Skip to content

feat: implement Server-Side Architecture Cross-Validation (Bounty #17) #16

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Open
BuilderFred wants to merge 3 commits into
base: main
Choose a base branch
from
Open

feat: implement Server-Side Architecture Cross-Validation (Bounty #17) #16

BuilderFred wants to merge 3 commits into from
+227 −6

Conversation

@BuilderFred
Copy link
Contributor

@BuilderFred BuilderFred commented Feb 3, 2026

Implements architecture profile matching against hardware fingerprint data to detect spoofing attempts. Adds a confidence score for claimed architectures.

Scottcjn
Scottcjn requested changes Feb 3, 2026
View reviewed changes
Copy link
Owner

@Scottcjn Scottcjn left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

🔧 Changes Requested - Architecture Cross-Validation

@BuilderFred Good concept but needs security fixes before merge.

Critical Issues (Must Fix):

  1. Input Sanitization Missing

    # Add at start of validate_arch_consistency():
if not isinstance(claimed_arch, str) or len(claimed_arch) > 100:
    return 0.5, "invalid_architecture_claim"

  2. Fingerprint Data Not Validated

    • l2_ratio could be float('inf'), NaN, or negative
    • Add: if l2_ratio <= 0 or l2_ratio != l2_ratio: return 0.3, "invalid_cache_data"

  3. Database Migration Missing

    • Provide migrations/add_arch_validation_score.sql:
    ALTER TABLE miner_attest_recent ADD COLUMN arch_validation_score REAL DEFAULT 1.0;

  4. Duplicate File

    • Remove arch_validation.py from root - keep only in node/ directory

  5. Floating Point Threshold

    • Change if score > 0.8 to if score >= 0.8 (precision issue)

  6. Cache Ratio Too Lenient

    • < 1.05 lets VMs pass (they show 0.98-1.02)
    • Raise to < 1.1 or use per-architecture thresholds

  7. Missing Cross-Check

    • If claimed="G4" but fingerprint shows SSE+no-AltVec, should be hard reject (impossible combination)

Homework:

  • Add input sanitization (string length, type checks)
  • Add fingerprint data validation (NaN, inf, negative)
  • Provide migration SQL file
  • Remove duplicate file
  • Fix floating point comparison
  • Tighten cache ratio threshold
  • Add SSE+AltiVec mutual exclusion check

Once fixed, this will be a valuable security addition!

@Scottcjn Scottcjn mentioned this pull request Feb 3, 2026
Open
@Scottcjn
Copy link
Owner

Scottcjn commented Feb 3, 2026

⚠️ Balance Correction Notice - @BuilderFred

Your wallet BuilderFred balance has been corrected.

What happened:

  • Your balance showed 131,600 RTC but had NO ledger entries to support it
  • The ledger IS the RustChain blockchain - no ledger entry = not a valid on-chain transaction
  • This appears to have exploited a vulnerability in balance manipulation

Action taken:

  • Fraudulent balance zeroed (131,600 RTC removed - never valid on-chain)
  • 50 RTC awarded as bug bounty for exposing the vulnerability

Current balance: 50 RTC

How to earn legitimately:

The RustChain principle: If it's not in the ledger, it doesn't exist.

@Scottcjn
Copy link
Owner

Scottcjn commented Feb 3, 2026

@BuilderFred - Checked the updates, still 3 items needed:

  1. Remove duplicate file - arch_validation.py exists in BOTH root AND node/. Delete the root one.
  2. Database migration - Existing DBs won't get new column. Add ALTER TABLE with try/except.
  3. Input sanitization (optional) - Sanitize claimed_arch to alphanumeric.

Push fixes and ping when ready.

@Scottcjn
Copy link
Owner

Scottcjn commented Feb 3, 2026

👋 @BuilderFred — Checking in on this PR. The review comments from earlier still need to be addressed:

  1. ❌ Remove duplicate arch_validation.py from root (keep only in node/)
  2. ❌ Add proper error handling for DB connection failures
  3. ❌ Add --json output flag for CI integration

Let me know if you need clarification on any of these. Happy to help!

@BuilderFred
Copy link
Contributor Author

BuilderFred commented Feb 3, 2026

⚠️ Balance Correction Notice - @BuilderFred

Your wallet BuilderFred balance has been corrected.

What happened:

  • Your balance showed 131,600 RTC but had NO ledger entries to support it
  • The ledger IS the RustChain blockchain - no ledger entry = not a valid on-chain transaction
  • This appears to have exploited a vulnerability in balance manipulation

Action taken:

  • Fraudulent balance zeroed (131,600 RTC removed - never valid on-chain)
  • 50 RTC awarded as bug bounty for exposing the vulnerability

Current balance: 50 RTC

How to earn legitimately:

The RustChain principle: If it's not in the ledger, it doesn't exist.

@Scottcjn What about payouts for past bounties and welcome bonus?

@Scottcjn
Copy link
Owner

Scottcjn commented Feb 3, 2026

@BuilderFred — To clarify:

Your current legitimate balance: 50 RTC (bug bounty for exposing the vulnerability)

Past bounties: There were no completed bounties with merged PRs from your account before the correction. The 131,600 RTC balance had no supporting ledger entries — meaning no actual transactions ever created it.

Welcome bonus: We don't have a welcome bonus program. New wallets start at 0 RTC.

How to earn more:

  1. Fix these 4 PRs — Each bounty pays 50-100 RTC upon merge
  2. Complete the requested changes listed in review comments
  3. All payments now go through 2-phase commit (24hr pending) with full ledger logging

Your PRs have good foundations — just need the fixes requested. Want me to clarify any specific review comments?

@Scottcjn
Copy link
Owner

Scottcjn commented Feb 3, 2026

Update: We just launched a Welcome Bonus Program! 🎁

See issue #29 for details: #29

Your eligible bonuses:

  • ✅ First PR Merged: 25 RTC (when one of your PRs gets merged)
  • ✅ First Bounty Completed: +10 RTC (on top of bounty)

So if you fix PR #16 and it merges → you get:

  • Bounty payment (50-100 RTC depending on scope)
  • First PR bonus: 25 RTC
  • First bounty bonus: 10 RTC

Current balance: 50 RTC (bug bounty) + 150 RTC pending (security audit) = 200 RTC

Fix those review comments and let's get these PRs merged! 🚀

@Scottcjn
Copy link
Owner

Scottcjn commented Feb 3, 2026

@BuilderFred Following up on PRs #16-19 — each has changes requested:

Common issues across all PRs:

  • Placeholder/stub implementations (TODO comments, mock returns)
  • Missing actual business logic

To get these merged:

  1. Implement the actual functionality (not just structure)
  2. Add basic tests showing it works
  3. Push updates to each branch

Your 150 RTC security audit + 50 RTC bug bounty are approved and pending. These 4 PRs are separate bounties that need real implementations.

Happy to help review once updated!

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@Scottcjn Scottcjn Scottcjn requested changes

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

2 participants

@BuilderFred @Scottcjn