unsafe timestamp parsing and missing nonce in blockcaster handshake
    38. 7.38 Receiveblockval heavy path without signalrqueue/dos guard
    39. 7.39 Aggressive parallelism/backoff in peer connections and updates
    40. 7.40 Ip-keyed session mapping enables hijack/misdirection
    41. 7.41 Dos throttling weaknesses in signalrqueue
    42. 7.42 Transaction nonce ordering not enforced
    43. 7.43 Reserve callback/recover lack idempotence; locked balance underflow risk
    44. 7.44 Missing fee floor and global mempool limits enable economic/space dos
    45. 7.45 Unbounded deserialization and missing cancellation/backpressure in nodedataprocessor
    46. 7.46 Signature generation lacks validation for zero components
    47. 7.47 Signature verification accepts off-curve public keys
    48. 7.48 Synchronous disposal blocks on asynchronous operations causing potential hangs
    49. 7.49 Missing dos guard and rate limits on block reception
    50. 7.50 Missing pre-validation filters on block reception
    51. 7.51 Premature exit from majority calculation
    52. 7.52 Synchronous blocking on async disposal
    53. 7.53 Unbounded growth of message/hash caches
    54. 7.54 Pre-authentication state and balance validation
    55. 7.55 Signature reuse map grows without cleanup
    56. 7.56 Unsafe parsing operations in task answer processing
    57. 7.57 Unbounded json inputs and unsafe asset name handling
    58. 7.58 Blockcaster handshake: pre‑authentication state/balance checks
    59. 7.59 Unsafe parsing and substring oob
    60. 7.60 Payload fields not cryptographically bound to authenticated identity
    61. 7.61 Tocttou in per-ip queue accounting (connectioncount/buffercost)
    62. 7.62 Transaction staleness check depends on download state
    63. 7.63 Documentation contains spelling errors and misleading descriptions
    64. 7.64 Hardcoded timeouts and fixed delays without observability
    65. 7.65 Unauthenticated validator list updates and weak binding checks
    66. 7.66 Unbounded validator registry growth without pruning or ttl
    67. 7.67 Vrfnumber endianness dependency can cause cross-platform consensus splits
    68. 7.68 V4 proof validation lacks committee membership and winner enforcement

1. Introduction

The security review was commissioned by VerifiedX and was performed by Halborn security engineers. The broad scope was defined as an L1 and related consensus code review of the VerifiedX-Core repository and related services, including assessment of legacy and active consensus paths, P2P services, cryptographic primitives, and node/validator networking. The purpose of the engagement was to identify security defects and recommend mitigations to harden consensus, networking, cryptography, and state-handling components.

2. Assessment Summary

The engagement required multiple specialist reviews and took place over the period captured in the supplied findings of 40 days. A cross-functional Halborn team was applied and manual review was emphasized alongside automated scans and unit-test verification. The principal goals were detection of cryptographic, consensus, networking, and input‑validation weaknesses and validation of remediations. The overall security posture of the codebase was strong after remediation activity: All issues flagged were fixed, legacy attack surface was removed, and multiple defensive controls were implemented. The most important fixes or improvements identified and confirmed as solved were:

    • Cryptography: ECDSA signing/verification was hardened (zero-component retries and public-key curve membership checks).

    • Consensus safety: V4 winner-selection determinism, parent-hash binding, fork-choice rules, and VRF tie/endian handling observations were addressed or documented.

    • Networking and authentication: Signed consensus metadata, nonce-based handshake protection, replay prevention, and address–publicKey binding were implemented.

    • Input validation and DoS hardening: JSON size/depth limits, safe parsing (TryParse), rate limiting, SignalRQueue global caps, and pre-validation checks for blocks and proofs were applied.

    • Legacy code removal: Deprecated consensus paths and unused methods that exposed theoretical risks were removed or guarded, reducing attack surface.

A consolidated remediation state of "Solved" was reported for all of the findings in the provided dataset.

3. Test Approach and Methodology

The assessment was executed by sequencing discovery, targeted manual review, and automated analysis. Initial repository reconnaissance and scoping was performed to identify active execution paths versus legacy/unused code. Manual code review was then applied to high‑risk components (consensus, cryptography, P2P servers, and state application). Automated static analysis and unit-test review was used to surface parsing errors, unsafe APIs, and deserialization risks. A verification phase was performed where developer-supplied remediation comments, commits, and unit test results were examined to confirm fixes.

The phases were as follows:

    • Research and scoping: repository mapping and identification of active versus legacy code paths.

    • Manual secure-code review: focused inspection of consensus algorithms, ECDSA/Elliptic Curve handling, message parsing, handshake logic, and P2P endpoints.

    • Automated scans and tooling: static analyzers and JSON/serialization safety checks (details in Automated Testing section).

    • Remediation verification: confirmation of applied fixes via code comments, commit references, and unit-test evidence when provided.

A balance was maintained between manual and automated work: manual review was prioritized for design-level consensus and cryptography issues while automated checks were used to validate input-parsing, deserialization, and potential DoS vectors. Confidence in coverage was increased by cross-validating manual findings with remediation evidence and unit tests provided in the context data.

4. RISK METHODOLOGY

Every vulnerability and issue observed by Halborn is ranked based on two sets of Metrics and a Severity Coefficient. This system is inspired by the industry standard Common Vulnerability Scoring System.
The two Metric sets are: Exploitability and Impact. Exploitability captures the ease and technical means by which vulnerabilities can be exploited and Impact describes the consequences of a successful exploit.
The Severity Coefficients is designed to further refine the accuracy of the ranking with two factors: Reversibility and Scope. These capture the impact of the vulnerability on the environment as well as the number of users and smart contracts affected.
The final score is a value between 0-10 rounded up to 1 decimal place and 10 corresponding to the highest security risk. This provides an objective and accurate rating of the severity of security vulnerabilities in smart contracts.
The system is designed to assist in identifying and prioritizing vulnerabilities based on their level of risk to address the most critical issues in a timely manner.

4.1 EXPLOITABILITY

Attack Origin (AO):
Captures whether the attack requires compromising a specific account.
Attack Cost (AC):
Captures the cost of exploiting the vulnerability incurred by the attacker relative to sending a single transaction on the relevant blockchain. Includes but is not limited to financial and computational cost.
Attack Complexity (AX):
Describes the conditions beyond the attacker’s control that must exist in order to exploit the vulnerability. Includes but is not limited to macro situation, available third-party liquidity and regulatory challenges.
Metrics:
EXPLOITABILITY METRIC (mem_eme​)METRIC VALUENUMERICAL VALUE
Attack Origin (AO)Arbitrary (AO:A)
Specific (AO:S)		1
0.2
Attack Cost (AC)Low (AC:L)
Medium (AC:M)
High (AC:H)		1
0.67
0.33
Attack Complexity (AX)Low (AX:L)
Medium (AX:M)
High (AX:H)		1
0.67
0.33
Exploitability EEE is calculated using the following formula:

E=∏meE = \prod m_eE=∏me​

4.2 IMPACT

Confidentiality (C):
Measures the impact to the confidentiality of the information resources managed by the contract due to a successfully exploited vulnerability. Confidentiality refers to limiting access to authorized users only.
Integrity (I):
Measures the impact to integrity of a successfully exploited vulnerability. Integrity refers to the trustworthiness and veracity of data stored and/or processed on-chain. Integrity impact directly affecting Deposit or Yield records is excluded.
Availability (A):
Measures the impact to the availability of the impacted component resulting from a successfully exploited vulnerability. This metric refers to smart contract features and functionality, not state. Availability impact directly affecting Deposit or Yield is excluded.
Deposit (D):
Measures the impact to the deposits made to the contract by either users or owners.
Yield (Y):
Measures the impact to the yield generated by the contract for either users or owners.
Metrics:
IMPACT METRIC (mIm_ImI​)METRIC VALUENUMERICAL VALUE
Confidentiality (C)None (C:N)
Low (C:L)
Medium (C:M)
High (C:H)
Critical (C:C)		0
0.25
0.5
0.75
1
Integrity (I)None (I:N)
Low (I:L)
Medium (I:M)
High (I:H)
Critical (I:C)		0
0.25
0.5
0.75
1
Availability (A)None (A:N)
Low (A:L)
Medium (A:M)
High (A:H)
Critical (A:C)		0
0.25
0.5
0.75
1
Deposit (D)None (D:N)
Low (D:L)
Medium (D:M)
High (D:H)
Critical (D:C)		0
0.25
0.5
0.75
1
Yield (Y)None (Y:N)
Low (Y:L)
Medium (Y:M)
High (Y:H)
Critical (Y:C)		0
0.25
0.5
0.75
1
Impact III is calculated using the following formula:

I=max(mI)+∑mI−max(mI)4I = max(m_I) + \frac{\sum{m_I} - max(m_I)}{4}I=max(mI​)+4∑mI​−max(mI​)​

4.3 SEVERITY COEFFICIENT

Reversibility (R):
Describes the share of the exploited vulnerability effects that can be reversed. For upgradeable contracts, assume the contract private key is available.
Scope (S):
Captures whether a vulnerability in one vulnerable contract impacts resources in other contracts.
Metrics:
SEVERITY COEFFICIENT (CCC)COEFFICIENT VALUENUMERICAL VALUE
Reversibility (rrr)None (R:N)
Partial (R:P)
Full (R:F)		1
0.5
0.25
Scope (sss)Changed (S:C)
Unchanged (S:U)		1.25
1
Severity Coefficient CCC is obtained by the following product:

C=rsC = rsC=rs

The Vulnerability Severity Score SSS is obtained by:

S=min(10,EIC∗10)S = min(10, EIC * 10)S=min(10,EIC∗10)

The score is rounded up to 1 decimal places.
SeverityScore Value Range
Critical9 - 10
High7 - 8.9
Medium4.5 - 6.9
Low2 - 4.4
Informational0 - 1.9

5. SCOPE

REPOSITORY
(a) Repository: VerifiedX-Core
(b) Assessed Commit ID: dd57121
(c) Items in scope:
  • Scope Overview
  • Primary Directories & Files
  • P2P/ (8,000+ lines)
  • P2P networking
  • Consensus protocols
  • Services/
  • BlockValidator* (1,500+ lines)
  • - Block validation logic
  • TransactionValidator* (2,100+ lines)
  • - Transaction validation
  • Consensus*
  • - Consensus protocol implementation
  • Data/
  • StateData.cs (2,200+ lines)
  • - State management
  • BlockchainData.cs
  • - Blockchain data operations
  • Nodes/ (4,000+ lines)
  • Node processing logic
  • Models/
  • Block.cs
  • Blockchain.cs
  • - Core blockchain models
  • Scope Overview
  • Primary Directories & Files
  • P2P/ (8,000+ lines)
↓ Expand ↓
Remediation Commit ID:
  • https://github.com/VerifiedXBlockchain/VerifiedX-Core/pull/8
  • 71f203a
  • a69709e
  • f0e8bb1
  • 33eb0ec
  • 3b2521e
  • NA
  • d7cb9b5
  • c8f095d
  • 2dc90e7
  • c8fd239
  • 4b50cee
  • f0e7907
  • f684afb
  • c22923d
  • ee3471f
  • 9403c34
  • fe79406
  • 533df68
  • bcd88da
  • 1a2e584
  • 2c277f1
  • 6f2ad36
  • cfa8fb5
  • 61c7b0e
  • 85234d2
  • 49a5635
  • f71fee7
  • f70ab47
  • 46edb71
  • 667066a
  • 2985f08
  • 156b8c1
  • bfdf82b
  • 06e138b
  • 66dfc00
  • 5c8fc56
  • 842485e
  • 4f5784a
  • 3684968
  • https://github.com/VerifiedXBlockchain/VerifiedX-Core/pull/10
  • https://github.com/VerifiedXBlockchain/VerifiedX-Core/pull/11
  • 0e3ffdb
  • 1dfd18e
  • 1a29d87
  • aab9e83
  • f35e354
  • 7ecfc83
  • 1de47fb
  • 0b0134b
  • e29ea79
  • 7ecfc83
  • bec76a1
  • 654f7fa
  • f8df1aa
  • https://github.com/VerifiedXBlockchain/VerifiedX-Core/pull/9/commits/d82893b9c474730bb4ea25bb4de75bf0133441bd
  • e2f16b6
  • ccf1393
  • 83f8ed3
  • cb096dc
Out-of-Scope: New features/implementations after the remediation commit IDs.

6. Assessment Summary & Findings Overview

Critical

5

High

9

Medium

31

Low

17

Informational

6

Security analysisRisk levelRemediation Date
Point validation logic returns inverted resultsCriticalSolved - 09/25/2025
Randomness manipulation via last-revealer due to linear CombineRandoms and weak commit/revealCriticalSolved - 11/02/2025
Block validation counts retired signers toward majority while threshold uses current signersCriticalSolved - 11/02/2025
Foreign parent acceptance in proof validationCriticalSolved - 11/02/2025
Missing fork-choice policy enables persistent divergenceCriticalSolved - 11/02/2025
Unauthenticated consensus metadata parsing allows state manipulationHighSolved - 10/04/2025
Unauthenticated peer state updates allow liveness disruptionHighSolved - 10/25/2025
Unsigned consensus metadata allows client state manipulationHighSolved - 10/25/2025
Missing signature verification in ReceiveDownloadRequestHighSolved - 10/26/2025
Message signature check bypass for methodCode=0HighSolved - 11/02/2025
Quorum computed from registered signers but waits use livenessHighSolved - 11/02/2025
Dynamic membership without per-round snapshot (shifting quorum threshold)HighSolved - 11/02/2025
Missing anti-equivocation detection enables double-votingHighSolved - 11/02/2025
Nondeterministic tie-handling in VRF selectionHighSolved - 11/02/2025
Unrestricted deserialization of incoming proof listsMediumSolved - 10/04/2025
Height calculation uses incorrect peer collection after validator connectivity checkMediumSolved - 10/04/2025
Authentication handshake vulnerable to replay attacksMediumSolved - 10/04/2025
Uncaught parsing exception enables handshake denial of serviceMediumSolved - 10/04/2025
Unauthenticated validator discovery enables network topology manipulationMediumSolved - 10/04/2025
Unsafe string slicing on untrusted wallet version causes connection failuresMediumSolved - 10/04/2025
Address-based bans applied before authenticationMediumSolved - 10/04/2025
Unbounded field lengths in handshake and validator modelsMediumSolved - 10/04/2025
Fire-and-forget broadcasts without error handling or flow controlMediumSolved - 10/05/2025
Missing validator role assertion in block receptionMediumSolved - 10/05/2025
Synchronous remote port check in handshake pathMediumSolved - 10/25/2025
Missing address–publicKey binding in validator handshakeMediumSolved - 10/25/2025
Silent exception handling hides abuse and operational faultsMediumSolved - 10/25/2025
Unbounded winner list responses without pagination or size limitsMediumSolved - 10/25/2025
Block broadcast not gated on validation successMediumSolved - 10/25/2025
Excessive parallel requests and static backoffMediumSolved - 10/25/2025
Unsafe response parsing risks exceptions and desynchronizationMediumSolved - 10/25/2025
Unchecked split-based parsing in message/hash endpointsMediumSolved - 10/25/2025
Unbounded transaction broadcast list ingestionMediumSolved - 10/26/2025
Unsafe timestamp parsing and missing nonce in handshakeMediumSolved - 10/25/2025
Inverted duplicate handling logic in task answer processingMediumSolved - 10/25/2025
IP-only gating enables session hijack and misroutingMediumSolved - 10/25/2025
Unsafe timestamp parsing and missing nonce in blockcaster handshakeMediumSolved - 10/25/2025
ReceiveBlockVal heavy path without SignalRQueue/DoS guardMediumSolved - 10/26/2025
Aggressive parallelism/backoff in peer connections and updatesMediumSolved - 10/25/2025
IP-keyed session mapping enables hijack/misdirectionMediumSolved - 10/25/2025
DoS throttling weaknesses in SignalRQueueMediumSolved - 10/25/2025
Transaction nonce ordering not enforcedMediumSolved - 11/02/2025
Reserve CallBack/Recover lack idempotence; locked balance underflow riskMediumSolved - 11/04/2025
Missing fee floor and global mempool limits enable economic/space DoSMediumSolved - 11/04/2025
Unbounded deserialization and missing cancellation/backpressure in NodeDataProcessorMediumSolved - 11/04/2025
Signature generation lacks validation for zero componentsLowSolved - 09/25/2025
Signature verification accepts off-curve public keysLowSolved - 09/25/2025
Synchronous disposal blocks on asynchronous operations causing potential hangsLowSolved - 10/04/2025
Missing DoS guard and rate limits on block receptionLowSolved - 10/05/2025
Missing pre-validation filters on block receptionLowSolved - 10/05/2025
Premature exit from majority calculationLowSolved - 10/25/2025
Synchronous blocking on async disposalLowSolved - 10/25/2025
Unbounded growth of message/hash cachesLowSolved - 10/25/2025
Pre-authentication state and balance validationLowSolved - 10/25/2025
Signature reuse map grows without cleanupLowSolved - 10/25/2025
Unsafe parsing operations in task answer processingLowSolved - 10/25/2025
Unbounded JSON inputs and unsafe asset name handlingLowSolved - 10/25/2025
Blockcaster Handshake: Pre‑Authentication State/Balance ChecksLowSolved - 10/25/2025
Unsafe parsing and substring OOBLowSolved - 10/25/2025
Payload fields not cryptographically bound to authenticated identityLowSolved - 10/25/2025
TOCTTOU in per-IP queue accounting (ConnectionCount/BufferCost)LowSolved - 10/25/2025
Transaction staleness check depends on download stateLowSolved - 11/02/2025
Documentation contains spelling errors and misleading descriptionsInformationalSolved - 09/25/2025
Hardcoded timeouts and fixed delays without observabilityInformationalSolved - 10/05/2025
Unauthenticated validator list updates and weak binding checksInformationalSolved - 10/25/2025
Unbounded validator registry growth without pruning or TTLInformationalSolved - 10/25/2025
VRFNumber endianness dependency can cause cross-platform consensus splitsInformationalSolved - 11/03/2025
V4 proof validation lacks committee membership and winner enforcementInformationalSolved - 11/02/2025

7. Findings & Tech Details

7.1 Point validation logic returns inverted results

//

Critical

Description
Proof of Concept
BVSS
AO:A/AC:L/AX:L/R:N/S:U/C:N/A:N/I:C/D:N/Y:N (10.0)
Recommendation
Remediation Comment
Remediation Hash
https://github.com/VerifiedXBlockchain/VerifiedX-Core/pull/8

7.2 Randomness manipulation via last-revealer due to linear CombineRandoms and weak commit/reveal

//

Critical

Description
Proof of Concept
BVSS
AO:A/AC:L/AX:L/R:N/S:U/C:N/A:N/I:C/D:N/Y:N (10.0)
Recommendation
Remediation Comment
Remediation Hash
https://github.com/VerifiedXBlockchain/VerifiedX-Core/commit/71f203a1c099e9485aab88a016b89af3867be5b5

7.3 Block validation counts retired signers toward majority while threshold uses current signers

//

Critical

Description
Proof of Concept
BVSS
AO:A/AC:L/AX:L/R:N/S:U/C:N/A:N/I:C/D:N/Y:N (10.0)
Recommendation
Remediation Comment
Remediation Hash
https://github.com/VerifiedXBlockchain/VerifiedX-Core/commit/a69709ec67fd4f3906ffc737ae51a7ef8c2fb9ae

7.4 Foreign parent acceptance in proof validation

//

Critical

Description
Proof of Concept
BVSS
AO:A/AC:L/AX:L/R:N/S:U/C:N/A:N/I:C/D:N/Y:N (10.0)
Recommendation
Remediation Comment
Remediation Hash
https://github.com/VerifiedXBlockchain/VerifiedX-Core/commit/f0e8bb1097c29cd64b18bd2bcbc5f5045c395e7d

7.5 Missing fork-choice policy enables persistent divergence

//

Critical

Description
Proof of Concept
BVSS
AO:A/AC:L/AX:L/R:N/S:U/C:N/A:N/I:C/D:N/Y:N (10.0)
Recommendation
Remediation Comment
Remediation Hash
https://github.com/VerifiedXBlockchain/VerifiedX-Core/commit/33eb0eccf23f7dd5febaa61a79e617d5b5ef9a8f

7.6 Unauthenticated consensus metadata parsing allows state manipulation

//

High

Description
BVSS
AO:A/AC:L/AX:L/R:N/S:U/C:N/A:N/I:H/D:N/Y:N (7.5)
Recommendation
Remediation Comment
Remediation Hash
https://github.com/VerifiedXBlockchain/VerifiedX-Core/commit/3b2521e34f04a029bcab22f17101c8f028c4089c

7.7 Unauthenticated peer state updates allow liveness disruption

//

High

Description
Proof of Concept
BVSS
AO:A/AC:L/AX:L/R:N/S:U/C:N/A:N/I:H/D:N/Y:N (7.5)
Recommendation
Remediation Comment
Remediation Hash

7.8 Unsigned consensus metadata allows client state manipulation

//

High

Description
Proof of Concept
BVSS
AO:A/AC:L/AX:L/R:N/S:U/C:M/A:M/I:M/D:N/Y:N (7.5)
Recommendation
Remediation Comment
Remediation Hash

7.9 Missing signature verification in ReceiveDownloadRequest

//

High

Description
Proof of Concept
BVSS
AO:A/AC:L/AX:L/R:N/S:U/C:N/A:N/I:H/D:N/Y:N (7.5)
Recommendation
Remediation Comment
Remediation Hash
https://github.com/VerifiedXBlockchain/VerifiedX-Core/commit/d7cb9b512ceb170680435639f17f3f91b7b53d0b

7.10 Message signature check bypass for methodCode=0

//

High

Description
Proof of Concept
BVSS
AO:A/AC:L/AX:L/R:N/S:U/C:N/A:N/I:H/D:N/Y:N (7.5)
Recommendation
Remediation Comment
Remediation Hash
https://github.com/VerifiedXBlockchain/VerifiedX-Core/commit/c8f095d60b3905c1a70bed4e9ac923eacb8e80d8

7.11 Quorum computed from registered signers but waits use liveness

//

High

Description
Proof of Concept
BVSS
AO:A/AC:L/AX:L/R:N/S:U/C:N/A:N/I:H/D:N/Y:N (7.5)
Recommendation
Remediation Comment
Remediation Hash
https://github.com/VerifiedXBlockchain/VerifiedX-Core/commit/2dc90e70cdf6c724756c18876b124ba2233c00ef

7.12 Dynamic membership without per-round snapshot (shifting quorum threshold)

//

High

Description
Proof of Concept
BVSS
AO:A/AC:L/AX:L/R:N/S:U/C:N/A:N/I:H/D:N/Y:N (7.5)
Recommendation
Remediation Comment
Remediation Hash
https://github.com/VerifiedXBlockchain/VerifiedX-Core/commit/c8fd2393ada0536915930eae3a7bc23858f1a286

7.13 Missing anti-equivocation detection enables double-voting

//

High

Description
Proof of Concept
BVSS
AO:A/AC:L/AX:L/R:N/S:U/C:N/A:N/I:H/D:N/Y:N (7.5)
Recommendation
Remediation Comment
Remediation Hash
https://github.com/VerifiedXBlockchain/VerifiedX-Core/commit/4b50cee62fcba46918cef640d68c442e64e02dff

7.14 Nondeterministic tie-handling in VRF selection

//

High

Description
Proof of Concept
BVSS
AO:A/AC:L/AX:L/R:N/S:U/C:N/A:N/I:H/D:N/Y:N (7.5)
Recommendation
Remediation Comment
Remediation Hash
https://github.com/VerifiedXBlockchain/VerifiedX-Core/commit/f0e79072d7c340c0400ee277dea8592fb9707a36

7.15 Unrestricted deserialization of incoming proof lists

//

Medium

Description
Proof of Concept
BVSS
AO:A/AC:L/AX:L/R:N/S:U/C:N/A:M/I:M/D:N/Y:N (6.3)
Recommendation
Remediation Comment
Remediation Hash
https://github.com/VerifiedXBlockchain/VerifiedX-Core/commit/f684afb03646e5264a7762628fa7833ff9b34445

7.16 Height calculation uses incorrect peer collection after validator connectivity check

//

Medium

Description
BVSS
AO:A/AC:L/AX:L/R:N/S:U/C:N/A:N/I:M/D:N/Y:N (5.0)
Recommendation
Remediation Comment
Remediation Hash
https://github.com/VerifiedXBlockchain/VerifiedX-Core/commit/c22923d832b854f85fe9f80075b4e537d4c0e3e7

7.17 Authentication handshake vulnerable to replay attacks

//

Medium

Description
BVSS
AO:A/AC:L/AX:L/R:N/S:U/C:M/A:N/I:N/D:N/Y:N (5.0)
Recommendation
Remediation Comment
Remediation Hash
https://github.com/VerifiedXBlockchain/VerifiedX-Core/commit/ee3471ff6d9a33cfe181d5cd7934bb21737fce94

7.18 Uncaught parsing exception enables handshake denial of service

//

Medium

Description
BVSS
AO:A/AC:L/AX:L/R:N/S:U/C:N/A:M/I:N/D:N/Y:N (5.0)
Recommendation
Remediation Comment
Remediation Hash
https://github.com/VerifiedXBlockchain/VerifiedX-Core/commit/9403c3434ca4b2da0ad4dcd0c1670d255137a9aa

7.19 Unauthenticated validator discovery enables network topology manipulation

//

Medium

Description
BVSS
AO:A/AC:L/AX:L/R:N/S:U/C:N/A:N/I:M/D:N/Y:N (5.0)
Recommendation
Remediation Comment
Remediation Hash
https://github.com/VerifiedXBlockchain/VerifiedX-Core/commit/fe79406aec7e7ff0e0d8f2744ef13dd1e9ce5592

7.20 Unsafe string slicing on untrusted wallet version causes connection failures

//

Medium

Description
BVSS
AO:A/AC:L/AX:L/R:N/S:U/C:N/A:N/I:M/D:N/Y:N (5.0)
Recommendation
Remediation Comment
Remediation Hash
https://github.com/VerifiedXBlockchain/VerifiedX-Core/commit/533df68531844b8fa17f0544fa44283b0901e872

7.21 Address-based bans applied before authentication

//

Medium

Description
Proof of Concept
BVSS
AO:A/AC:L/AX:L/R:N/S:U/C:N/A:N/I:M/D:N/Y:N (5.0)
Recommendation
Remediation Comment
Remediation Hash
https://github.com/VerifiedXBlockchain/VerifiedX-Core/commit/bcd88da38f976051db477954902a420ece3682f5

7.22 Unbounded field lengths in handshake and validator models

//

Medium

Description
Proof of Concept
BVSS
AO:A/AC:L/AX:L/R:N/S:U/C:N/A:N/I:M/D:N/Y:N (5.0)
Recommendation
Remediation Comment
Remediation Hash
https://github.com/VerifiedXBlockchain/VerifiedX-Core/commit/1a2e584b686fab4ff3ff16697330398d052031a7

7.23 Fire-and-forget broadcasts without error handling or flow control

//

Medium

Description
Proof of Concept
BVSS
AO:A/AC:L/AX:L/R:N/S:U/C:N/A:N/I:M/D:N/Y:N (5.0)
Recommendation
Remediation Comment
Remediation Hash
https://github.com/VerifiedXBlockchain/VerifiedX-Core/commit/2c277f1e2ddf9c024f0e43af00f7f70b862f7692

7.24 Missing validator role assertion in block reception

//

Medium

Description
Proof of Concept
BVSS
AO:A/AC:L/AX:L/R:N/S:U/C:N/A:N/I:M/D:N/Y:N (5.0)
Recommendation
Remediation Comment
Remediation Hash
https://github.com/VerifiedXBlockchain/VerifiedX-Core/commit/6f2ad36fc61c9636356bc03c053a428f2b9888af

7.25 Synchronous remote port check in handshake path

//

Medium

Description
Proof of Concept
BVSS
AO:A/AC:L/AX:L/R:N/S:U/C:N/A:M/I:N/D:N/Y:N (5.0)
Recommendation
Remediation Comment
Remediation Hash
https://github.com/VerifiedXBlockchain/VerifiedX-Core/commit/cfa8fb588cd3bd417b2a2a4ca168a4e3fe09cc6c

7.26 Missing address–publicKey binding in validator handshake

//

Medium

Description
Proof of Concept
BVSS
AO:A/AC:L/AX:L/R:N/S:U/C:N/A:N/I:M/D:N/Y:N (5.0)
Recommendation
Remediation Comment
Remediation Hash
https://github.com/VerifiedXBlockchain/VerifiedX-Core/commit/61c7b0e093a7e4e1e834e0d4818df6f748dced66

7.27 Silent exception handling hides abuse and operational faults

//

Medium

Description
Proof of Concept
BVSS
AO:A/AC:L/AX:L/R:N/S:U/C:N/A:N/I:M/D:N/Y:N (5.0)
Recommendation
Remediation Comment
Remediation Hash
https://github.com/VerifiedXBlockchain/VerifiedX-Core/commit/85234d232d43e9aa73becd607047e6476ee42ace

7.28 Unbounded winner list responses without pagination or size limits

//

Medium

Description
Proof of Concept
BVSS
AO:A/AC:L/AX:L/R:N/S:U/C:N/A:N/I:M/D:N/Y:N (5.0)
Recommendation
Remediation Comment
Remediation Hash

7.29 Block broadcast not gated on validation success

//

Medium

Description
Proof of Concept
BVSS
AO:A/AC:L/AX:L/R:N/S:U/C:N/A:N/I:M/D:N/Y:N (5.0)
Recommendation
Remediation Comment
Remediation Hash
https://github.com/VerifiedXBlockchain/VerifiedX-Core/commit/49a5635cecbca878bc5b11b8075b2f0c649547ab

7.30 Excessive parallel requests and static backoff

//

Medium

Description
Proof of Concept
BVSS
AO:A/AC:L/AX:L/R:N/S:U/C:N/A:N/I:M/D:N/Y:N (5.0)
Recommendation
Remediation Comment
Remediation Hash
https://github.com/VerifiedXBlockchain/VerifiedX-Core/commit/f71fee70db9e2b38a396fedc7d5b7808e826bd95

7.31 Unsafe response parsing risks exceptions and desynchronization

//

Medium

Description
Proof of Concept
BVSS
AO:A/AC:L/AX:L/R:N/S:U/C:N/A:N/I:M/D:N/Y:N (5.0)
Recommendation
Remediation Comment
Remediation Hash

7.32 Unchecked split-based parsing in message/hash endpoints

//

Medium

Description
Proof of Concept
BVSS
AO:A/AC:L/AX:L/R:N/S:U/C:N/A:N/I:M/D:N/Y:N (5.0)
Recommendation
Remediation Comment
Remediation Hash
https://github.com/VerifiedXBlockchain/VerifiedX-Core/commit/f70ab47b2bc63cddf8778e1a115cf248031e6ef8

7.33 Unbounded transaction broadcast list ingestion

//

Medium

Description
Proof of Concept
BVSS
AO:A/AC:L/AX:L/R:N/S:U/C:N/A:M/I:N/D:N/Y:N (5.0)
Recommendation
Remediation Comment
Remediation Hash
https://github.com/VerifiedXBlockchain/VerifiedX-Core/commit/46edb711d67c7c5435650766ce08ae6d242de31f

7.34 Unsafe timestamp parsing and missing nonce in handshake

//

Medium

Description
Proof of Concept
BVSS
AO:A/AC:L/AX:L/R:N/S:U/C:N/A:M/I:N/D:N/Y:N (5.0)
Recommendation
Remediation Comment
Remediation Hash

7.35 Inverted duplicate handling logic in task answer processing

//

Medium

Description
Proof of Concept
BVSS
AO:A/AC:L/AX:L/R:N/S:U/C:N/A:N/I:M/D:N/Y:N (5.0)
Recommendation
Remediation Comment
Remediation Hash
https://github.com/VerifiedXBlockchain/VerifiedX-Core/commit/667066a172907cceaee5a2c7bde1dac1a972a62d

7.36 IP-only gating enables session hijack and misrouting

//

Medium

Description
Proof of Concept
BVSS
AO:A/AC:L/AX:L/R:N/S:U/C:N/A:N/I:M/D:N/Y:N (5.0)
Recommendation
Remediation Comment
Remediation Hash
https://github.com/VerifiedXBlockchain/VerifiedX-Core/commit/2985f087f3e1d7c00af2fe1070c34c01936f0f3a

7.37 Unsafe timestamp parsing and missing nonce in blockcaster handshake

//

Medium

Description
Proof of Concept
BVSS
AO:A/AC:L/AX:L/R:N/S:U/C:N/A:N/I:M/D:N/Y:N (5.0)
Recommendation
Remediation Comment
Remediation Hash

7.38 ReceiveBlockVal heavy path without SignalRQueue/DoS guard

//

Medium

Description
Proof of Concept
BVSS
AO:A/AC:L/AX:L/R:N/S:U/C:N/A:N/I:M/D:N/Y:N (5.0)
Recommendation
Remediation Comment
Remediation Hash
https://github.com/VerifiedXBlockchain/VerifiedX-Core/commit/156b8c1984a7afcedebd0b9baaa94c50fdf9594e

7.39 Aggressive parallelism/backoff in peer connections and updates

//

Medium

Description
Proof of Concept
BVSS
AO:A/AC:L/AX:L/R:N/S:U/C:N/A:N/I:M/D:N/Y:N (5.0)
Recommendation
Remediation Comment
Remediation Hash
https://github.com/VerifiedXBlockchain/VerifiedX-Core/commit/bfdf82b2724b60646dc20b91082de5a4afc3dd18

7.40 IP-keyed session mapping enables hijack/misdirection

//

Medium

Description
Proof of Concept
BVSS
AO:A/AC:L/AX:L/R:N/S:U/C:N/A:N/I:M/D:N/Y:N (5.0)
Recommendation
Remediation Comment
Remediation Hash
https://github.com/VerifiedXBlockchain/VerifiedX-Core/commit/06e138b6d951daabf00b9be599d957306c9f276c

7.41 DoS throttling weaknesses in SignalRQueue

//

Medium

Description
Proof of Concept
BVSS
AO:A/AC:L/AX:L/R:N/S:U/C:N/A:N/I:M/D:N/Y:N (5.0)
Recommendation
Remediation Comment
Remediation Hash
https://github.com/VerifiedXBlockchain/VerifiedX-Core/commit/66dfc000c7726407763abc399331bdf765e62642

7.42 Transaction nonce ordering not enforced

//

Medium

Description
Proof of Concept
BVSS
AO:A/AC:L/AX:L/R:N/S:U/C:N/A:N/I:M/D:N/Y:N (5.0)
Recommendation
Remediation Comment
Remediation Hash
https://github.com/VerifiedXBlockchain/VerifiedX-Core/commit/5c8fc5656c2d152b88d75e0529f05d7126c10776

7.43 Reserve CallBack/Recover lack idempotence; locked balance underflow risk

//

Medium

Description
Proof of Concept
BVSS
AO:A/AC:L/AX:L/R:N/S:U/C:N/A:N/I:M/D:N/Y:N (5.0)
Recommendation
Remediation Comment
Remediation Hash
https://github.com/VerifiedXBlockchain/VerifiedX-Core/commit/842485e53b1dfd4352c0705fcde2438ba5125940

7.44 Missing fee floor and global mempool limits enable economic/space DoS

//

Medium

Description
Proof of Concept
BVSS
AO:A/AC:L/AX:L/R:N/S:U/C:N/A:N/I:M/D:N/Y:N (5.0)
Recommendation
Remediation Comment
Remediation Hash
https://github.com/VerifiedXBlockchain/VerifiedX-Core/commit/4f5784ab47c48942d0e5ca8602f8a3e5cdf9bb09

7.45 Unbounded deserialization and missing cancellation/backpressure in NodeDataProcessor

//

Medium

Description
Proof of Concept
BVSS
AO:A/AC:L/AX:L/R:N/S:U/C:N/A:N/I:M/D:N/Y:N (5.0)
Recommendation
Remediation Comment
Remediation Hash
https://github.com/VerifiedXBlockchain/VerifiedX-Core/commit/3684968b6f022080cdc6ca83ec7907f3b9a8d0ed

7.46 Signature generation lacks validation for zero components

//

Low

Description
BVSS
AO:A/AC:L/AX:L/R:N/S:U/C:N/A:N/I:L/D:N/Y:N (2.5)
Recommendation
Remediation Comment
Remediation Hash
https://github.com/VerifiedXBlockchain/VerifiedX-Core/pull/10

7.47 Signature verification accepts off-curve public keys

//

Low

Description
BVSS
AO:A/AC:L/AX:L/R:N/S:U/C:N/A:N/I:L/D:N/Y:N (2.5)
Recommendation
Remediation Comment
Remediation Hash
https://github.com/VerifiedXBlockchain/VerifiedX-Core/pull/11

7.48 Synchronous disposal blocks on asynchronous operations causing potential hangs

//

Low

Description
BVSS
AO:A/AC:L/AX:L/R:N/S:U/C:N/A:N/I:L/D:N/Y:N (2.5)
Recommendation
Remediation Comment
Remediation Hash
https://github.com/VerifiedXBlockchain/VerifiedX-Core/commit/0e3ffdbcc85729c2bd96c330308592143cfc5177

7.49 Missing DoS guard and rate limits on block reception

//

Low

Description
Proof of Concept
BVSS
AO:A/AC:L/AX:L/R:N/S:U/C:N/A:N/I:L/D:N/Y:N (2.5)
Recommendation
Remediation Comment
Remediation Hash
https://github.com/VerifiedXBlockchain/VerifiedX-Core/commit/1dfd18e62e433f0652d83185a6e3b308e128cb9e

7.50 Missing pre-validation filters on block reception

//

Low

Description
Proof of Concept
BVSS
AO:A/AC:L/AX:L/R:N/S:U/C:N/A:N/I:L/D:N/Y:N (2.5)
Recommendation
Remediation Comment
Remediation Hash
https://github.com/VerifiedXBlockchain/VerifiedX-Core/commit/1a29d87929c622e77c146575040596da81481d28

7.51 Premature exit from majority calculation

//

Low

Description
Proof of Concept
BVSS
AO:A/AC:L/AX:L/R:N/S:U/C:N/A:N/I:L/D:N/Y:N (2.5)
Recommendation
Remediation Comment
Remediation Hash
https://github.com/VerifiedXBlockchain/VerifiedX-Core/commit/aab9e83e1aab92f4b927b88a66ac78c5daeac860

7.52 Synchronous blocking on async disposal

//

Low

Description
Proof of Concept
BVSS
AO:A/AC:L/AX:L/R:N/S:U/C:N/A:N/I:L/D:N/Y:N (2.5)
Recommendation
Remediation Comment
Remediation Hash
https://github.com/VerifiedXBlockchain/VerifiedX-Core/commit/0e3ffdbcc85729c2bd96c330308592143cfc5177

7.53 Unbounded growth of message/hash caches

//

Low

Description
Proof of Concept
BVSS
AO:A/AC:L/AX:L/R:N/S:U/C:N/A:N/I:L/D:N/Y:N (2.5)
Recommendation
Remediation Comment
Remediation Hash
https://github.com/VerifiedXBlockchain/VerifiedX-Core/commit/f35e3547b90f3a372908240943012471661c241c

7.54 Pre-authentication state and balance validation

//

Low

Description
Proof of Concept
BVSS
AO:A/AC:L/AX:L/R:N/S:U/C:N/A:N/I:L/D:N/Y:N (2.5)
Recommendation
Remediation Comment
Remediation Hash
https://github.com/VerifiedXBlockchain/VerifiedX-Core/commit/7ecfc83d937b24836919cd827209628dbe01c221

7.55 Signature reuse map grows without cleanup

//

Low

Description
Proof of Concept
BVSS
AO:A/AC:L/AX:L/R:N/S:U/C:N/A:N/I:L/D:N/Y:N (2.5)
Recommendation
Remediation Comment
Remediation Hash
https://github.com/VerifiedXBlockchain/VerifiedX-Core/commit/1de47fb07780a40b035bb294094a3b314b873bd0

7.56 Unsafe parsing operations in task answer processing

//

Low

Description
Proof of Concept
BVSS
AO:A/AC:L/AX:L/R:N/S:U/C:N/A:N/I:L/D:N/Y:N (2.5)
Recommendation
Remediation Comment
Remediation Hash
https://github.com/VerifiedXBlockchain/VerifiedX-Core/commit/0b0134bf16022a1c9384cc29d2f793c911aa05b7

7.57 Unbounded JSON inputs and unsafe asset name handling

//

Low

Description
Proof of Concept
BVSS
AO:A/AC:L/AX:L/R:N/S:U/C:N/A:N/I:L/D:N/Y:N (2.5)
Recommendation
Remediation Comment
Remediation Hash
https://github.com/VerifiedXBlockchain/VerifiedX-Core/commit/e29ea7947e22f0c2d201d5786dc0e0b1f5734c5c

7.58 Blockcaster Handshake: Pre‑Authentication State/Balance Checks

//

Low

Description
Proof of Concept
BVSS
AO:A/AC:L/AX:L/R:N/S:U/C:N/A:N/I:L/D:N/Y:N (2.5)
Recommendation
Remediation Comment
Remediation Hash

7.59 Unsafe parsing and substring OOB

//

Low

Description
Proof of Concept
BVSS
AO:A/AC:L/AX:L/R:N/S:U/C:N/A:N/I:L/D:N/Y:N (2.5)
Recommendation
Remediation Comment
Remediation Hash
https://github.com/VerifiedXBlockchain/VerifiedX-Core/commit/533df68531844b8fa17f0544fa44283b0901e872

7.60 Payload fields not cryptographically bound to authenticated identity

//

Low

Description
Proof of Concept
BVSS
AO:A/AC:L/AX:L/R:N/S:U/C:N/A:N/I:L/D:N/Y:N (2.5)
Recommendation
Remediation Comment
Remediation Hash
https://github.com/VerifiedXBlockchain/VerifiedX-Core/commit/bec76a118bf8d452d6f2b8c199928e20ad0c360b

7.61 TOCTTOU in per-IP queue accounting (ConnectionCount/BufferCost)

//

Low

Description
Proof of Concept
BVSS
AO:A/AC:L/AX:L/R:N/S:U/C:N/A:N/I:L/D:N/Y:N (2.5)
Recommendation
Remediation Comment
Remediation Hash
https://github.com/VerifiedXBlockchain/VerifiedX-Core/commit/654f7fa2877a7a7b368217d397a13707a2d215cd

7.62 Transaction staleness check depends on download state

//

Low

Description
Proof of Concept
BVSS
AO:A/AC:L/AX:L/R:N/S:U/C:N/A:N/I:L/D:N/Y:N (2.5)
Recommendation
Remediation Comment
Remediation Hash
https://github.com/VerifiedXBlockchain/VerifiedX-Core/commit/f8df1aa6fadfe20bf14f9ca75d5f9458543103d2

7.63 Documentation contains spelling errors and misleading descriptions

//

Informational

Description
BVSS
AO:A/AC:L/AX:L/R:N/S:U/C:N/A:N/I:N/D:N/Y:N (0.0)
Recommendation
Remediation Comment
Remediation Hash
https://github.com/VerifiedXBlockchain/VerifiedX-Core/pull/9/commits/d82893b9c474730bb4ea25bb4de75bf0133441bd

7.64 Hardcoded timeouts and fixed delays without observability

//

Informational

Description
Proof of Concept
BVSS
AO:A/AC:L/AX:L/R:N/S:U/C:N/A:N/I:N/D:N/Y:N (0.0)
Recommendation
Remediation Comment
Remediation Hash
https://github.com/VerifiedXBlockchain/VerifiedX-Core/commit/e2f16b6379964ea92b61f749ee6a3322205fb293

7.65 Unauthenticated validator list updates and weak binding checks

//

Informational

Description
Proof of Concept
BVSS
AO:A/AC:L/AX:L/R:N/S:U/C:N/A:N/I:N/D:N/Y:N (0.0)
Recommendation
Remediation Comment
Remediation Hash
https://github.com/VerifiedXBlockchain/VerifiedX-Core/commit/ccf1393532eff8db5f128d7116ec53500f9989ec

7.66 Unbounded validator registry growth without pruning or TTL

//

Informational

Description
Proof of Concept
BVSS
AO:A/AC:L/AX:L/R:N/S:U/C:N/A:N/I:N/D:N/Y:N (0.0)
Recommendation
Remediation Comment
Remediation Hash
https://github.com/VerifiedXBlockchain/VerifiedX-Core/commit/83f8ed368a06536c3bf78b817312b92bf63558e5

7.67 VRFNumber endianness dependency can cause cross-platform consensus splits

//

Informational

Description
Proof of Concept
BVSS
AO:A/AC:L/AX:L/R:N/S:U/C:N/A:N/I:N/D:N/Y:N (0.0)
Recommendation
Remediation Comment
Remediation Hash

7.68 V4 proof validation lacks committee membership and winner enforcement

//

Informational

Description
Proof of Concept
BVSS
AO:A/AC:L/AX:L/R:N/S:U/C:N/A:N/I:N/D:N/Y:N (0.0)
Recommendation
Remediation Comment
Remediation Hash
https://github.com/VerifiedXBlockchain/VerifiedX-Core/commit/cb096dc7e6c2209f774e746b08a9ec2e6aded426

Halborn strongly recommends conducting a follow-up assessment of the project either within six months or immediately following any material changes to the codebase, whichever comes first. This approach is crucial for maintaining the project’s integrity and addressing potential vulnerabilities introduced by code modifications.

Table of Contents

  • 1. Introduction
  • 2. Assessment summary
  • 3. Test approach and methodology
  • 4. Risk methodology
  • 5. Scope
  • 6. Assessment summary & findings overview
  • 7. Findings & Tech Details
    1. 7.1 Point validation logic returns inverted results
    2. 7.2 Randomness manipulation via last-revealer due to linear combinerandoms and weak commit/reveal
    3. 7.3 Block validation counts retired signers toward majority while threshold uses current signers
    4. 7.4 Foreign parent acceptance in proof validation
    5. 7.5 Missing fork-choice policy enables persistent divergence
    6. 7.6 Unauthenticated consensus metadata parsing allows state manipulation
    7. 7.7 Unauthenticated peer state updates allow liveness disruption
    8. 7.8 Unsigned consensus metadata allows client state manipulation
    9. 7.9 Missing signature verification in receivedownloadrequest
    10. 7.10 Message signature check bypass for methodcode=0
    11. 7.11 Quorum computed from registered signers but waits use liveness
    12. 7.12 Dynamic membership without per-round snapshot (shifting quorum threshold)
    13. 7.13 Missing anti-equivocation detection enables double-voting
    14. 7.14 Nondeterministic tie-handling in vrf selection
    15. 7.15 Unrestricted deserialization of incoming proof lists
    16. 7.16 Height calculation uses incorrect peer collection after validator connectivity check
    17. 7.17 Authentication handshake vulnerable to replay attacks
    18. 7.18 Uncaught parsing exception enables handshake denial of service
    19. 7.19 Unauthenticated validator discovery enables network topology manipulation
    20. 7.20 Unsafe string slicing on untrusted wallet version causes connection failures
    21. 7.21 Address-based bans applied before authentication
    22. 7.22 Unbounded field lengths in handshake and validator models
    23. 7.23 Fire-and-forget broadcasts without error handling or flow control
    24. 7.24 Missing validator role assertion in block reception
    25. 7.25 Synchronous remote port check in handshake path
    26. 7.26 Missing address–publickey binding in validator handshake
    27. 7.27 Silent exception handling hides abuse and operational faults
    28. 7.28 Unbounded winner list responses without pagination or size limits
    29. 7.29 Block broadcast not gated on validation success
    30. 7.30 Excessive parallel requests and static backoff
    31. 7.31 Unsafe response parsing risks exceptions and desynchronization
    32. 7.32 Unchecked split-based parsing in message/hash endpoints
    33. 7.33 Unbounded transaction broadcast list ingestion
    34. 7.34 Unsafe timestamp parsing and missing nonce in handshake
    35. 7.35 Inverted duplicate handling logic in task answer processing
    36. 7.36 Ip-only gating enables session hijack and misrouting
    37. 7.37 Unsafe timestamp parsing and missing nonce in blockcaster handshake
    38. 7.38 Receiveblockval heavy path without signalrqueue/dos guard
    39. 7.39 Aggressive parallelism/backoff in peer connections and updates
    40. 7.40 Ip-keyed session mapping enables hijack/misdirection
    41. 7.41 Dos throttling weaknesses in signalrqueue
    42. 7.42 Transaction nonce ordering not enforced
    43. 7.43 Reserve callback/recover lack idempotence; locked balance underflow risk
    44. 7.44 Missing fee floor and global mempool limits enable economic/space dos
    45. 7.45 Unbounded deserialization and missing cancellation/backpressure in nodedataprocessor
    46. 7.46 Signature generation lacks validation for zero components
    47. 7.47 Signature verification accepts off-curve public keys
    48. 7.48 Synchronous disposal blocks on asynchronous operations causing potential hangs
    49. 7.49 Missing dos guard and rate limits on block reception
    50. 7.50 Missing pre-validation filters on block reception
    51. 7.51 Premature exit from majority calculation
    52. 7.52 Synchronous blocking on async disposal
    53. 7.53 Unbounded growth of message/hash caches
    54. 7.54 Pre-authentication state and balance validation
    55. 7.55 Signature reuse map grows without cleanup
    56. 7.56 Unsafe parsing operations in task answer processing
    57. 7.57 Unbounded json inputs and unsafe asset name handling
    58. 7.58 Blockcaster handshake: pre‑authentication state/balance checks
    59. 7.59 Unsafe parsing and substring oob
    60. 7.60 Payload fields not cryptographically bound to authenticated identity
    61. 7.61 Tocttou in per-ip queue accounting (connectioncount/buffercost)
    62. 7.62 Transaction staleness check depends on download state
    63. 7.63 Documentation contains spelling errors and misleading descriptions
    64. 7.64 Hardcoded timeouts and fixed delays without observability
    65. 7.65 Unauthenticated validator list updates and weak binding checks
    66. 7.66 Unbounded validator registry growth without pruning or ttl
    67. 7.67 Vrfnumber endianness dependency can cause cross-platform consensus splits
    68. 7.68 V4 proof validation lacks committee membership and winner enforcement

// Download the full report

VerifiedX Core

* Use Google Chrome for best results

** Check "Background Graphics" in the print settings if needed