Trail of Bits

MobileCoin BFT

Type: Security review
Client: MobileCoin
Date: 2020-10
Domain: Blockchain
Effort: 4 wks
Section: MobileCoin

Trail of Bits's security review of MobileCoin (Oct 2020) identified 14 issues: 2 high, 4 medium, 5 informational, and 3 undetermined.

Findings · 14

  1. Codebase relies on a crate with a RUSTSEC advisory (Medium)
  2. The RustCrypto-utils dependency is behind two commits that added validation (Informational)
  3. Insufficient validation of responder IDs (Informational)
  4. Assertion violation in Slot::out_msg (Undetermined)
  5. Arithmetic underflow in Slot::out_msg (Undetermined)
  6. Mesh tests fail sporadically in the presence of malicious nodes (High)
  7. Metamesh tests fail sporadically with certain parameters (Medium)
  8. The keygen binary saves keyfiles with overly broad permissions (High)
  9. Messages with incorrectly ordered values are not rejected (Informational)
  10. Some metrics counters are never updated (Informational)
  11. Potential denial of service due to excessive gRPC message-length limit (Medium)
  12. Broadcasting and then handling resolved messages may fail (Informational)
  13. The node's handle_messages function always returns an "Ok" result in the current codebase (Undetermined)
  14. Overly restrictive checks in Slot::check_prepare_phase_invariants (Medium)

Findings extracted from the published report PDF. See the full report below for details and remediation.