
[UTXO-BUG] 3 Critical Security Vulnerabilities in UTXO Layer#2064

Closed
kuanglaodi2-sudo wants to merge 1 commit into Scottcjn:main from kuanglaodi2-sudo:utxo-security-tests

Conversation

@kuanglaodi2-sudo
Contributor

[UTXO-BUG] Security Vulnerabilities Found — Bug Bounty Submission

Severity: Critical / High / Medium


Finding 1 [CRITICAL] — Coinbase Conservation Law Bypass (Bounty: 200 RTC)

File: node/utxo_db.py, method apply_transaction()

Bug: Conservation check is skipped for coinbase transactions.

# Line ~310 in utxo_db.py:
if inputs and (output_total + fee) > input_total:  # ← 'if inputs' excludes coinbase!
    conn.execute("ROLLBACK")
    return False

Impact: A malicious miner can create unlimited RTC by crafting a coinbase transaction with massive outputs and no inputs. The conservation law is completely bypassed.

Reproduction: See TestCoinbaseConservationBypass in node/test_utxo_security.py

Fix: Add a maximum coinbase reward check — coinbase outputs must not exceed the block reward schedule.


Finding 2 [HIGH] — Genesis Migration Non-Idempotency / Permanent Stuck State (Bounty: 100 RTC)

File: node/utxo_genesis_migration.py, method migrate()

Bug: If migration crashes mid-way through the BEGIN IMMEDIATE transaction, re-running it permanently blocks.

if check_existing_genesis(utxo_db):  # Checks if ANY genesis boxes exist
    print("ERROR: Genesis boxes already exist. Aborting.")
    return {'error': 'genesis_already_exists'}

Impact: If a node crashes after inserting some genesis boxes but before COMMIT, the DB has partial state. Re-running sees existing genesis boxes → permanently aborts. All 4 nodes must have identical state roots — one crashed node blocks the entire migration with no recovery path.

Reproduction: See TestGenesisMigrationIdempotency in node/test_utxo_security.py

Fix: Make migration idempotent — check if each individual wallet already has its genesis box before inserting, rather than checking globally.


Finding 3 [MEDIUM] — Negative/Zero Value Output Spam (Bounty: 50 RTC)

File: node/utxo_db.py, method apply_transaction()

Bug: No validation that out['value_nrtc'] > 0. Transactions can create zero or negative value boxes.

# No check before: output_records.append({... 'value_nrtc': out['value_nrtc'] ...})

Impact: Zero-value outputs are economically meaningless but consume DB space and clutter the UTXO set. Negative values are mathematically invalid. Both could cause consensus divergence between nodes.

Reproduction: See TestNegativeValueOutputs in node/test_utxo_security.py

Fix: Add validation: if out['value_nrtc'] <= 0: return False


Test Files

All 3 findings include failing unit tests in node/test_utxo_security.py.

Run: python -m pytest node/test_utxo_security.py -v

All 3 tests FAIL on the current codebase, demonstrating the bugs exist.


Bounty Total: 200 + 100 + 50 = 350 RTC

Failing test cases for:
1. [CRITICAL] Coinbase Conservation Law Bypass (200 RTC)
2. [HIGH] Genesis Migration Non-Idempotency (100 RTC)
3. [MEDIUM] Negative/Zero Value Outputs (50 RTC)
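A hardened validation routine covering Findings 1 and 3 (and the negative-fee case mentioned in the closing comment), written here as an added example rather than code from the RustChain repository. The reward schedule, the nRTC denomination, the transaction dictionary shape and the function names are all assumptions made for illustration.

```python
from typing import Dict, List, Optional

NRTC_PER_RTC = 10**9  # assumed denomination, constructed for this example


def block_reward_nrtc(height: int) -> int:
    """Hypothetical schedule (not RustChain's): 50 RTC, halving every 1000 blocks."""
    return (50 * NRTC_PER_RTC) >> (height // 1000)


def check_outputs(outputs: List[Dict]) -> Optional[str]:
    """Finding 3: every output must carry a strictly positive integer value."""
    if not outputs:
        return "no_outputs"
    for out in outputs:
        v = out.get("value_nrtc")
        # bool is a subclass of int, so exclude it explicitly
        if not isinstance(v, int) or isinstance(v, bool) or v <= 0:
            return "non_positive_output"
    return None


def check_transaction(tx: Dict, input_total: int, height: int,
                      block_fees: int = 0) -> Optional[str]:
    """Return None when tx is acceptable, otherwise a rejection reason.

    tx = {"inputs": [...], "outputs": [{"value_nrtc": int}, ...], "fee": int}
    input_total: summed value of the boxes referenced by tx["inputs"]
    block_fees:  fees collected from the block's other transactions (coinbase only)
    """
    reason = check_outputs(tx["outputs"])
    if reason:
        return reason
    fee = tx.get("fee", 0)
    if not isinstance(fee, int) or isinstance(fee, bool) or fee < 0:
        return "negative_fee"
    output_total = sum(o["value_nrtc"] for o in tx["outputs"])
    if tx["inputs"]:
        # Regular transaction: inputs must cover outputs plus fee.
        if output_total + fee > input_total:
            return "conservation_violation"
        return None
    # Coinbase (no inputs): the original 'if inputs' guard skipped this path (Finding 1).
    # Bound the outputs by the reward schedule plus fees collected in the block.
    if fee != 0:
        return "coinbase_with_fee"
    if output_total > block_reward_nrtc(height) + block_fees:
        return "coinbase_exceeds_reward"
    return None
```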
github-actions bot added labels BCOS-L1 (Beacon Certified Open Source tier BCOS-L1, required for non-doc PRs) and node (Node server related) on Apr 4, 2026

github-actions bot commented Apr 4, 2026

Welcome to RustChain! Thanks for your first pull request.

Before we review, please make sure:

  • Your PR has a BCOS-L1 or BCOS-L2 label
  • New code files include an SPDX license header
  • You've tested your changes against the live node

Bounty tiers: Micro (1-10 RTC) | Standard (20-50) | Major (75-100) | Critical (100-150)

A maintainer will review your PR soon. Thanks for contributing!

Owner

Scottcjn commented Apr 4, 2026

Thanks for the security audit. The three vulnerabilities you identified (negative fees, empty-input bypass, non-atomic rollback) were also found by createkr in PRs #2059, #2060, and #2063, which were submitted first and have been merged. Closing as duplicate. If you found additional vulnerabilities not covered by those three PRs, please open a new PR with a focused fix and we'll review it separately. 25 RTC for independent discovery of the same bugs.

@Scottcjn Scottcjn closed this Apr 4, 2026