[UTXO-BUG] Security audit: 4 vulnerabilities found with failing test cases#2065

Open
dinnar1407-code wants to merge 1 commit into Scottcjn:main from dinnar1407-code:utxo-bug-reports

Conversation

@dinnar1407-code

UTXO Red Team Security Audit

Submitted for bounty: Scottcjn/rustchain-bounties#2819

Findings

🔴 CRITICAL: No spending_proof validation (200 RTC)

apply_transaction() never validates spending_proof. Any user can spend any UTXO by passing a fake proof string. This is a fund theft vulnerability — Bob can steal Alice's UTXOs.

🟡 MEDIUM: Silent fund destruction (50 RTC)

Conservation check only rejects output_total + fee > input_total but accepts output_total + fee < input_total. The difference silently vanishes instead of being enforced as strict equality or explicit fee.

🟢 LOW: Zero/negative output values accepted (25 RTC)

  • Zero-value outputs pollute the UTXO set
  • Negative-value outputs can bypass conservation checks (e.g., one output of +20 RTC and another of -10 RTC passes the sum check against a 10 RTC input)

🟢 LOW: Duplicate inputs not rejected upfront (25 RTC)

Same box_id listed twice in inputs inflates input_total. The second UPDATE fails (defense in depth), but the design should reject duplicates during validation, not rely on DB-level atomicity.

Test File

node/test_utxo_bugs.py — 5 failing test cases demonstrating each vulnerability.

Suggested Fixes

  1. Add spending_proof signature verification against the UTXO's proposition
  2. Enforce strict conservation: output_total + fee == input_total
  3. Reject outputs where value_nrtc <= 0
  4. Check for duplicate box_ids in inputs before processing

…ilent fund destruction, zero/negative outputs, duplicate inputs
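As an added example (not the RustChain node's code and not part of this PR), here is a Python validator that applies the four suggested fixes in order: duplicate box_ids and non-positive `value_nrtc` are rejected before any total is computed, each `spending_proof` is checked against its own box's `proposition`, and conservation is enforced as strict equality. The transaction dict shape, the `tx_digest` encoding and the hash-lock proof stand-in (`hashlock_verify`, `make_proof`) are assumptions, since the page does not state the node's real proof scheme.

```python
import hashlib
import hmac
import json

class TxInvalid(Exception):
    pass

def proposition_for(secret: bytes) -> str:
    return hashlib.sha256(secret).hexdigest()

def tx_digest(tx: dict) -> bytes:
    # Bytes the spending proof commits to (assumed encoding); proofs themselves are excluded.
    body = {"in": [i["box_id"] for i in tx["inputs"]], "out": tx["outputs"], "fee": tx["fee"]}
    return hashlib.sha256(json.dumps(body, sort_keys=True).encode()).digest()

def validate_transaction(tx: dict, utxo_set: dict, verify) -> int:  # input_total or TxInvalid
    ids = [i["box_id"] for i in tx["inputs"]]
    if len(set(ids)) != len(ids):              # fix 4: duplicates rejected up front
        raise TxInvalid("duplicate input box_id")
    for o in tx["outputs"]:                    # fix 3: value_nrtc must be > 0
        if not isinstance(o["value_nrtc"], int) or o["value_nrtc"] <= 0:
            raise TxInvalid("non-positive output value")
    digest, input_total = tx_digest(tx), 0
    for inp in tx["inputs"]:
        box = utxo_set.get(inp["box_id"])
        if box is None:
            raise TxInvalid("unknown or already spent input")
        if not verify(box["proposition"], inp["spending_proof"], digest):
            raise TxInvalid("spending_proof does not satisfy proposition")  # fix 1
        input_total += box["value_nrtc"]
    out_total = sum(o["value_nrtc"] for o in tx["outputs"])
    if tx["fee"] < 0 or out_total + tx["fee"] != input_total:  # fix 2: strict equality
        raise TxInvalid("conservation violated")
    return input_total

def hashlock_verify(proposition: str, proof: str, digest: bytes) -> bool:
    # Toy stand-in (assumption): the proof reveals the secret behind the proposition
    # plus a MAC over the digest. A real node plugs in its signature scheme here.
    try:
        secret_hex, mac_hex = proof.split(":")
        secret = bytes.fromhex(secret_hex)
    except ValueError:
        return False
    if proposition_for(secret) != proposition:
        return False
    expected = hmac.new(secret, digest, hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected.encode(), mac_hex.encode())

def make_proof(secret: bytes, tx: dict) -> str:
    return secret.hex() + ":" + hmac.new(secret, tx_digest(tx), hashlib.sha256).hexdigest()
```

Because the digest excludes the proofs, a proof can be attached after the rest of the transaction is built; the sample values below are constructed, with amounts in nRTC as in the PR.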
@github-actions

github-actions bot commented Apr 4, 2026

Welcome to RustChain! Thanks for your first pull request.

Before we review, please make sure:

  • Your PR has a BCOS-L1 or BCOS-L2 label
  • New code files include an SPDX license header
  • You've tested your changes against the live node

Bounty tiers: Micro (1-10 RTC) | Standard (20-50) | Major (75-100) | Critical (100-150)

A maintainer will review your PR soon. Thanks for contributing!

@github-actions github-actions bot added BCOS-L1 Beacon Certified Open Source tier BCOS-L1 (required for non-doc PRs) node Node server related size/L PR: 201-500 lines labels Apr 4, 2026
@zhuzhushiwojia

Comprehensive security audit! The test cases for the vulnerabilities are well documented.

Feedback:

  • Good coverage of edge cases
  • The failing test cases clearly demonstrate the issues
  • Consider adding remediation suggestions for each finding

Good work! ✅
