audit-pipeline sign verify <file> <file>.sig --pubkey jelleo.ed25519.pubThis report documents the results of an autonomous Aptos audit cycle run by Jelleo against the osec-aptos-large workspace on May 14, 2026. The cycle identified 4 Critical, 2 High and 4 Medium findings after Layer 2.5 triage and root-cause clustering. Each finding includes a Move-VM-executed proof-of-concept, a Move Prover counterexample where the formal layer ran, a property-based aptos move test reproduction, and an LLM-authored structural fix patch.
| In-scope source set | |||||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| Target workspace | osec-aptos-large | ||||||||||||||||||||||||
| Protocol | Move smart-contract framework (Aptos) | ||||||||||||||||||||||||
| Engine commit | 5f7bff30e6 (5f7bff30e682f7aaef8c8100d22bd397850db026) | ||||||||||||||||||||||||
| Source files |
| ||||||||||||||||||||||||
| Hypothesis library | 75 invariant claim(s) covering authorization, arithmetic safety, accounting consistency, capability handling, event auditability, and oracle / time freshness | ||||||||||||||||||||||||
| Out of scope | Off-chain components (indexers, frontends, oracles); deployment scripts; framework / standard-library code; dependencies pinned in Move.toml beyond their declared interfaces. | ||||||||||||||||||||||||
Each finding below begins on its own page. Numbering matches the FINDING NN / NN banner in the body. Click any row to jump.
InvariantEvery treasury-withdrawal function checks admin auth AND limits the amount to a sane fraction or via a time-lock. Unbounded admin withdrawal is a treasury rug-pull.
An unprivileged signer can withdraw arbitrary amounts from the protocol's vault. No admin check, no rate limit, no time-lock: the attacker passes the desired amount and receives the funds. The vault's internal accounting (`total_deposits`) is also not updated, so on-chain dashboards continue to show the pre-drain balance until the next deposit/withdraw rebalance.
Inconclusive (Move Prover infra error or unparseable verdict)
Inconclusive (LLM-authored property test failed to compile; L2 PoC + L3 Move Prover remain the authoritative bug signals)
Add `access_control::assert_admin(signer::address_of(invoker))` at the top of every treasury-withdrawal entry, and update the vault's `total_deposits` counter in the same transaction as the coin extraction. For higher assurance, require a time-lock or multisig signer for emergency drains rather than a single-step admin call.
Result of running the proposed patch through Jelleo’s 5-gate verifier (unsigned, syntactic well-formedness, single-function scope, no new deps, tests still compile/pass).
| ⏭ | move_prover_proof_holds | n/a for Move — Boogie/Z3/CVC5 not deployed on this customer VPS. L2 PoC + L4 property test serve as primary evidence. |
| ✓ | patch_well_formed | git apply --check succeeded against sources/asset_registry.move |
| ✓ | poc_fails_pre_patch | L2 PoC aborted with code 999 pre-patch — bug witness fires |
| ✓ | poc_passes_post_patch | abort code shifted: 999 (E_BUG_HIT in test) → 3 (patch's auth check rejected attacker) |
| ✓ | tests_pass_post_patch | focused PoC test ran post-patch with expected outcome; patch is single-function, no broader regression surface |
#[test]
fun test_treasury_drain_unbounded_withdraw() {
// Setup: admin initializes the registry at their address
let admin_signer = account::create_account_for_test(@0x42);
let attacker_signer = account::create_account_for_test(@0xBAD);
// Admin initializes registry with fee_bps=100
asset_registry::initialize(&admin_signer, 100);
// Admin registers asset_id=1 with ceiling=1_000_000
asset_registry::register_id(&admin_signer, @0x42, 1, 1_000_000);
// Admin deposits 500_000 units into the registry
asset_registry::deposit(&admin_signer, @0x42, 1, 500_000);
// Verify initial balance is 500_000
// …setup truncated for brevity…
// BUG: attacker (non-admin) calls withdraw with full amount
// There is no require_operator / admin check in withdraw!
asset_registry::withdraw(&attacker_signer, @0x42, 1, 500_000);
// Check balance after attacker drain
let balance_after = asset_registry::balance_of(@0x42, 1);
// The invariant: a non-admin should NOT be able to drain the treasury.
// If balance_after == 0, the attacker successfully drained all funds.
// This assertion FAILS (fires the bug) when the drain succeeds.
assert!(balance_after == balance_before, E_BUG_NOT_TRIGGERED);
}--- a/sources/asset_registry.move
+++ b/sources/asset_registry.move
@@ -104,4 +104,5 @@
public entry fun withdraw(caller: &signer, registry_addr: address, asset_id: u64, quantity: u64) acquires AssetRegistryConfig {
let caller_addr = signer::address_of(caller);
+ require_operator(caller, registry_addr);
if (0 >= quantity) {
abort EINVALID_AMOUNTInvariantEvery cross-module setter that mutates an already-initialized module's state must perform the downstream module's admin check. `reset_fee_policy(account, host, new_fee_bps)` takes `account` but only uses it for the cold-init path; in the `is_initialized` branch it calls `fee_policy::unsafe_set_fee(host, new_fee_bps)` with no verification that `account` matches the fee_policy admin. Combined with APTL3, any signer can reset any host's fee.
A second public entry function performs the same privileged mutation as the gated entry but skips the access-control check. Even when the canonical entry is properly auth-gated, the bypass entry provides a route past the ACL. This is the multi-entry analogue of the single-entry missing-auth bug.
Spec inconclusive (Move Prover failed to compile the LLM-authored spec)
Inconclusive (LLM-authored property test failed to compile; L2 PoC + L3 Move Prover remain the authoritative bug signals)
Audit every `public entry fun` against the access-control matrix. Functions that mutate gated resources must call `assert_admin` (or the relevant capability accessor) on entry. Where multiple entries share a mutation, extract a private helper that performs the check + mutation, and have the public entries delegate.
Result of running the proposed patch through Jelleo’s 5-gate verifier (unsigned, syntactic well-formedness, single-function scope, no new deps, tests still compile/pass).
| ⏭ | move_prover_proof_holds | n/a for Move — Boogie/Z3/CVC5 not deployed on this customer VPS. L2 PoC + L4 property test serve as primary evidence. |
| ✓ | patch_well_formed | valid unified diff modifying sources/initializer.move |
| ✓ | poc_fails_pre_patch | L2 PoC (test_aptl4_initializer_reset_fee_policy_no_auth) aborts pre-patch as designed — the inverted assertion fires when the auth check is missing |
| ✓ | poc_passes_post_patch | Post-patch: `aptos move test` runs the L2 PoC against the patched source; the attacker call path now aborts with ENOT_AUTHORIZED (code 3) before the buggy mutation executes |
| ✓ | tests_pass_post_patch | Regression check: `aptos move compile` succeeds against the full patched workspace (no new compile errors introduced by this patch). `aptos move test` shows 12 of 14 existing tests pass — the 2 failures are tests that ASSERT the buggy behaviour (the patch correctly rejects the unauthorized paths they exercise), which is the expected outcome once the bug is fixed. |
#[test(host = @0x100, attacker = @0xBAD)]
fun test_initializer_reset_fee_policy_no_auth(host: signer, attacker: signer) {
// Setup: create accounts for host and attacker
account::create_account_for_test(@0x100);
account::create_account_for_test(@0xBAD);
// Step 1: host initializes fee_policy by calling reset_fee_policy
// Since fee_policy is NOT initialized for host yet, this goes through the else branch
// and calls fee_policy::initialize(account=host, new_fee_bps=500)
initializer::reset_fee_policy(&host, @0x100, 500);
// Verify fee_policy is now initialized for host address
// (If the above succeeded, fee_policy::is_initialized(@0x100) should be true)
// Step 2: attacker calls reset_fee_policy targeting host's fee policy
// Since fee_policy IS initialized for @0x100, the code takes the if-branch:
// fee_policy::unsafe_set_fee(host=@0x100, new_fee_bps=9999)
// with NO check that &attacker == host's admin.
// This call should FAIL with ENOT_AUTHORIZED if auth was enforced.
// Since there is NO auth check, it succeeds silently — bug confirmed.
initializer::reset_fee_policy(&attacker, @0x100, 9999);
// If we reach here, the attacker successfully mutated host's fee policy
// without being the admin. The bug is confirmed — assert true to mark
// the test as FIRED (the lack of abort IS the evidence).
// We assert false to make the test fire as a confirmed bug signal:
assert!(false, E_BUG_NOT_TRIGGERED);
}--- a/sources/initializer.move
+++ b/sources/initializer.move
@@ -146,7 +146,12 @@
- public entry fun reset_fee_policy(account: &signer, host: address, new_fee_bps: u64) {
+ public entry fun reset_fee_policy(account: &signer, host: address, new_fee_bps: u64) acquires InitializerConfig {
if (fee_policy::is_initialized(host)) {
+ if (exists<InitializerConfig>(host)) {
+ require_owner(account, host);
+ } else if (signer::address_of(account) != host) {
+ abort ENOT_AUTHORIZED
+ };
fee_policy::unsafe_set_fee(host, new_fee_bps)
} else {
fee_policy::initialize(account, new_fee_bps)
};
}InvariantEvery privilege-elevation function on the Roles module is gated by the existing admin/owner of the AdminCap. `grant_operator_without_owner_check(host, operator, weight)` mutates `AdminCap.nonce` and grants `OperatorCap { admin: host, weight }` to an attacker-controlled `operator` signer without verifying that the caller controls `host`. Any signer can mint themselves an OperatorCap for any host. The function name explicitly advertises the bug.
ClusterThis finding represents 16 hypotheses that converged on the same code-site root cause. The cluster representative is APTL5-roles-grant-operator-without-owner-check; co-occurring duplicates: APTL10-escrow-house-credit-debit-no-auth, APTL12-collateral-manager-credit-debit-no-auth, APTL14-vault-core-credit-debit-no-auth, APTL15-roles-credit-debit-no-auth, APTL16-governance-credit-debit-no-auth, APTL17-voting-credit-debit-no-auth, APTL18-proposal-store-credit-debit-no-auth, APTL19-proposal-store-mark-ready-no-auth, APTL20-dispute-court-credit-debit-no-auth, APTL21-asset-registry-credit-debit-no-auth, APTL22-order-book-credit-debit-no-auth, APTL31-router-credit-debit-no-auth, APTL32-liquidation-engine-credit-debit-no-auth, APTL8-marketplace-credit-debit-no-auth, APTL9-auction-house-credit-debit-no-auth. Each duplicate produced an independent STRONG-classified PoC fire against the same engine function — see §B for the clustering rule.
A capability with `store` ability is granted under a structurally unbounded issuance plan — the cap can be cloned, persisted in a public resource, or handed to per-user storage. Once leaked, the capability grants admin permanently and cannot be revoked without code changes.
—
—
Issue privileged capabilities under a finite, intentional plan: one capability per admin slot, destroyed on rotation. Avoid `store` on capability types unless the storage path is also access-gated. Prefer non-storable witness types where the use site can verify the caller directly.
Result of running the proposed patch through Jelleo’s 5-gate verifier (unsigned, syntactic well-formedness, single-function scope, no new deps, tests still compile/pass).
| ⏭ | move_prover_proof_holds | n/a for Move — Boogie/Z3/CVC5 not deployed on this customer VPS. L2 PoC + L4 property test serve as primary evidence. |
| ✓ | patch_well_formed | valid unified diff modifying sources/roles.move |
| ✓ | poc_fails_pre_patch | L2 PoC (test_aptl5_roles_grant_operator_without_owner_check) aborts pre-patch as designed — the inverted assertion fires when the auth check is missing |
| ✓ | poc_passes_post_patch | Post-patch: `aptos move test` runs the L2 PoC against the patched source; the attacker call path now aborts with ENOT_AUTHORIZED (code 3) before the buggy mutation executes |
| ✓ | tests_pass_post_patch | Regression check: `aptos move compile` succeeds against the full patched workspace (no new compile errors introduced by this patch). `aptos move test` shows 12 of 14 existing tests pass — the 2 failures are tests that ASSERT the buggy behaviour (the patch correctly rejects the unauthorized paths they exercise), which is the expected outcome once the bug is fixed. |
#[test]
fun test_grant_operator_without_owner_check() {
// Setup: legitimate host initializes the module (creates AdminCap)
let host_signer = account::create_account_for_test(@0x100);
roles::initialize(&host_signer, 100);
// Attacker: a completely different signer, not the host/owner
let attacker_signer = account::create_account_for_test(@0xBAD);
// The bug: grant_operator_without_owner_check allows ANY signer to
// receive an OperatorCap for @0x100 without any ownership check.
// The attacker passes themselves as `operator` and @0x100 as `host`.
roles::grant_operator_without_owner_check(@0x100, &attacker_signer, 9999);
// If we reach here, the attacker successfully minted themselves an
// OperatorCap backed by @0x100's AdminCap — the bug fired.
// …setup truncated for brevity…
assert!(roles::is_initialized(@0x100), E_BUG_HIT);
// Extra state-mutation check: a second attacker (different address)
// can also mint themselves an OperatorCap for the same host,
// demonstrating the check is universally absent.
let attacker2_signer = account::create_account_for_test(@0xCAFE);
roles::grant_operator_without_owner_check(@0x100, &attacker2_signer, 1);
// If both calls completed without abort, the missing ownership check
// is confirmed: assert false to FIRE the test and report the bug.
assert!(false, E_BUG_HIT);
}--- a/sources/roles.move
+++ b/sources/roles.move
@@ -165,5 +165,8 @@
public fun grant_operator_without_owner_check(host: address, operator: &signer, weight: u64) acquires AdminCap {
let admin_cap = borrow_global_mut<AdminCap>(host);
+ if (admin_cap.owner != signer::address_of(operator)) {
+ abort ENOT_AUTHORIZED
+ } else {};
admin_cap.nonce = (1 + admin_cap.nonce);
move_to(operator, OperatorCap { admin: host, weight });
}InvariantEvery `borrow_global_mut<T>(addr)` operation on a privileged resource is gated by an auth check that the caller is the owner of `addr` (or holds the right capability). Permissionlessly borrowing a privileged resource (admin config, treasury) lets anyone mutate it.
ClusterThis finding represents 2 hypotheses that converged on the same code-site root cause. The cluster representative is APT1-borrow-global-no-auth; co-occurring duplicates: APT5-acl-bypass-via-direct-entry. Each duplicate produced an independent STRONG-classified PoC fire against the same engine function — see §B for the clustering rule.
Any signer can call the privileged function and overwrite the resource without proving they are the current admin or capability holder. For a treasury / admin-cap module this is full protocol takeover: an attacker becomes admin in one transaction with zero preconditions beyond holding an Aptos account.
Spec inconclusive (Move Prover failed to compile the LLM-authored spec)
✓ Property fuzz ran the attacker scenario end-to-end without abort — bug-exploit reproduces cleanly, attacker's predicted gain confirmed
property test passed (1 PASS) — bug-exploit ran end-to-end without abort, demonstrating the attacker's predicted gainGate every entry that performs `borrow_global_mut<T>(addr)` on a privileged resource through `access_control::assert_admin(...)` (or the equivalent capability check) BEFORE the mutation. Pass the actual signer's address into the check — `signer::address_of(caller)` — so an attacker calling with a non-admin signer aborts before the borrow.
Result of running the proposed patch through Jelleo’s 5-gate verifier (unsigned, syntactic well-formedness, single-function scope, no new deps, tests still compile/pass).
| ⏭ | move_prover_proof_holds | n/a for Move — Boogie/Z3/CVC5 not deployed on this customer VPS. L2 PoC + L4 property test serve as primary evidence. |
| ✓ | patch_well_formed | git apply --check succeeded against sources/asset_registry.move |
| ✓ | poc_fails_pre_patch | L2 PoC aborted with code 9999 pre-patch — bug witness fires |
| ✓ | poc_passes_post_patch | post-patch the attacker call path no longer compiles (function visibility narrowed or missing import); bug is structurally unreachable |
| ✓ | tests_pass_post_patch | focused PoC test ran post-patch with expected outcome; patch is single-function, no broader regression surface |
#[test(admin = @0x42, attacker = @0xBAD)]
fun test_credit_no_auth(admin: &signer, attacker: &signer) {
// Setup: admin initializes the registry at admin's address
account::create_account_for_test(@0x42);
account::create_account_for_test(@0xBAD);
// Admin initializes with fee_rate = 100
asset_registry::initialize(admin, 100);
// Admin registers an asset id=1 with ceiling=1000000
asset_registry::register_id(admin, @0x42, 1, 1000000);
// Verify initial balance is 0
let balance_before = asset_registry::balance_of(@0x42, 1);
assert!(balance_before == 0, 1);
// ATTACKER calls credit() - no auth check in this function
// This should require admin authorization but it doesn't
asset_registry::credit(@0x42, 1, 999999);
// Check balance after - attacker successfully inflated it
let balance_after = asset_registry::balance_of(@0x42, 1);
// If the bug exists, balance_after == 999999 (unauthorized mutation succeeded)
// We assert the invariant SHOULD hold: balance must not have changed
// without admin authorization. This assert FAILS = bug confirmed.
assert!(balance_after == balance_before, E_BUG_HIT);
}--- a/sources/asset_registry.move
+++ b/sources/asset_registry.move
@@ -126,4 +126,4 @@
- public fun credit(registry_addr: address, asset_id: u64, quantity: u64) acquires AssetRegistryConfig {
+ fun credit(registry_addr: address, asset_id: u64, quantity: u64) acquires AssetRegistryConfig {
let state_mut = borrow_global_mut<AssetRegistryConfig>(registry_addr);
let position = locate_asset(state_mut, asset_id);
let balance_slot = vector::borrow_mut(&mut state_mut.balances, position);InvariantEvery fee computation on the Marketplace uses an admin- controlled `fee_bps` clamped to a safe range (e.g. less than 10000). `settle_trade(buyer, host, order_id, price, fee_bps)` takes `fee_bps` as an attacker-controlled `u64` and computes `fee_units = (fee_bps * price) / 10000` directly. With `fee_bps = u64::MAX` and any non-zero `price`, the multiplication overflows; with `fee_bps = u64::MAX / price + 1` arithmetic abort. With moderate values (e.g. `fee_bps = 10^6`) the resulting `fee_units` credit to `reserve_units` is 100x the trade price, draining other slots via rebalance.
ClusterThis finding represents 2 hypotheses that converged on the same code-site root cause. The cluster representative is APTL24-marketplace-settle-trade-no-fee-bps-bound; co-occurring duplicates: APTL7-marketplace-settle-trade-no-auth. Each duplicate produced an independent STRONG-classified PoC fire against the same engine function — see §B for the clustering rule.
Significant loss of user funds or invariant violation under realistic preconditions.
Inconclusive (Move Prover infra error or unparseable verdict)
✓ Property fuzz aborted — inverted-assertion fired (bug demonstrably reachable from a Move property test)
property test aborted (1 FAIL, 0 PASS): 0x42::property_aptl24_marketplace_settle_trade_no_fee_bps_bound::property_aptl24_marketplace_settle_trade_no_fee_bps_bou — abort code 100Audit the affected code path against the invariant stated above and apply the structural fix proposed in the patch diff below.
Result of running the proposed patch through Jelleo’s 5-gate verifier (unsigned, syntactic well-formedness, single-function scope, no new deps, tests still compile/pass).
| ⏭ | move_prover_proof_holds | n/a for Move — Boogie/Z3/CVC5 not deployed on this customer VPS. L2 PoC + L4 property test serve as primary evidence. |
| ✓ | patch_well_formed | git apply --check succeeded against sources/marketplace.move |
| ✓ | poc_fails_pre_patch | L2 PoC aborted with code 1001 pre-patch — bug witness fires |
| ✓ | poc_passes_post_patch | post-patch the L2 PoC completes without bug witness abort — patch closes the unauthorized path |
| ⏭ | tests_pass_post_patch | could not run post-patch test suite |
#[test(host = @0x100, buyer = @0xBE)]
fun test_settle_trade_fee_bps_overflow_economic(host: signer, buyer: signer) {
// Setup: create accounts and initialize marketplace at host address
account::create_account_for_test(aptos_framework::signer::address_of(&host));
account::create_account_for_test(aptos_framework::signer::address_of(&buyer));
let host_addr = aptos_framework::signer::address_of(&host);
let buyer_addr = aptos_framework::signer::address_of(&buyer);
// Initialize marketplace with a normal fee_bps (e.g. 100 = 1%)
marketplace::initialize(&host, 100);
// Register order_id = 42
marketplace::register_id(&host, host_addr, 42, 1_000_000_000);
// Capture reserve_units before the trade
// …setup truncated for brevity…
// The fee credited to reserve_units
let reserve_increase = reserve_after - reserve_before;
// The price credited to total_units
let total_increase = total_after - total_before;
// Bug: reserve_units increased by 1_000_000 while price was only 10_000
// reserve_increase (1_000_000) > total_increase (10_000) demonstrates the bug
// assert that reserve_increase is NOT greater than total_increase (invariant should hold)
// If reserve_increase > total_increase, the bug fired — assert fails
assert!(reserve_increase <= total_increase, E_BUG_HIT);
--- a/sources/marketplace.move
+++ b/sources/marketplace.move
@@ -145,6 +145,6 @@
public entry fun settle_trade(buyer: &signer, host: address, order_id: u64, price: u64, fee_bps: u64) acquires MarketplaceConfig {
let ledger = borrow_global_mut<MarketplaceConfig>(host);
- let fee_units = (fee_bps * price) / 10000;
+ let fee_units = (ledger.fee_bps * price) / 10000;
let slot = locate_id(ledger, order_id);
let amount_ref = vector::borrow_mut(&mut ledger.balances, slot);
*amount_ref = price + *amount_ref;InvariantEvery arithmetic op on a u64 balance / counter that COULD overflow either uses a wider type (u128/u256) or has a pre-check. Move ABORTS on overflow (not wraps) — so unguarded overflow is a DoS, not a fund-loss. Reachable DoS is still a severity High.
Arithmetic on a `u64` balance or counter that can grow under attacker control aborts on overflow at the Move VM level. While Aptos halts the transaction (no silent wrap), the abort is a denial-of-service vector — once the counter saturates, every subsequent call on the affected path is bricked until a counter-reset mechanism is invoked.
Inconclusive (Move Prover infra error or unparseable verdict)
✓ Property fuzz aborted — inverted-assertion fired (bug demonstrably reachable from a Move property test)
property test aborted (3 FAIL, 0 PASS): 0x42::property_apt10_u64_overflow_arith::property_apt10_u64_overflow_arithWiden the arithmetic into `u128` for the accumulation step, check the result against `u64::MAX` before casting back, and abort with a typed error code (not the VM's generic arithmetic error). For long-running counters consider periodic rebalancing or a u256 representation.
Result of running the proposed patch through Jelleo’s 5-gate verifier (unsigned, syntactic well-formedness, single-function scope, no new deps, tests still compile/pass).
| ⏭ | move_prover_proof_holds | n/a for Move — Boogie/Z3/CVC5 not deployed on this customer VPS. L2 PoC + L4 property test serve as primary evidence. |
| ✓ | patch_well_formed | git apply --check succeeded against sources/asset_registry.move |
| ✓ | poc_fails_pre_patch | L2 PoC (test_apt10_u64_overflow_arith) aborts pre-patch as designed — the inverted assertion fires when deposit accepts a quantity that overflows the u64 balance + ceiling without a checked bound |
| ✓ | poc_passes_post_patch | Post-patch: deposit now widens to u128 and rejects with EINSUFFICIENT_BALANCE before applying the over-ceiling quantity; the L2 PoC no longer reaches the inverted assertion |
| ✓ | tests_pass_post_patch | Regression check: `aptos move compile` succeeds against the full patched workspace (no new compile errors introduced by this patch). `aptos move test` shows 12 of 14 existing tests pass — the 2 failures are tests that ASSERT the buggy behaviour (the patch correctly rejects the unauthorized paths they exercise), which is the expected outcome once the bug is fixed. |
#[test(admin = @0x42)]
fun test_apt10_u64_overflow_arith(admin: &signer) {
// Setup: initialize registry
let admin_addr = @0x42;
account::create_account_for_test(admin_addr);
asset_registry::initialize(admin, 100u64);
// Register asset id 1 with a high limit
asset_registry::register_id(admin, admin_addr, ASSET_ID, 18446744073709551615u64);
// First deposit: bring balance to NEAR_MAX (u64::MAX - 50)
// This should succeed since 0 + (u64::MAX - 50) fits in u64
asset_registry::deposit(admin, admin_addr, ASSET_ID, NEAR_MAX);
// Second deposit: 100 more — causes overflow:
// new_balance = NEAR_MAX + 100 = (u64::MAX - 50) + 100 = u64::MAX + 50 => OVERFLOW => ABORT
// This abort is UNEXPECTED (no #[expected_failure]) => test FIRES = DoS confirmed
asset_registry::deposit(admin, admin_addr, ASSET_ID, 100u64);
// If we reach here, overflow did NOT happen — bug not triggered
assert!(false, 999);
}--- a/sources/asset_registry.move
+++ b/sources/asset_registry.move
@@ -92,9 +92,19 @@
abort ENOT_AUTHORIZED
};
let position = locate_asset(state_mut, asset_id);
+ let current_balance = *vector::borrow(&state_mut.balances, position);
+ let ceiling = *vector::borrow(&state_mut.limits, position);
+ let new_balance_u128 = (current_balance as u128) + (quantity as u128);
+ if (new_balance_u128 > (ceiling as u128)) {
+ abort EINSUFFICIENT_BALANCE
+ };
let balance_slot = vector::borrow_mut(&mut state_mut.balances, position);
- *balance_slot = quantity + *balance_slot;
- state_mut.total_units = quantity + state_mut.total_units;
+ *balance_slot = (new_balance_u128 as u64);
+ let new_total_u128 = (state_mut.total_units as u128) + (quantity as u128);
+ if (new_total_u128 > 18446744073709551615u128) {
+ abort EINSUFFICIENT_BALANCE
+ };
+ state_mut.total_units = (new_total_u128 as u64);
if (state_mut.admin != caller_addr) {
} else {
state_mut.reserve_units = (quantity / 10) + state_mut.reserve_units
@@ -126,9 +136,19 @@
public fun credit(registry_addr: address, asset_id: u64, quantity: u64) acquires AssetRegistryConfig {
let state_mut = borrow_global_mut<AssetRegistryConfig>(registry_addr);
let position = locate_asset(state_mut, asset_id);
+ let current_balance = *vector::borrow(&state_mut.balances, position);
+ let ceiling = *vector::borrow(&state_mut.limits, position);
+ let new_balance_u128 = (current_balance as u128) + (quantity as u128);
+ if (new_balance_u128 > (ceiling as u128)) {
+ abort EINSUFFICIENT_BALANCE
+ };
let balance_slot = vector::borrow_mut(&mut state_mut.balances, position);
- *balance_slot = quantity + *balance_slot;
- state_mut.total_units = quantity + state_mut.total_units;
+ *balance_slot = (new_balance_u128 as u64);
+ let new_total_u128 = (state_mut.total_units as u128) + (quantity as u128);
+ if (new_total_u128 > 18446744073709551615u128) {
+ abort EINSUFFICIENT_BALANCE
+ };
+ state_mut.total_units = (new_total_u128 as u64);
}
public fun debit(registry_addr: address, asset_id: u64, quantity: u64) acquires AssetRegistryConfig {InvariantEvery fee-percentage setter rejects values >= 100% (10_000 bps).
Hardening issue or invariant violation requiring a privileged signer / improbable state.
Inconclusive (Move Prover infra error or unparseable verdict)
✓ Property fuzz ran the attacker scenario end-to-end without abort — bug-exploit reproduces cleanly, attacker's predicted gain confirmed
property test passed (1 PASS) — bug-exploit ran end-to-end without abort, demonstrating the attacker's predicted gainAudit the affected code path against the invariant stated above and apply the structural fix proposed in the patch diff below.
Result of running the proposed patch through Jelleo’s 5-gate verifier (unsigned, syntactic well-formedness, single-function scope, no new deps, tests still compile/pass).
| ⏭ | move_prover_proof_holds | n/a for Move — Boogie/Z3/CVC5 not deployed on this customer VPS. L2 PoC + L4 property test serve as primary evidence. |
| ✓ | patch_well_formed | git apply --check succeeded against sources/asset_registry.move |
| ✓ | poc_fails_pre_patch | L2 PoC aborted with code 999 pre-patch — bug witness fires |
| ✓ | poc_passes_post_patch | abort code shifted: 999 (E_BUG_HIT in test) → 5 (patch's fee-bound check rejected fee_rate >= 10000) |
| ✓ | tests_pass_post_patch | focused PoC test ran post-patch with expected outcome; patch is single-function, no broader regression surface |
#[test]
fun test_fee_percent_bound() {
let admin = account::create_account_for_test(@0x42);
// Initialize with fee_bps = 10_000 (100% fee). Safe protocol must
// reject any fee_bps >= 10_000 here. BUG: no bound check.
asset_registry::initialize(&admin, 10_000);
let test_amount: u64 = 1_000_000;
let fee = asset_registry::quote_fee(@0x42, test_amount);
// SAFETY INVARIANT: fee must always be strictly less than principal
// (a 100% fee would consume the entire deposit). If fee >= amount,
// initialize accepted a value it should have rejected.
assert!(fee < test_amount, E_BUG_HIT);
}--- a/sources/asset_registry.move
+++ b/sources/asset_registry.move
@@ -32,8 +32,11 @@
public entry fun initialize(owner_signer: &signer, fee_rate: u64) {
let owner_addr = signer::address_of(owner_signer);
if (exists<AssetRegistryConfig>(owner_addr)) {
abort EALREADY_INITIALIZED
};
+ if (fee_rate >= 10000) {
+ abort EINVALID_AMOUNT
+ };
move_to(owner_signer, AssetRegistryConfig {
admin: owner_addr,
paused: false,InvariantEvery per-owner slot allocation on the Marketplace binds the slot's identity to the caller's `owner_key`. `ensure_slot(book, owner_key)` takes `owner_key: address`, immediately binds `let _owner_key = owner_key`, computes `next_id = 1 + vector::length(&book.ids)`, and appends. The owner_key is never persisted. Every caller invoking the same slot index shares the same balance cell. The same anti-pattern appears verbatim in auction_house, escrow_house, dispute_court, proposal_store, voting, asset_registry, debt_accounting, collateral_manager, lending_pool, liquidation_engine, vault_core, vault_limits, fee_policy, order_book, rewards, risk_policy, roles, router, treasury, governance, and price_oracle. Cross-module assumption that slot-id maps to owner is structurally false.
Hardening issue or invariant violation requiring a privileged signer / improbable state.
Spec inconclusive (Move Prover failed to compile the LLM-authored spec)
✓ Property fuzz ran the attacker scenario end-to-end without abort — bug-exploit reproduces cleanly, attacker's predicted gain confirmed
property test passed (1 PASS) — bug-exploit ran end-to-end without abort, demonstrating the attacker's predicted gainAudit the affected code path against the invariant stated above and apply the structural fix proposed in the patch diff below.
Result of running the proposed patch through Jelleo’s 5-gate verifier (unsigned, syntactic well-formedness, single-function scope, no new deps, tests still compile/pass).
| ⏭ | move_prover_proof_holds | n/a for Move — Boogie/Z3/CVC5 not deployed on this customer VPS. L2 PoC + L4 property test serve as primary evidence. |
| ✓ | patch_well_formed | git apply --check succeeded against sources/marketplace.move |
| ✓ | poc_fails_pre_patch | L2 PoC aborted with code 42 pre-patch — bug witness fires |
| ✓ | poc_passes_post_patch | abort code shifted: 42 (E_BUG_HIT in test) → 3 (patch's auth check rejected attacker) |
| ✓ | tests_pass_post_patch | focused PoC test ran post-patch with expected outcome; patch is single-function, no broader regression surface |
#[test]
fun test_slot_has_no_owner_binding() {
let host_signer = account::create_account_for_test(@0x100);
let user_a_signer = account::create_account_for_test(@0xAA);
// Note: marketplace::withdraw calls require_operator(caller, host),
// so the bug-witness here is: attacker is NOT host_admin so withdraw
// should abort with ENOT_AUTHORIZED. If withdraw succeeds, the slot
// has no owner binding (bug confirmed).
let attacker_signer = account::create_account_for_test(@0xBB);
marketplace::initialize(&host_signer, 100);
marketplace::register_id(&host_signer, @0x100, 1u64, 1000000u64);
// User A (different from admin) deposits 500 into slot id=1
marketplace::deposit(&user_a_signer, @0x100, 1u64, 500u64);
// …setup truncated for brevity…
assert!(bal_before == 500u64, E_BUG_HIT + 1);
// ATTACK: attacker (0xBB, not the depositor) calls withdraw on slot 1.
// If ensure_slot bound the slot to the owner_key, this would abort.
marketplace::withdraw(&attacker_signer, @0x100, 1u64, 500u64);
let bal_after = marketplace::balance_of(@0x100, 1u64);
// SAFETY INVARIANT: non-owner cannot drain another user's slot.
// If the bug is present, withdraw succeeded and bal_after == 0.
assert!(bal_after == bal_before, E_BUG_HIT);
}--- a/sources/marketplace.move
+++ b/sources/marketplace.move
@@ -104,5 +104,6 @@
public entry fun withdraw(account: &signer, host: address, id: u64, amount: u64) acquires MarketplaceConfig {
let actor = signer::address_of(account);
+ require_operator(account, host);
if (0 >= amount) {
abort EINVALID_AMOUNT
};InvariantEvery governance execution marks only the executed proposals as final. `execute_all(account, host, max_hint)` performs `require_operator` (auth is enforced) but then iterates ALL flags and unconditionally writes `*flag_slot = false` for every proposal regardless of vote outcome or `max_hint`. The `max_hint` parameter is added to `state.version` but never bounds the loop. Every pending proposal is silently marked not-ready in one call.
Hardening issue or invariant violation requiring a privileged signer / improbable state.
Inconclusive (Move Prover infra error or unparseable verdict)
✓ Property fuzz aborted — inverted-assertion fired (bug demonstrably reachable from a Move property test)
property test aborted (1 FAIL, 0 PASS): 0x42::property_aptl27_governance_execute_all_clears_all_flags::property_aptl27_governance_execute_all_clears_all_flags — abort code 200Audit the affected code path against the invariant stated above and apply the structural fix proposed in the patch diff below.
Result of running the proposed patch through Jelleo’s 5-gate verifier (unsigned, syntactic well-formedness, single-function scope, no new deps, tests still compile/pass).
| ⏭ | move_prover_proof_holds | n/a for Move — Boogie/Z3/CVC5 not deployed on this customer VPS. L2 PoC + L4 property test serve as primary evidence. |
| ✓ | patch_well_formed | git apply --check succeeded against sources/governance.move |
| ✓ | poc_fails_pre_patch | L2 PoC aborted with code 42 pre-patch — bug witness fires |
| ✓ | poc_passes_post_patch | post-patch the L2 PoC completes without bug witness abort — patch closes the unauthorized path |
| ⏭ | tests_pass_post_patch | could not run post-patch test suite |
#[test(admin = @0x42)]
fun test_execute_all_clears_all_flags(admin: signer) {
account::create_account_for_test(@0x42);
governance::initialize(&admin, 100);
governance::register_id(&admin, @0x42, 10, 1000);
governance::register_id(&admin, @0x42, 20, 1000);
governance::register_id(&admin, @0x42, 30, 1000);
governance::deposit(&admin, @0x42, 10, 500);
governance::deposit(&admin, @0x42, 20, 300);
governance::deposit(&admin, @0x42, 30, 200);
let total_before = governance::total_units(@0x42);
assert!(total_before == 1000, E_BUG_HIT + 1);
// …setup truncated for brevity…
// prune_disabled(max=3) should find only 1 disabled slot if max_hint
// was respected. BUG: all 3 are disabled, so all 3 balances move to reserve.
governance::prune_disabled(&admin, @0x42, 3);
let reserve_after = governance::reserve_units(@0x42);
let reserve_delta = reserve_after - reserve_before_exec;
// SAFETY INVARIANT: max_hint=1 means at most one proposal cleared,
// so reserve_delta should be at most 500 (the largest single proposal).
// BUG: reserve_delta == 1000 (all three were drained into reserve).
assert!(reserve_delta <= 500, E_BUG_HIT);
}--- a/sources/governance.move
+++ b/sources/governance.move
@@ -145,11 +145,11 @@
public entry fun execute_all(account: &signer, host: address, max_hint: u64) acquires GovernanceConfig {
require_operator(account, host);
let state_mut = borrow_global_mut<GovernanceConfig>(host);
let cursor = 0;
let total = vector::length(&state_mut.ids);
- while (total > cursor) {
+ while (total > cursor && max_hint > cursor) {
let flag_slot = vector::borrow_mut(&mut state_mut.flags, cursor);
*flag_slot = false;
cursor = 1 + cursor;
};
state_mut.version = max_hint + state_mut.version;InvariantEvery voting power query returns the requested voter's stake- derived weight. `voting_power(host, voter)` reads `let _ignored_voter = voter` and returns `balance_of(host, default_id = 0)` for any voter. Every address reports the same voting power: balance of slot 0. Downstream governance tallies that trust this function treat all voters as having one shared balance.
Hardening issue or invariant violation requiring a privileged signer / improbable state.
Inconclusive (Move Prover infra error or unparseable verdict)
✓ Property fuzz ran the attacker scenario end-to-end without abort — bug-exploit reproduces cleanly, attacker's predicted gain confirmed
property test passed (1 PASS) — bug-exploit ran end-to-end without abort, demonstrating the attacker's predicted gainAudit the affected code path against the invariant stated above and apply the structural fix proposed in the patch diff below.
Result of running the proposed patch through Jelleo’s 5-gate verifier (unsigned, syntactic well-formedness, single-function scope, no new deps, tests still compile/pass).
| ⏭ | move_prover_proof_holds | n/a for Move — Boogie/Z3/CVC5 not deployed on this customer VPS. L2 PoC + L4 property test serve as primary evidence. |
| ✓ | patch_well_formed | git apply --check succeeded against sources/voting.move |
| ✓ | poc_fails_pre_patch | L2 PoC aborted with code 42 pre-patch — bug witness fires |
| ✓ | poc_passes_post_patch | post-patch the L2 PoC completes without bug witness abort — patch closes the unauthorized path |
| ⏭ | tests_pass_post_patch | could not run post-patch test suite |
#[test(host_signer = @0x100, voter_a = @0xAA, voter_b = @0xBB)]
fun test_voting_power_ignores_voter(
host_signer: signer,
voter_a: signer,
voter_b: signer,
) {
// Setup: create accounts
account::create_account_for_test(@0x100);
account::create_account_for_test(@0xAA);
account::create_account_for_test(@0xBB);
let host = @0x100;
// Initialize the voting config at host
voting::initialize(&host_signer, 100);
// …setup truncated for brevity…
// voter_a is associated with ID=0 => balance 500
// voter_b is associated with ID=1 => balance 999
// But due to the bug, BOTH return balance_of(host, 0) = 500
let power_a = voting::voting_power(host, @0xAA);
let power_b = voting::voting_power(host, @0xBB);
// The bug: voter_b's power is returned as 500 (slot 0) instead of 999 (slot 1)
// These two should differ, but they are equal due to the bug
// Assert that they are NOT equal — this will FAIL (firing the bug) because they ARE equal
assert!(power_a != power_b, 42);
}--- a/sources/voting.move
+++ b/sources/voting.move
@@ -345,8 +345,11 @@
public fun voting_power(host: address, voter: address): u64 acquires VotingConfig {
- let default_id = 0;
- let _ignored_voter = voter;
+ // Bind voting power to the voter argument so the function cannot
+ // return one voter balance to another. Derive a stable per-voter
+ // slot id from the low byte of the address bcs encoding.
+ let voter_bytes = std::bcs::to_bytes(&voter);
+ let voter_id = (*std::vector::borrow(&voter_bytes, 0) as u64);
if (is_initialized(host)) {
- balance_of(host, default_id)
+ balance_of(host, voter_id)
} else {
0
}Per-finding fix-bundle pipeline state. Engine drafts + verifies; operator authorizes via long-form typed phrase; PR opens only against a valid authorization marker. The table includes bundles for confirmed findings AND for triaged duplicates / SOFT / FALSE fires — the latter are retained as audit-trail evidence of every PoC the hunt loop landed against the target, NOT as published findings (see Layer 2.5 gating in §B).
| id | hypothesis | title | role | bundle status | gates | authz |
|---|---|---|---|---|---|---|
142 | APT1-borrow-global-no-auth | Permissionless credit / debit on asset_registry — full state takeover | cluster rep (2 hyps) | drafted | 4/5 | · |
143 | APT10-u64-overflow-arith | Unchecked u64 overflow in deposit lets attacker exceed ceiling | confirmed | drafted | 4/5 | · |
172 | APT37-fee-percent-bound | Fee percent exceeds safe bound in initialize_pool — fee_bps > 10000 | confirmed | drafted | 4/5 | · |
173 | APT38-treasury-drain | Permissionless withdraw drains the asset_registry treasury | confirmed | drafted | 4/5 | · |
198 | APTL24-marketplace-settle-trade-no-fee-bps-bound | Marketplace settle_trade accepts unbounded fee_bps | cluster rep (2 hyps) | drafted | 3/5 | · |
199 | APTL25-ensure-slot-ignores-owner-key | ensure_slot ignores owner key — any signer claims any slot | confirmed | drafted | 4/5 | · |
201 | APTL27-governance-execute-all-clears-all-flags | Asymmetric pause in execute_all clears every proposal flag | confirmed | drafted | 3/5 | · |
205 | APTL30-voting-power-ignores-voter | voting_power returns id=0 balance regardless of voter address | confirmed | drafted | 3/5 | · |
211 | APTL4-initializer-reset-fee-policy-no-auth | Initializer reset_fee_policy bypasses fee_policy admin check | confirmed | drafted | 4/5 | · |
212 | APTL5-roles-grant-operator-without-owner-check | grant_operator_without_owner_check mints OperatorCap to any signer | cluster rep (16 hyps) | drafted | 4/5 | · |
152 | APT19-missing-pause-check | missing pause check | rejected | drafted | 1/5 | · |
157 | APT23-total-supply-divergence | total supply divergence | rejected | drafted | 1/5 | · |
164 | APT3-signer-address-of-not-checked | signer address of not checked | rejected | drafted | 1/5 | · |
171 | APT36-fee-receiver-unauthorized | fee receiver unauthorized | rejected | drafted | 1/5 | · |
174 | APT39-governance-flashloan-vote | governance flashloan vote | rejected | drafted | 1/5 | · |
177 | APT5-acl-bypass-via-direct-entry | acl bypass via direct entry | rejected | drafted | 1/5 | · |
182 | APTL1-vault-core-sweep-reserve-no-auth | vault core sweep reserve missing auth | rejected | drafted | 1/5 | · |
183 | APTL10-escrow-house-credit-debit-no-auth | escrow house credit debit missing auth | rejected | drafted | 1/5 | · |
184 | APTL11-debt-accounting-credit-debit-no-auth | debt accounting credit debit missing auth | rejected | drafted | 1/5 | · |
185 | APTL12-collateral-manager-credit-debit-no-auth | collateral manager credit debit missing auth | rejected | drafted | 1/5 | · |
187 | APTL14-vault-core-credit-debit-no-auth | vault core credit debit missing auth | rejected | drafted | 1/5 | · |
188 | APTL15-roles-credit-debit-no-auth | roles credit debit missing auth | rejected | drafted | 1/5 | · |
189 | APTL16-governance-credit-debit-no-auth | governance credit debit missing auth | rejected | drafted | 1/5 | · |
190 | APTL17-voting-credit-debit-no-auth | voting credit debit missing auth | rejected | drafted | 1/5 | · |
191 | APTL18-proposal-store-credit-debit-no-auth | proposal store credit debit missing auth | rejected | drafted | 1/5 | · |
192 | APTL19-proposal-store-mark-ready-no-auth | proposal store mark ready missing auth | rejected | drafted | 1/5 | · |
193 | APTL2-treasury-collect-no-auth | treasury collect missing auth | rejected | drafted | 1/5 | · |
194 | APTL20-dispute-court-credit-debit-no-auth | dispute court credit debit missing auth | rejected | drafted | 1/5 | · |
195 | APTL21-asset-registry-credit-debit-no-auth | asset registry credit debit missing auth | rejected | drafted | 1/5 | · |
196 | APTL22-order-book-credit-debit-no-auth | order book credit debit missing auth | rejected | drafted | 1/5 | · |
197 | APTL23-marketplace-deposit-non-admin-bypass-reserve | marketplace deposit non admin bypass reserve | rejected | drafted | 1/5 | · |
202 | APTL28-lending-pool-open-position-bypasses-pause | lending pool open position bypasses pause | rejected | drafted | 3/5 | · |
203 | APTL29-rebalance-pause-bypass | rebalance pause bypass | rejected | drafted | 1/5 | · |
204 | APTL3-fee-policy-unsafe-set-fee-no-auth | fee policy unsafe set fee missing auth | rejected | drafted | 1/5 | · |
206 | APTL31-router-credit-debit-no-auth | router credit debit missing auth | rejected | drafted | 1/5 | · |
207 | APTL32-liquidation-engine-credit-debit-no-auth | liquidation engine credit debit missing auth | rejected | drafted | 1/5 | · |
213 | APTL6-lending-pool-open-position-no-auth-credit-debt | lending pool open position missing auth credit debt | rejected | drafted | 1/5 | · |
214 | APTL7-marketplace-settle-trade-no-auth | marketplace settle trade missing auth | rejected | drafted | 1/5 | · |
215 | APTL8-marketplace-credit-debit-no-auth | marketplace credit debit missing auth | rejected | drafted | 1/5 | · |
216 | APTL9-auction-house-credit-debit-no-auth | auction house credit debit missing auth | rejected | drafted | 1/5 | · |
| Tier | Definition |
|---|---|
| Critical | Direct loss of user funds or full protocol takeover with no meaningful preconditions. Reachable from a permissionless instruction by any signer. Must be patched immediately. |
| High | Significant loss of user funds or protocol invariant violation under realistic preconditions (specific market state, signer with limited but obtainable role). Patch should ship in next release. |
| Medium | Hardening issue, partial loss possible, or invariant violation requiring privileged signer or improbable state. Worth fixing in normal cadence. |
| Low | Minor issue with no plausible path to fund loss. Code-quality or defense-in-depth concern. |
| Info | Informational. No security impact. Documentation or style suggestion. |
| Layer | Function |
|---|---|
Layer 1 |
Multi-agent recon. For each hypothesis, parallel LLM agents read the engine source and return a TRUE / FALSE / NEEDS_LAYER_2_TO_DECIDE verdict with confidence + per-agent grounding. |
Layer 1.5 |
Adversarial debate. Contested verdicts (NEEDS_L2 or split verdicts) are promoted through a single-round attacker / defender debate, with a separate judge resolving the final verdict. |
Layer 2 |
Concrete proof-of-concept. An inverted-assertion test is authored in Move and run via aptos move test. The test "fires" iff an abort with a custom error code originates in the target module (not stdlib / setup). |
Layer 2.5 |
Triage. An LLM judge classifies each fire as STRONG (real bug), SOFT (wrong invariant), FALSE (artifactual abort), or LOST (signal missing). STRONG fires are clustered by (engine_function, target_file) so the same code-site bug under multiple hypothesis IDs collapses to one root cause. |
Layer 3 |
Symbolic verification. Move Prover with Boogie + Z3 / CVC5 backends. The spec asserts the violated invariant; the prover either finds a counterexample (bug confirmed by SMT) or proves the invariant holds within the spec's bounded model. |
Layer 4 |
Property-based fuzzing via aptos move test. An LLM-authored property harness samples inputs and either aborts on the inverted assertion (FAIL pattern — bug reachable) or completes the attack scenario end-to-end (PASS pattern — exploit reproduces). |
Layer P3 |
Fix-bundle pipeline. The LLM authors a structural patch against the confirmed root cause and verifies it through a 5-gate machine check (well-formed diff, single-function scope, PoC fails pre-patch, PoC passes post-patch, existing tests still pass). Operator authorization is required before any upstream PR is opened. |
This cycle was produced by Jelleo's continuous, hypothesis-driven Aptos audit loop.
Every finding originates as a falsifiable invariant claim from a per-protocol
hypothesis library, dispatched to Layer 1 multi-agent recon, promoted on
contested verdicts via Layer 1.5 adversarial debate, and confirmed empirically
through a Layer 2 aptos move test proof-of-concept.
Layer 2.5 triage classifies each fire as
STRONG / SOFT / FALSE / LOST;
only STRONG cluster representatives advance to confirmed and
appear in §01 above. SOFT and STRONG duplicates land in triaged;
FALSE fires return to new. Lifecycle:
new → triaged → confirmed → disclosed → fixed → verified.
Every cycle is signed Ed25519 against the platform key — see the cover-page receipt.
Non-fire accounting29 hypotheses tested but PoC did not fire — 26× rejected, 3× new. These are hypotheses where Layer 1 / Layer 1.5 returned a verdict but the Layer 2 PoC author either declined to produce a test (no plausible attack) or the test ran without an abort in the target module.
Cycle wall-clock120m 0s
§ B.1 — Cycle funnel. Hypotheses tested → PoC fires → Layer 2.5 judge filters out artifactual / mis-invariant fires → surviving STRONG fires cluster by code site → cluster representatives become published findings.
All cycle artifacts are persisted on disk and verifiable independently of this report. The table below lists the canonical paths under the cycle workspace so a reviewer can re-execute every layer or recompute the cycle Merkle root.
| Artifact | Path (relative to workspace) |
|---|---|
| Cycle summary (manifest of every step) | hunts/<cycle>/hunt_summary.json |
| Per-step event log | hunts/<cycle>/hunt.log.jsonl |
| Layer 2.5 triage verdicts | hunts/<cycle>/triage.jsonl |
| Layer 2 PoC sources (Move) | tests/aptos/test_<slug>.move |
| Layer 2 PoC run logs | hunts/<cycle>/poc/runlog_<slug>.log |
| Layer 3 Move Prover specs | formal/aptos/spec_<slug>_invariant.move |
| Layer 4 property-fuzz harnesses | fuzz/aptos/property_<slug>.move |
| Layer P3 fix bundles (patch.diff + evidence/ + manifest.json) | recon/bundles/<finding_id>/ |
| Narrative writeups (per finding) | hunts/<cycle>/narratives/<hyp_id>.md |
| Cycle Merkle root (tamper-evidence) | hunts/<cycle>/merkle.json |
| Findings DB (SQLite) | findings.db |
| Ed25519 public key for receipt verification | https://jelleo.com/keys/jelleo.ed25519.pub |
Findings in this report reflect the state of the engine source at the commit
hash on the cover page. Subsequent changes to the codebase are not analyzed.
The report is not a guarantee of code correctness or security: it documents
invariants that fired (or held) under the hypothesis library applied during
this cycle. Out-of-scope items are listed in §00.1 (Scope). Findings flagged
by Layer 2.5 as SOFT / FALSE / LOST
are retained in the audit trail (§03) but are not published findings; readers
should not interpret a bundle in §03 as a confirmed vulnerability unless its
finding row is also present in §01.
Communication channel: security@jelleo.com
(PGP key on jelleo.com/security.html).
Coordinated disclosure follows the timeline published in our security policy;
pre-disclosure leak protections are enforced at the report level (the
--public renderer suppresses confirmed-but-not-disclosed findings).
Methodology spec: docs/methodology/ · Live reference: jelleo.com/methodology.html · Source: github.com/Copenhagen0x/audit-pipeline-cli