
Security audit: 31 findings in gravity-aptos (GAPTOS-001 through GAPTOS-023)#45

Open
Richard1048576 wants to merge 1 commit into aptos-node from security-audit-fixes

Conversation

@Richard1048576

Summary

Internal security audit of Gravity-specific changes (~54 commits on top of Aptos) identified
31 findings across consensus, DKG, networking, mempool, JWK, API, relayer, IDL, config, and
crypto modules.

  • 1 CRITICAL — NewEpochEvent serialization mismatch: serde_json::to_vec() used for
    serialization but bcs::from_bytes() used for deserialization — epoch transitions will fail
  • 5 HIGH — Noise handshake peer_id validation removed (peer spoofing on VFN/Public networks),
    DKG randomness config hardcoded to 0 (bypasses on-chain emergency disable), unwrap() panics
    in validator set deserialization and DKG conversion (crash on malformed data), panic!() on
    unknown JWK type (DoS vector)
  • 8 MEDIUM — todo!() in consensus RoundProposer path, LedgerInfo hash field determinism,
    JWK provider garbage collection missing, JWK sort disabled globally (not just gravity://),
    X25519 key generation ignores RNG, sensitive data logged at debug level, network address
    silent fallback, consensus config deserialization TODO
  • 9 LOW + 8 INFO — ChainId parsing, field validation, PartialEq inconsistency, OnceLock
    panics, IDL round-trip data loss, logging, config validation, documentation

Changes

Documentation (2 files, +463):

  • docs/security/2026-02-26-security-audit-report.md — Full audit report
  • docs/security-fix-checklist.md — Tracking checklist with cross-repo concerns

Key Findings

| ID | Severity | Module | Issue |
| --- | --- | --- | --- |
| GAPTOS-001 | CRITICAL | Types | NewEpochEvent serde_json vs BCS mismatch |
| GAPTOS-002 | HIGH | Network | Noise handshake peer_id check removed |
| GAPTOS-003 | HIGH | DKG | Randomness config hardcoded, TODO |
| GAPTOS-004 | HIGH | IDL | ValidatorSet deserialization unwrap() |
| GAPTOS-005 | HIGH | DKG | DKG validator conversion unwrap() |
| GAPTOS-006 | HIGH | Types | Unknown JWK type causes panic!() |

Cross-Repository Concerns

| Finding | Repos Affected |
| --- | --- |
| GAPTOS-001 | gravity-aptos ↔ gravity-sdk (epoch transitions) |
| GAPTOS-003 | gravity-aptos ↔ gravity-reth (on-chain config) |
| GAPTOS-008 | gravity-aptos ↔ gravity-sdk (consensus signing) |
| GAPTOS-014 | gravity-aptos ↔ gravity-reth (config format) |

Test plan

  • cargo test -p aptos-consensus — consensus unit tests
  • cargo test -p aptos-dkg — DKG tests
  • cargo test -p aptos-network — network handshake tests
  • cargo test -p aptos-types — type serialization tests
  • cargo test -p aptos-jwk-consensus — JWK tests
  • Verify epoch transitions work end-to-end

🤖 Generated with Claude Code
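Added illustration of the GAPTOS-001 class of bug (this is editor-supplied example code, not code from this PR or from gravity-aptos): a minimal hand-written BCS codec for a hypothetical event with an assumed layout (u64 epoch, then a Vec<String> with ULEB128 length prefixes; the real NewEpochEvent fields are not given on the page), showing that bytes produced by a JSON serializer are rejected by a strict BCS decoder while a BCS round-trip succeeds. Sample values are constructed.

```python
import json
import struct
# Assumed simplified layout (not the real NewEpochEvent): epoch u64 LE, validators Vec<String>, ULEB128 length prefixes.
def uleb128_encode(n):
    out = bytearray()
    while n >= 0x80:
        out.append((n & 0x7F) | 0x80)
        n >>= 7
    out.append(n)
    return bytes(out)
def uleb128_decode(buf, pos):
    result, shift = 0, 0
    while True:
        if pos >= len(buf):
            raise ValueError("truncated ULEB128")
        b = buf[pos]
        pos += 1
        result |= (b & 0x7F) << shift
        if not b & 0x80:
            return result, pos
        shift += 7
def bcs_encode_event(epoch, validators):
    out = struct.pack("<Q", epoch) + uleb128_encode(len(validators))
    for name in validators:
        data = name.encode()
        out += uleb128_encode(len(data)) + data
    return out
def bcs_decode_event(buf):
    # Strict like bcs::from_bytes: every byte must be consumed.
    epoch = struct.unpack_from("<Q", buf, 0)[0]
    count, pos = uleb128_decode(buf, 8)
    validators = []
    for _ in range(count):
        n, pos = uleb128_decode(buf, pos)
        if pos + n > len(buf):
            raise ValueError("truncated string")
        validators.append(buf[pos:pos + n].decode())
        pos += n
    if pos != len(buf):
        raise ValueError("trailing bytes")
    return epoch, validators
def json_encode_event(epoch, validators):
    # Sender side as audited: JSON bytes (serde_json::to_vec equivalent).
    return json.dumps({"epoch": epoch, "validators": validators}).encode()
def try_decode(buf):
    # Event on success, None when the strict BCS receiver rejects the bytes.
    try:
        return bcs_decode_event(buf)
    except (ValueError, UnicodeDecodeError, struct.error):
        return None
```

A round-trip unit test of the form `try_decode(encode(event)) == event` on the real types is the check that would have caught the mismatch before it reached an epoch transition.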

Internal security audit of Gravity-specific changes (~54 commits) identified:
- 1 CRITICAL: NewEpochEvent serialization mismatch (serde_json vs BCS)
- 5 HIGH: Noise handshake peer_id validation removed, DKG config hardcoded,
  unwrap panics in validator set and DKG conversion, JWK type panic
- 8 MEDIUM: todo!() in consensus, LedgerInfo hash fields, JWK provider GC,
  JWK sort disabled globally, X25519 RNG ignored, key material logged,
  network address silent fallback, config deserialization TODO
- 9 LOW + 8 INFO: ChainId parsing, validation, logging, documentation

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>