Security audit: 31 findings in gravity-aptos (GAPTOS-001 through GAPTOS-023)#45
Open
Richard1048576 wants to merge 1 commit into aptos-node from
Internal security audit of Gravity-specific changes (~54 commits) identified:

- 1 CRITICAL: NewEpochEvent serialization mismatch (serde_json vs BCS)
- 5 HIGH: Noise handshake peer_id validation removed, DKG config hardcoded, unwrap panics in validator set and DKG conversion, JWK type panic
- 8 MEDIUM: todo!() in consensus, LedgerInfo hash fields, JWK provider GC, JWK sort disabled globally, X25519 RNG ignored, key material logged, network address silent fallback, config deserialization TODO
- 9 LOW + 8 INFO: ChainId parsing, validation, logging, documentation

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
Summary

Internal security audit of Gravity-specific changes (~54 commits on top of Aptos) identified 31 findings across consensus, DKG, networking, mempool, JWK, API, relayer, IDL, config, and crypto modules.

- Critical: `NewEpochEvent` serialization mismatch: `serde_json::to_vec()` used for serialization but `bcs::from_bytes()` used for deserialization — epoch transitions will fail
- High: DKG randomness config hardcoded to 0 (bypasses on-chain emergency disable), `unwrap()` panics in validator set deserialization and DKG conversion (crash on malformed data), `panic!()` on unknown JWK type (DoS vector)
- Medium: `todo!()` in consensus RoundProposer path, LedgerInfo hash field determinism, JWK provider garbage collection missing, JWK sort disabled globally (not just gravity://), X25519 key generation ignores RNG, sensitive data logged at debug level, network address silent fallback, consensus config deserialization TODO
- Low / Info: panics, IDL round-trip data loss, logging, config validation, documentation

Changes

Documentation (2 files, +463):

- `docs/security/2026-02-26-security-audit-report.md` — Full audit report
- `docs/security-fix-checklist.md` — Tracking checklist with cross-repo concerns

Key Findings

Cross-Repository Concerns

Test plan

- `cargo test -p aptos-consensus` — consensus unit tests
- `cargo test -p aptos-dkg` — DKG tests
- `cargo test -p aptos-network` — network handshake tests
- `cargo test -p aptos-types` — type serialization tests
- `cargo test -p aptos-jwk-consensus` — JWK tests

🤖 Generated with Claude Code
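As an added illustration, not code from this PR or from gravity-aptos: a minimal model of the critical finding, where the producer encodes with JSON and the consumer decodes with BCS. The struct shape (`epoch: u64`), the hand-rolled 8-byte little-endian BCS layout and the strict no-trailing-bytes rule are assumptions standing in for the real `NewEpochEvent` and the `bcs` crate; the encode/decode round-trip shown here is the kind of unit test that catches this class of mismatch before it reaches an epoch transition.

```rust
// Added example; the struct and the BCS subset below are assumptions
// chosen so that the example runs without external crates.

#[derive(Debug, Clone, Copy, PartialEq, Eq)]
pub struct NewEpochEvent {
    pub epoch: u64,
}

#[derive(Debug, PartialEq, Eq)]
pub enum DecodeError {
    /// BCS is a fixed-layout format: a u64 field is exactly 8 bytes, nothing else.
    WrongLength { expected: usize, actual: usize },
}

/// BCS encoding of a struct with one u64 field: 8 little-endian bytes.
pub fn bcs_encode(ev: &NewEpochEvent) -> Vec<u8> {
    ev.epoch.to_le_bytes().to_vec()
}

/// BCS decoding is strict: wrong length (too short, or trailing bytes) is an error.
pub fn bcs_decode(bytes: &[u8]) -> Result<NewEpochEvent, DecodeError> {
    if bytes.len() != 8 {
        return Err(DecodeError::WrongLength { expected: 8, actual: bytes.len() });
    }
    let mut arr = [0u8; 8];
    arr.copy_from_slice(bytes);
    Ok(NewEpochEvent { epoch: u64::from_le_bytes(arr) })
}

/// The buggy encoder side: a JSON text document such as {"epoch":7}.
pub fn json_encode(ev: &NewEpochEvent) -> Vec<u8> {
    format!("{{\"epoch\":{}}}", ev.epoch).into_bytes()
}

/// Before the fix: JSON bytes are produced, BCS decoding is attempted on the other side.
pub fn buggy_round_trip(ev: &NewEpochEvent) -> Result<NewEpochEvent, DecodeError> {
    bcs_decode(&json_encode(ev))
}

/// After the fix: both sides agree on BCS, so the event survives the round trip.
pub fn fixed_round_trip(ev: &NewEpochEvent) -> Result<NewEpochEvent, DecodeError> {
    bcs_decode(&bcs_encode(ev))
}

fn main() {
    let ev = NewEpochEvent { epoch: 7 };
    println!("buggy: {:?}", buggy_round_trip(&ev)); // Err(WrongLength { expected: 8, actual: 11 })
    println!("fixed: {:?}", fixed_round_trip(&ev)); // Ok(NewEpochEvent { epoch: 7 })
}
```

The same round-trip assertion, applied to every type that crosses a serialization boundary, is the regression test to add alongside the fix.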