Vulnerability Types

Consensus manipulation, evidence handling bypass, state sync corruption, mempool panic recovery failure, DoS via bit array overflow, block sync spoofing

Vendor Response

7 additional CVEs filed by Whitenbaker. Zero acknowledged by vendor. Silent patch merged via ghost account (“mattac21”) 13 days post-disclosure with zero attribution. Fix bundled into v0.39.2 release with no security advisory.

Current Status

MITRE filings active. Vendor’s own patch introduced 2 new vulnerabilities (evidence suppression + guaranteed DoS). 50+ downstream chains affected. Vendor engaged in active evidence suppression.

Regulatory relevance: Infrastructure securing $50B+ in delegated assets across 50+ blockchain networks. Silent patching violates coordinated disclosure norms and leaves downstream forks exposed.

Vulnerability Types

Race conditions in payment processing, authentication bypass, SSRF in proxy layer, cryptographic implementation flaws, webhook validation failures

Vendor Response

Race condition PoC confirmed: $130 refunded on a $50 charge. 70+ security patches applied silently with zero CVE filings. Report submitted May 2026.

Current Status

70+ silent patches documented and banked. 3 watermark findings planted for attribution tracking. Active monitoring for silent patch incorporation.

Regulatory relevance: PCI DSS-scoped payment processor. Silent patching of payment logic vulnerabilities raises compliance concerns for merchants using this open-source payment infrastructure.

Vulnerability Types

GMP module critical vulnerabilities (2 Critical + 1 Medium), AuthZ privilege escalation, lockup module authentication bypass, rate-limiting bypass

Vendor Response

3 CVEs filed by Whitenbaker and accepted by MITRE. Remaining 23+ security patches lack corresponding disclosures. AuthZ privilege escalation initially triaged on HackerOne.

Current Status

Additional critical findings banked pending tagged releases. Lockup module bypass ($50K estimated bounty) held. Same development team as CometBFT (3 commit authors across both repos).

Regulatory relevance: Core framework for 50+ production blockchain networks managing billions in user funds. Undisclosed patches propagate silently to downstream chains.

Vulnerability Types

SSRF, privilege escalation, SQL injection, missing authentication on sensitive endpoints, secrets management bypass

Vendor Response

Vendor initially denied vulnerabilities existed. Subsequently admitted in writing that the denial was false. Zero CVEs filed for any of the 18+ silently patched security issues.

Current Status

MITRE filing active. All 18+ patches documented with commit evidence. Vendor’s written admission of false denial preserved as evidence.

Regulatory relevance: Secrets management platform used in CI/CD pipelines. Organizations relying on Infisical for credential storage have no visibility into patched vulnerabilities affecting their security posture.

Vulnerability Types

Authentication bypass, session management flaws, token validation failures, privilege escalation in multi-tenant configurations

Vendor Response

13 CVEs sent to vendor. 5 additional CVEs ready to file. Zero CVEs issued by vendor for any patched security issue to date.

Current Status

Active CVE filing process. 18 total findings documented. Vendor has not issued any security advisories.

Regulatory relevance: Authentication platform handling user identity and session management. Undisclosed auth vulnerabilities directly impact every application using SuperTokens for login and access control.

Vulnerability Types

Inherited CometBFT consensus vulnerabilities, BEX exploit class ($12M impact), auto-synced upstream patches without independent security review

Vendor Response

Auto-syncs upstream CometBFT patches without security review or disclosure. $206K in owed bounties at vendor’s own published rates. Zero independent security advisories issued.

Current Status

13+ silent patches documented. $12M BEX exploit class missed during auto-sync process. Bounty obligations unmet. Asymmetric Research conflict of interest documented (audits code AND triages bounties).

Regulatory relevance: L1 blockchain with active DeFi ecosystem. Blind upstream syncing without disclosure creates systemic risk for validators and liquidity providers.

Vulnerability Types

Inherited CometBFT consensus vulnerabilities, storage protocol security flaws, authentication bypass in decentralized storage layer

Vendor Response

Used researcher’s exact finding numbers in PR #554 without attribution. Claimed to have stopped maintaining the protocol when confronted with findings. Ghosted all further communication.

Current Status

PR #554 provides public evidence that findings were received and acted upon. Protocol still operational despite vendor claims of abandonment. Zero CVEs or security advisories issued.

Regulatory relevance: Decentralized storage protocol holding user data. Using researcher findings without attribution while denying maintenance sets a dangerous precedent for disclosure norms.

Vulnerability Types

CometBFT fork vulnerability: missing return in detector.go enabling 800/800 evidence bypass, consensus manipulation affecting 508M TIA

Vendor Response

Patched upstream finding in January 2026 without any disclosure or security advisory. No CVE filed. No acknowledgment of the vulnerability or the researcher who reported it.

Current Status

Vulnerability patched but never disclosed. 508M TIA was at risk prior to silent patch. CVE filing in progress with MITRE.

Regulatory relevance: Modular blockchain with 508M TIA in staked value. Silent patching of a critical consensus vulnerability denied validators the ability to assess and respond to risk.

Vulnerability Types

Inherited CometBFT consensus vulnerabilities via private fork, cross-chain bridge security implications

Vendor Response

Private CometBFT fork deployed January 13 through February 17, 2026. Triager claimed “no fork” on April 22, contradicted by public commit 9ac677707f85. Zero security advisories issued.

Current Status

Public commit evidence preserved. Triager’s false claim documented. Private fork deployment timeline established through git history.

Regulatory relevance: Cross-chain bridge protocol. False statements from security triagers about fork status undermine the integrity of the vulnerability disclosure process for critical bridge infrastructure.