Skip to content

Security audit fixes: Phase 1-3 + cross-review (GSDK-001~027, part of ~117 cross-repo findings)#595

Open
Richard1048576 wants to merge 10 commits intomainfrom
bugfix/security-fixes-phase3
Open

Security audit fixes: Phase 1-3 + cross-review (GSDK-001~027, part of ~117 cross-repo findings)#595
Richard1048576 wants to merge 10 commits intomainfrom
bugfix/security-fixes-phase3

Conversation

@Richard1048576
Copy link
Copy Markdown
Contributor

@Richard1048576 Richard1048576 commented Mar 5, 2026
edited
Loading

Summary

Phase 1 Fixes (2026-02-23 Audit, 5 findings — all fixed)

  • GSDK-001/002 (HIGH): Move /set_failpoint and /mem_prof behind authenticated admin endpoints
  • GSDK-003 (MEDIUM): Move DKG/consensus endpoints from HTTP to HTTPS
  • GSDK-004/005: Fix SSRF via DNS bypass in sentinel probe URL validation

Phase 2 Audit Report (2026-02-28, GSDK-006~016 — tracked separately)

Phase 3 Audit + Fixes (2026-03-05, GSDK-017~027)

11 findings, 10 valid and implemented:

Severity Total Valid Implemented
HIGH 2 2 2
MEDIUM 4 4 4
LOW 5 4 4
Total 11 10 10

HIGH fixes:

  • GSDK-017: Merge latest_epoch_change_block_number (eliminate nested mutex deadlock)
  • GSDK-018: CancellationToken per epoch for stale block cleanup

MEDIUM fixes:

  • GSDK-019: Metrics for silently dropped blocks
  • GSDK-020: Track discarded blocks by state during epoch transition
  • GSDK-021: Fix TOCTOU in consume_epoch_change
  • GSDK-022: Retry logic with consecutive error counting

Cross-Module Context

This PR is part of a cross-repo security audit covering gravity-reth, grevm, gravity-aptos, gravity-sdk, and core Solidity contracts. The full cross-review identified ~117 unique findings across all repositories.

Key cross-repo concerns affecting gravity-sdk:

  • GCEI protocol boundary: Serialization format mismatches between Solidity→gravity-reth→gravity-sdk→gravity-aptos (3 BCS deviations found)
  • JWK pipeline: process_jwk_update in state_computer.rs has chained .unwrap() calls (GCEI-D-002, CRITICAL)
  • DKG transcript: bcs::to_bytes(&transcript).unwrap() in state_computer.rs (GCEI-D-005, HIGH)
  • JWK signature not verified: TODO comment at state_computer.rs:280 (GCEI-D-011, MEDIUM)

Dependencies

  • tokio-util added for CancellationToken (GSDK-018)

Test plan

  • Code compiles
  • cargo test --workspace --exclude smoke-test
  • E2E test with epoch transition scenarios
  • Verify nested mutex elimination under high contention

🤖 Generated with Claude Code

@Richard1048576 Richard1048576 changed the title Security audit fixes: Phase 1 + Phase 3 implementation (GSDK-001~027) Security audit fixes: Phase 1-3 + cross-review (GSDK-001~027, part of ~117 cross-repo findings) Mar 5, 2026
zz and others added 10 commits March 10, 2026 15:45
@claude
docs: add security audit report and design document for 4 findings
665606a 
Security audit report covering GSDK-001 through GSDK-004:
- 2 HIGH (unauthenticated failpoint/mem_prof endpoints)
- 2 MEDIUM (plaintext HTTP for consensus data, sentinel SSRF)

Design document details the fix approach for each finding.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
@claude
docs: add GSDK-005 DNS bypass finding to security audit report
79ac5f2 
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
@claude
ci: add Claude Code security review GitHub Action
354ba57 
Adds automated security review on PRs using anthropics/claude-code-security-review.
Runs on non-draft PRs, uses claude-sonnet-4-6, excludes docs/gravity_e2e/cluster/examples/.github.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
ci: enable run-every-commit and full fetch depth for security review
9982b4a
@Lchangliang
docs: add review comments to security fixes design doc
1237e3b
@nekomoto911
docs: add round 2 security audit report and fixes design (#585)
582cc08 
Security audit round 2 for gravity-sdk, 11 findings (GSDK-006 to
GSDK-016):
- GSDK-006/007/008 (HIGH): unwrap panics in consensus loops, relayer,
mempool
- GSDK-009/010/011/012/013 (MEDIUM): verbose errors, config race, no
rate limiting, webhook SSRF, ensure_https bypass
- GSDK-014/015/016 (LOW): address parse, ReDoS, glob injection
@Lchangliang
docs: add review comments for GSDK-009, GSDK-011, GSDK-013
7bd14f8
@Lchangliang
docs: add review comments for all GSDK findings
dd3be28
@Richard1048576 @claude
docs: add Phase 2 security audit report (2026-03-05)
61caf38 
Multi-agent parallel audit identified 11 new findings in the BlockBufferManager
state machine, GCEI protocol, and RethCli coordinator bridge. Includes 2 HIGH
(nested mutex, epoch transition waste), 4 MEDIUM, and 5 LOW severity issues
not covered in the 2026-02-23 or 2026-02-28 audits.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
@claude
docs: remove 1 invalid finding from Phase 3 audit report
e53b58a 
Removed GSDK-025 (two-phase epoch update — no observation window,
mutex provides atomicity). Renumbered GSDK-026/027 to GSDK-025/026.
Updated counts: 11→10.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
@Richard1048576 Richard1048576 force-pushed the bugfix/security-fixes-phase3 branch from 92b2204 to e53b58a Compare March 10, 2026 07:45
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

1 more reviewer

@khalidbalosh211-ux khalidbalosh211-ux khalidbalosh211-ux approved these changes

Reviewers whose approvals may not affect merge requirements

At least 1 approving review is required to merge this pull request.

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

4 participants

@Richard1048576 @khalidbalosh211-ux @Lchangliang @nekomoto911