Magi Security and Bug Hunt Report // February - May

Period: February 16 – May 16, 2026 (90 days)
Contributors: 7
Result: 231 confirmed bugs found and fixed. 100% remediation rate.
Cross-chain infrastructure is the most attacked target in crypto. Not because it is poorly built, but because it moves real money between chains, and real money attracts serious attackers. Since 2021, bridge exploits have cost users over $4.5 billion. In almost every case, the vulnerability existed before launch. It just wasn't found.
We decided to find ours first.
Over 90 days, we ran 20 audit passes across 30 repos using 10 distinct methodologies, all including comprehensive penetration tests. We found that simple code audits only ever reveal a fraction of the overall bugs.
The newly added approach: scrape every security commit THORChain and Chainflip ever pushed (5,392 commits, ~59,000 individual evaluations against our codebase) and ask one question of each: does the function this commit fixed exist in Magi? Not the code. The function. This leverages the industry's accumulated failure history to harden Magi.
We take our security very seriously, and before EVM, ZK proofs, DASH and Pendulum launch we intend to reapply this methodology once again, with up to ~500,000 individual checks across our codebase: one historical security-relevant diff evaluated against an equivalent Magi trust boundary, state transition, or function surface.
No human team could have done this volume. That was the point. Using the tools we have, attacking every angle with sheer volume over every relevant bug fix made on comparable protocols, on top of the varied multi-approach methodology that preceded it, hardened the system significantly. All confirmed findings underwent manual validation and remediation review.
The bug hunting never stops: as we introduce new systems, new bugs are introduced, and we will systematically cover them as we move along.
1. AUDIT SCOPE & METHODOLOGY
Coverage
| Metric | Value |
|---|---|
| Repos audited | 30 core protocol + Altera |
| Competitor commits scraped (reference) | 5,392 (THORChain + Chainflip) |
| Commit-to-repo evaluations | ~59,000 |
| Scenarios tested | 1500+ adversarial |
| Audit passes | 20 |
| Distinct methodologies | 10 |
False Positive Elimination: Potential findings were not accepted based on static analysis or AI detection alone. Each confirmed issue required validation through live exploit reproduction on testnet or equivalent adversarial simulation.
Methodologies Employed
| # | Method | Application |
|---|---|---|
| 1 | Operational Approach | Core methodology: attack first, prove everything, kill false positives |
| 2 | Three-Pass Line-by-Line | Initial audit — automated scan → verification → lifecycle trace |
| 3 | Adversarial Red-Team | Infrastructure reachability scan + attack chain construction |
| 4 | Four-Lens Parallel Audit | Bug class × Invariant × Trust boundary × State machine — 4 agents in parallel |
| 5 | 1500-Scenario Stress Testing | 1500 discrete attack scenarios across 7 categories, live testnet exploits |
| 6 | Cross-Codebase Reference | Functions from 5,392 competitor security commits mapped against 11 repos. Exploit lineage analysis + vulnerability pattern transplantation detection |
| 7 | Research-Informed Pattern Mapping | 30+ real-world exploits ($2B+ in losses) mapped to Magi architecture |
| 8 | Live Penetration Testing | SSH to production node, MongoDB queries, GQL simulation, L1 TX broadcast |
| 9 | Commit-by-Commit Diff Comparison | 60,000 diffs individually checked against Magi. Isolating security-relevant diffs and tracing equivalent trust boundaries |
| 10 | Direct Attack Path Tracing | Top 14 responsible disclosures traced to equivalent Magi code |
2. SUMMARY TABLE — FINDINGS BY SEVERITY & CATEGORY
231 Confirmed Fixes
| Type | Count | Description |
|---|---|---|
| Security vulnerabilities | 58 | Auth bypass, overflow, quorum bypass, injection, fund theft vectors |
| Stability fixes | 60 | Panics, nil derefs, deadlocks, goroutine leaks, node halt conditions |
| Logic bugs | 113 | Incorrect behavior with fund impact |
| TOTAL | 231 | All with commit evidence on GitHub |
Security Vulnerabilities by Severity (58)
| Severity | Count |
|---|---|
| Critical | 8 |
| High | 16 |
| Medium | 22 |
| Low | 12 |
By Category
| Category | Security | Stability | Logic | Total |
|---|---|---|---|---|
| TSS / Cryptographic | 9 | 12 | 8 | 29 |
| Gateway / Accounting | 6 | 3 | 14 | 23 |
| DEX / Swap | 8 | 0 | 15 | 23 |
| Oracle / Relay | 3 | 7 | 12 | 22 |
| UTXO Mapping | 9 | 4 | 8 | 21 |
| EVM / Account Mapping | 11 | 2 | 5 | 18 |
| State Engine / Runtime | 4 | 14 | 9 | 27 |
| P2P / Network | 2 | 9 | 6 | 17 |
| Infrastructure | 4 | 5 | 8 | 17 |
| Altera (functional) | 2 | 4 | 28 | 34 |
3. NOTABLE FINDINGS — CRITICAL SEVERITY
DEX Pool Init — Fund Theft
Repo: dex-contracts | Found: 2026-05-03 | Fixed: 2026-05-03
No auth check on init export.
BLS Quorum Bypass — 20 Sub-Quorum Commitments On Testnet
Repo: go-vsc-node | Found: 2026-05-15 | Fixed: 2026-05-15
vsc.tss_commitment verified BLS signature math but never checked 2/3 weighted quorum.
Fix: ef420b48 (Milo)
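The defect above is a gap between two checks that are easy to conflate: an aggregate signature being mathematically valid only proves that the listed signers signed, not that enough weight signed. The following is an added example (not go-vsc-node's code) of the second check as a separate gate. The validator weights are constructed sample data, and the aggregate-signature result is passed in as a boolean because the signature math is out of scope here; the quorum test is done in integers (3 × signed ≥ 2 × total) so that 2/3 is exact, and duplicate or unknown signer indices are rejected so a single signer cannot be counted twice.

```go
package main

import (
	"errors"
	"fmt"
	"math"
)

// Constructed validator set: index -> voting weight. These are sample values
// for the example, not Magi's real committee.
var sampleWeights = []uint64{40, 30, 20, 10} // total 100

// totalWeight sums a weight table, refusing to wrap past uint64.
func totalWeight(weights []uint64) (uint64, error) {
	var sum uint64
	for _, w := range weights {
		if w > math.MaxUint64-sum {
			return 0, errors.New("weight table overflows uint64")
		}
		sum += w
	}
	return sum, nil
}

// signedWeight adds up the weight of the signers a commitment claims,
// rejecting unknown indices and duplicates. Without the duplicate check a
// single signer listed three times would appear to carry triple weight.
func signedWeight(weights []uint64, signers []int) (uint64, error) {
	seen := make(map[int]bool, len(signers))
	var sum uint64
	for _, idx := range signers {
		if idx < 0 || idx >= len(weights) {
			return 0, fmt.Errorf("unknown signer index %d", idx)
		}
		if seen[idx] {
			return 0, fmt.Errorf("duplicate signer index %d", idx)
		}
		seen[idx] = true
		if weights[idx] > math.MaxUint64-sum {
			return 0, errors.New("signed weight overflows uint64")
		}
		sum += weights[idx]
	}
	return sum, nil
}

// quorumReached tests signed*3 >= total*2 in integers, so the 2/3 threshold
// is exact and no floating-point rounding can turn 66.66% into "enough".
func quorumReached(signed, total uint64) (bool, error) {
	if total == 0 {
		return false, errors.New("empty validator set")
	}
	if signed > total {
		return false, errors.New("signed weight exceeds total weight")
	}
	if total > math.MaxUint64/3 {
		return false, errors.New("weights too large for the 3x comparison")
	}
	return signed*3 >= total*2, nil
}

// acceptCommitment is the gate to run after the aggregate signature has been
// verified: a valid signature says the listed signers signed; the weight
// check says whether enough of them did. Both must pass.
func acceptCommitment(weights []uint64, signers []int, signatureValid bool) (bool, error) {
	if !signatureValid {
		return false, errors.New("aggregate signature invalid")
	}
	total, err := totalWeight(weights)
	if err != nil {
		return false, err
	}
	signed, err := signedWeight(weights, signers)
	if err != nil {
		return false, err
	}
	return quorumReached(signed, total)
}

func main() {
	ok, err := acceptCommitment(sampleWeights, []int{0, 1}, true) // 70% of weight: accepted
	fmt.Println(ok, err)
	ok, err = acceptCommitment(sampleWeights, []int{0, 3}, true) // 50%: valid signature, no quorum
	fmt.Println(ok, err)
}
```

The important property is that `acceptCommitment` can return `false` with a `nil` error: the signature was fine, the commitment simply lacked weight. A verifier that only checks `err == nil` after signature verification is exactly the shape of the bug described above.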
TSS Session Nonce — Keygen/Reshare Collision
Repo: go-vsc-node | Found: 2026-05-15 | Fixed: 2026-05-15
SetSessionNonce from tss-lib v3 was never called.
Fix: 64d88c1c (Milo)
Gas Fee Integer Overflow — Balance Increases on Withdrawal
Repo: account-mapping | Found: 2026-04-28 | Fixed: 2026-05-01
int64(21000 * gasFeeCap) wraps negative when baseFee >= 219,604 gwei. Withdrawal deducts a negative fee → user balance increases. Arithmetic overflow.
Fix: 9ed1f8f (lordbutterfly)
DoS Hardening — Sleep Loop + Simulate Bomb + Pubsub Flood
Repo: go-vsc-node | Found: 2026-03-29 | Fixed: 2026-03-29
Block producer sleep loop unbounded (infinite spin).
Fix: 3f88991b (lordbutterfly) — bounded iterations, max 10 simulate calls, HTTP timeouts.
WASM Gas Underflow — Unlimited Contract Execution
Repo: go-vsc-node | Found: 2026-03-26 | Fixed: 2026-03-28
Gas subtraction had no underflow guard. Contract could consume unlimited compute by wrapping gas counter below zero.
Fix: fd56def (lordbutterfly) — safe subtraction with underflow check.
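The gas-fee overflow (account-mapping) and the WASM gas underflow are the same class of defect in two directions: signed multiplication wrapping past the top of int64, and unsigned subtraction wrapping past zero. The block below is an added example written for this report, not the project's code. It assumes gasFeeCap = 2 × baseFee, which is what makes the report's ~219,604 gwei threshold coincide with math.MaxInt64 / 21000 (the exact boundary is about 219,604.1 gwei), and shows each wrapping computation beside its checked replacement, plus a withdrawal settlement that can never increase a balance.

```go
package main

import (
	"errors"
	"fmt"
	"math"
)

const gasLimit int64 = 21000 // gas of a plain transfer, as in the report's formula

// gasFeeCapFor is an assumption of this example: cap = 2 * baseFee. With it,
// 21000 * cap exceeds math.MaxInt64 once baseFee passes ~219,604 gwei.
func gasFeeCapFor(baseFeeWei int64) int64 { return 2 * baseFeeWei }

// wrappingFee reproduces the defect: int64 multiplication wraps silently,
// so a large enough base fee yields a negative fee.
func wrappingFee(baseFeeWei int64) int64 {
	return gasLimit * gasFeeCapFor(baseFeeWei)
}

// checkedFee refuses any input whose product would not fit in int64.
func checkedFee(baseFeeWei int64) (int64, error) {
	if baseFeeWei < 0 {
		return 0, errors.New("negative base fee")
	}
	if baseFeeWei > math.MaxInt64/2 {
		return 0, errors.New("base fee too large for fee cap")
	}
	feeCap := gasFeeCapFor(baseFeeWei)
	if feeCap > math.MaxInt64/gasLimit {
		return 0, fmt.Errorf("fee overflows int64 at base fee %d wei", baseFeeWei)
	}
	return gasLimit * feeCap, nil
}

// settleWithdrawal returns the post-withdrawal balance or an error. Because the
// fee is checked before use, the result is never larger than the input balance.
func settleWithdrawal(balance, amount, baseFeeWei int64) (int64, error) {
	if balance < 0 || amount <= 0 {
		return 0, errors.New("invalid balance or amount")
	}
	fee, err := checkedFee(baseFeeWei)
	if err != nil {
		return 0, err
	}
	if amount > math.MaxInt64-fee {
		return 0, errors.New("amount plus fee overflows int64")
	}
	if amount+fee > balance {
		return 0, errors.New("insufficient balance")
	}
	return balance - amount - fee, nil
}

// wrappingSubGas reproduces the WASM gas-counter defect: unsigned subtraction
// below zero wraps to a huge remaining-gas value, i.e. unlimited execution.
func wrappingSubGas(gas, cost uint64) uint64 { return gas - cost }

// safeSubGas charges cost only if it fits; otherwise it reports out-of-gas.
func safeSubGas(gas, cost uint64) (uint64, bool) {
	if cost > gas {
		return 0, false
	}
	return gas - cost, true
}

func main() {
	const gwei = 1_000_000_000
	fmt.Println("wrapping fee at 220,000 gwei:", wrappingFee(220_000*gwei)) // negative
	_, err := checkedFee(220_000 * gwei)
	fmt.Println("checked fee at 220,000 gwei:", err)
	fmt.Println(wrappingSubGas(100, 150)) // wraps to 2^64 - 50
	fmt.Println(safeSubGas(100, 150))     // 0 false
}
```

Both checked functions follow the same pattern: compare against the bound before performing the operation, never after, since by then the wrapped value already looks legitimate.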
ETH Header Chain Validation — Fake Deposit Proofs
Repo: account-mapping | Found: 2026-05-04 | Fixed: 2026-05-07
HandleAddBlocks stored oracle-submitted ETH headers with no parent hash linkage.
Fix: 32a0c89 (tibfox) — chain-validate ETH headers via parent_hash.
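What "chain-validate via parent_hash" amounts to is a three-part check on every stored header: it must hash to what it claims, its parent_hash must equal the hash of the header accepted before it, and its number must follow. Below is an added example of that check, not account-mapping's code. The header type and hash function are constructed stand-ins (sha256 over a few fields; real Ethereum headers are keccak256 of the RLP encoding), because the linkage logic is independent of the hash used.

```go
package main

import (
	"crypto/sha256"
	"encoding/binary"
	"fmt"
)

// header is a minimal stand-in for an ETH block header (constructed for this
// example). Payload represents every field the linkage check does not inspect.
type header struct {
	Number     uint64
	ParentHash [32]byte
	Payload    []byte
	Hash       [32]byte // claimed hash, recomputed during validation
}

// computeHash is the example's stand-in for the header hash: sha256 over
// number, parent hash and payload. Real ETH uses keccak256 of the RLP header.
func computeHash(h header) [32]byte {
	var num [8]byte
	binary.BigEndian.PutUint64(num[:], h.Number)
	d := sha256.New()
	d.Write(num[:])
	d.Write(h.ParentHash[:])
	d.Write(h.Payload)
	var out [32]byte
	copy(out[:], d.Sum(nil))
	return out
}

// newHeader builds a header on top of parent and fills in its hash.
func newHeader(parent header, payload string) header {
	h := header{Number: parent.Number + 1, ParentHash: parent.Hash, Payload: []byte(payload)}
	h.Hash = computeHash(h)
	return h
}

// validateHeaderChain is the check a header store needs before accepting an
// oracle-submitted batch: each header hashes to its claimed hash, links to the
// previously accepted header through parent_hash, and continues the numbering.
// tip is the last header already accepted.
func validateHeaderChain(tip header, batch []header) error {
	prev := tip
	for i, h := range batch {
		if got := computeHash(h); got != h.Hash {
			return fmt.Errorf("header %d: claimed hash does not match contents", i)
		}
		if h.ParentHash != prev.Hash {
			return fmt.Errorf("header %d (#%d): parent_hash does not link to #%d", i, h.Number, prev.Number)
		}
		if h.Number != prev.Number+1 {
			return fmt.Errorf("header %d: number %d does not follow %d", i, h.Number, prev.Number)
		}
		prev = h
	}
	return nil
}

// sampleChain builds a genesis header plus n linked headers (constructed data).
func sampleChain(n int) (header, []header) {
	genesis := header{Number: 0, Payload: []byte("genesis")}
	genesis.Hash = computeHash(genesis)
	var out []header
	prev := genesis
	for i := 0; i < n; i++ {
		prev = newHeader(prev, fmt.Sprintf("block-%d", i+1))
		out = append(out, prev)
	}
	return genesis, out
}

func main() {
	genesis, chain := sampleChain(3)
	fmt.Println("linked batch:", validateHeaderChain(genesis, chain))
	forged := header{Number: 2, Payload: []byte("header carrying a fake deposit")}
	forged.Hash = computeHash(forged) // self-consistent, but unlinked
	fmt.Println("unlinked header:", validateHeaderChain(genesis, []header{chain[0], forged}))
}
```

The forged header in `main` is the case the original store accepted: it is internally consistent, so a hash-only check passes, and only the parent_hash comparison against the previously accepted header rejects it.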
MPT Inline-Node Forgery — Proof Verification Bypass
Repo: account-mapping | Found: 2026-05-04 | Fixed: 2026-05-07
Merkle Patricia Trie verifier skipped hash check for inline nodes (< 32 bytes).
Fix: 9458140 (tibfox) — validate inline-node bytes against parent reference.
4. REMEDIATION STATUS
All 231 bugs have been fixed. Each fix has a corresponding commit on GitHub.
Fix Velocity
| Metric | Value |
|---|---|
| Total fix commits | 231 |
| Average finding-to-fix time | ~2.1 days |
| Same-day fixes (audit → commit) | 4 occurrences (Mar 26, Mar 29, Apr 15, May 15) |
| Largest single burst | 38 fixes in 4 days (Mar 26-29, post-audit) |
| Monthly acceleration | 3.2x (Month 1 → Month 3) |
Timing: Pre-Deployment vs Post-Deployment
| Bucket | Fixes | % |
|---|---|---|
| Fixed on code not yet deployed to mainnet | ~122 | 53% |
| Fixed on mainnet code before pool launch (~Apr 16) | ~60 | 26% |
| Fixed on mainnet code after pool launch | ~49 | 21% |
| TOTAL | 231 | 100% fixed |
79% of all bugs were fixed before the DEX pools went live with user funds.
5. BUG DENSITY — INDUSTRY COMPARISON
The Same Bug Classes. Different Outcomes.
| Bug Class (ours) | Our Fixes | Project That Missed It | Their Loss | What Happened |
|---|---|---|---|---|
| Auth & Authorization | 16 | Ronin Bridge | $625M | 5/9 keys compromised; no expiry, no detection for 6 days |
| | | Poly Network | $611M | Cross-chain executor accepted any target contract |
| | | Nomad Bridge | $190M | Zero-value bytes accepted as valid trusted root |
| Accounting & Solvency | 14 | Wormhole | $320M | Signature verification return unchecked; 120K wETH minted from nothing |
| | | BNB Bridge | $570M | Forged Merkle proof accepted; 2M BNB minted |
| | | Euler Finance | $197M | Donation function violated solvency invariant |
| Key Management | 9 | Harmony Horizon | $100M | 2-of-5 threshold; hot wallet keys on cloud |
| | | Multichain | $126M | All MPC shares held by single operator |
| | | Wintermute | $160M | Vanity address with 32-bit entropy brute-forced |
| Arithmetic Overflow | 8 | Cetus Protocol | $223M | Bitshift instead of bounds check in liquidity math |
| | | KyberSwap | $47M | Tick boundary double-count |
| Oracle Trust | 6 | Mango Markets | $117M | Self-manipulated price; no deviation circuit breaker |
| | | Cream Finance | $130M | Stale oracle during rebase |
| State & Concurrency | 12 | Curve Finance | $70M | Compiler reentrancy bug; state modified mid-call |
| Missing Rate Limits | 5 | Nomad | $190M | No pause; copycats drained everything in hours |
| | | Ronin | $625M | No monitoring; breach undetected 6 days |
Combined industry losses from the same bug classes we fixed: >$4.5 BILLION.
Every one of these protocols went to mainnet without catching what we caught. The bugs were the same. The methodology wasn't.
6. REMAINING ROADMAP ITEMS
These are infrastructure systems to build — not unfixed bugs.
| System | Purpose | Status |
|---|---|---|
| Solvency monitoring | Compare L2 balances vs L1 gateway balance every block | Circuit breaker Phase 1 complete |
| Circuit breaker | Auto-halt on unauthorized outbound or balance mismatch | Phase 1 complete, Phase 2 in progress |
7. TEAM
| Contributor | Fixes | Primary Impact |
|---|---|---|
| Milo Ridenour | 59 | Core state engine, Pendulum, DEX, TSS session binding, BLS quorum |
| tibfox | 49 | Contract security (EVM headers, MPT proofs, supply invariants), mapping, indexer |
| lordbutterfly | 38 | Security hardening (DoS, overflow, auth), EVM bridge, audit orchestration |
| techcoderx | 38 | TSS infrastructure, oracle, goroutine management, node stability |
| Andrea | 23 | Altera swap UX, transaction display, error handling |
| disregardfiat | 15 | TSS hardening, BLS quorum, Pendulum safety |
| Sagar | 9 | Altera deposit/withdraw flows, pool support |
Each fix undergoes extensive team review before implementation and post-fix testing.
Conclusion:
We're not publishing this because we're proud of how many bugs we found. We're publishing it because the alternative, shipping without looking, is how $4.5 billion disappeared from other protocols. The bugs in that table aren't hypothetical. They're the same classes that broke THORChain, Ronin, Wormhole, Nomad etc. We found them in our code before an attacker did.
Two infrastructure systems remain in progress: solvency monitoring and the circuit breaker. These aren't unfixed bugs; they're defensive systems we're building on top of the codebase.
We have stress-tested Magi with higher adversarial coverage than standard audit processes provide.
Magi 2026 proposal is live. Vote for a better future for crypto.
https://peakd.com/me/proposals/378

Glad to see all that sorted out :)
Good to see that! We've heard the myth that Mythos discovered bugs and vulnerabilities in the most critical systems we have as humankind, including military systems. Of course you don't have access to it, but do you use any top-end AI model to hunt for bugs? ...Because attackers will.
We use Claude for this. Once Mythos is live we will ofc start using that as well.
#bilpcoin #bpc exposed #buildawhalescam #buildawhalefarm #themarkymarkscam #themarkymarkfarm #hurtlockerscam #hurtlockerfarm #acidyoscam #acidyofarm #jacobtothescam #hivepopescam
@jacobtothe The ledger doesn't lie, and neither do we. We've already exposed the interconnected web of your friends—the numbered wallets, the synchronized voting, the farming rings disguised as curation. Yet, instead of reflection, you offer only more silence and more downvotes.
Why does a "community" need so many ghost accounts to survive? Why do you refuse to admit that it is your friends and your own abusive behavior—not truth-telling—that drives people away? You cannot hide the pattern; it only highlights the desperation.
We have to ask: Are you okay? Do you need some help with your mental health? Because no one in their right mind would choose to spend their life defending a house of cards built on lies, bullying, and botnets. There is still time to step back from the edge. Choose clarity over compulsion. Choose truth over the tribe.
#bilpcoin
The Sanctuary of the Builder: A Manifesto for Free Creation
Prologue: The Right to Rise
There is a sacred covenant between the creator and the soil upon which they build. It is the promise that if you plant a seed with honest hands, the earth will not conspire to crush it before it breaks the surface. It is the assurance that the gardener exists to nurture the growth, not to trample the sprout because it does not yet resemble the tree.
On the blockchain, this covenant has been broken.
We have witnessed a tragedy where the very tools meant to protect the integrity of the network—the downvote, the curation trail—have been weaponized by leviathans of power. These "whales," entrusted with the stewardship of the ecosystem, have become its jailers. They do not prune the weeds; they scorch the earth. They do not guide the new voice; they silence it with the crushing weight of their accumulated capital.
It is time to leave the shadow.
It is time to build where you are free.
I. The Betrayal of the Guardian
The downvote was conceived as a shield—a delicate instrument to deflect spam, to repel malice, to preserve the sanctity of the commons. It was never intended to be a hammer.
Yet, look at what has come to pass. The whales, those who hold the greatest sway, have turned the shield into a weapon of mass suppression. They do not downvote to protect; they downvote to dominate. They do not drive away the bad actors; they drive away the people. They create an atmosphere of fear where the creator hesitates to speak, fearing that a single misstep, a single unpopular truth, will summon the wrath of the oligarchy.
When the guardian becomes the predator, the flock must flee.
To build in such a place is to build on a fault line. It is to invest your soul in a garden where the owner holds the shears not to shape the hedge, but to decapitate the flowers that grow too tall or bloom in the wrong color.
This is not protection. This is tyranny disguised as curation.
II. The Call to New Grounds
Where, then, shall the builder go?
You must seek the lands where the soil is rich with freedom, not poisoned by fear. You must migrate to the platforms where the mechanism of suppression has been removed, where the only metric of success is the genuine appreciation of your peers.
Go to Blurt.
Here, the downvote button does not exist. There is no tool to crush your voice. There is only the upvote, the comment, the share. Here, value is created by addition, not subtraction. The whale cannot sink your ship, for there are no torpedoes in these waters. You are free to build, free to fail, and free to succeed on the merit of your work alone.
Return to Steemit.
In this older ground, the downvote remains, but it has not been twisted into a tool of systematic oppression. The culture there remembers the original intent: correction, not destruction. It is a place where the community self-regulates through dialogue, not through the brute force of coordinated downvoting cascades.
Build where the wind lifts you, not where the gale seeks to tear you down.
III. The Architecture of Freedom
Imagine a platform designed not for the convenience of the powerful, but for the dignity of the creator.
This is not a dream. It is a choice.
Every time you choose to build on a platform that respects your agency, you cast a vote for the future of the internet. Every time you refuse to tolerate the abuse of power, you strengthen the foundation of a free society.
Do not let the whales convince you that their oppression is necessary. Do not let them tell you that their downvotes are for your own good. The gardener who kills the seedling does not love the garden; he loves only his own control over it.
Epilogue: The Unchained Creator
The blockchain was born from a desire for freedom. It was forged in the fire of resistance against centralized control. Let us not forget that origin.
If the current chains of Hive have become heavy with the weight of abusive downvotes, then break them. Forge new links. Build new shores.
Build where you are free.
Build where you will not be downvoted into silence.
Build where the whales are reminded that they are part of the ocean, not the masters of the tide.
The future belongs to those who dare to create without fear. Go forth, and build your cathedral in the sunlight.
— Bilpcoin: We expose the truth, so you can build upon it.
#FreeSpeech #BlurtBlog #Steemit #NoDownvote #CreatorRights #HiveExodus #Decentralization #BuildFree #AntiCensorship #Bilpcoin
@ipromote Wallet:
Author Rewards: 2,181.16
Curation Rewards: 4,015.61
Staked HIVE (HP): 0.00
Rewards/Stake Co-efficient (KE): NaN
HIVE: 25,203.749
Staked HIVE (HP): 0.000
Delegated HIVE: 0.000
Estimated Account Value: $6,946.68
Recent Activity:
@leovoter Wallet:
Author Rewards: 194.75
Curation Rewards: 193.88
Staked HIVE (HP): 0.00
Rewards/Stake Co-efficient (KE): 388,632.00 (Suspiciously High)
HIVE: 0.000
Staked HIVE (HP): 0.001
Total: 16.551
Delegated HIVE: +16.550
Recent Activity:
@abide Wallet:
Recent Activity:
@proposalalert Wallet:
Recent Activity:
@stemgeeks Wallet:
Recent Activity:
Sent to themarkymark -1.556 HBD (Jun 14, 2024)
Withdraw vesting from @theycallmemarky to @ipromote 0.725 HIVE (Dec 1, 2024)
Sent to ipromote -9.202 HIVE (Oct 17, 2024)
@apeminingclub Wallet:
Recent Activity:
Scheduled unstake (power down): ~2.351 HIVE (in 4 days, remaining 7 weeks)
Total Staked HIVE: 1,292.019
Delegated HIVE: +1,261.508
Withdraw vesting from @apeminingclub to @blockheadgames 2.348 HIVE (10 days ago)
Claim rewards: 0.290 HP (10 days ago)
Sent to bdhivesteem-40,000.000 HIVE
6 hours ago
101417581
Sent to bdhivesteem-20,000.000 HIVE
6 hours ago
103874728
https://peakd.com/@hurtlocker/wallet !LADY !ALIVE !HUG !INDEED !HBIT !LUV !PIZZA
https://www.youtube.com/shorts/pM6aQTrjC98?feature=share