Misc Security Review #2276

Description

@sergerad
| # | Title | Description | PR |
|---|-------|-------------|----|
| 1 | F-77474 · Vault key metadata dropped | Partial-delta vault path collapses fungible vault keys to faucet ID, dropping `AssetCallbackFlag` so persisted vault rows diverge from the committed account root. | #2222 |
| 2 | F-77490 · Mutable same-height signing lets validator equivocate | Same-height proposals are accepted as replacements and `replace_into` overwrites the stored header, letting the validator sign two conflicting headers at one block number. | #2270 |
| 3 | F-77369 · Idle actors never expire | Per-loop idle timers reset on global per-block notifications, so no-work/never-committed NTX actors stay resident indefinitely consuming resources. | #2277 |
| 4 | F-77373 · Unfiltered network notes exhaust resources | Committed-block processing persists every network-target note and spawns an actor without checking the target is a tracked network account. | #2278 |
| 5 | F-77448 · Upstream-supplied proof events corrupt proven tip | ProofSync forwards upstream `block_num`/proof to `apply_proof` with no validation over a non-TLS client, letting MITM persist an arbitrary proven tip. | #2275 |
| 6 | F-77461 · Proof work blocks RPC | Claims `submit_proven_tx`/`_batch` verify/prove inline on async workers, saturating the RPC executor. | ❌ Stale: current code already offloads via `spawn_blocking`. |
| 7 | F-77462 · Spoofable rate-limit keys | Per-IP limiter keys on `SmartIpKeyExtractor`, so a client can spoof `X-Forwarded-For`/`Forwarded` headers to bypass burst/replenish limits. | ❌ Node should trust IP headers provided by proxy |
| 8 | F-77477 · Proven tip skips proofs | `advance()` enforces only monotonicity, not contiguity, so a far-future proof event poisons proven finality and can panic `sync_chain_mmr`. | #2275 |
| 9 | F-77482 · Unverified proofs poison finality | `apply_proof` commits and caches raw proof bytes without deserializing/verifying them or checking block-number binding. | #2275 |
| 10 | F-77484 · Future subscriptions leak tasks | Detached subscription tasks for far-future `from` park on tip changes without selecting on `tx.closed()`, so disconnects leak tasks past the semaphore cap. | #2279 |
| 11 | F-77489 · Remote block prover wire-format mismatch | Client serializes `ProposedBlock` for `ProofType::Block` but the server decodes `BlockProofRequest`, breaking production remote block proving. | #2280 |
| 12 | F-77492 · Unbounded `SlotData::All` requests | Storage-key limit counts only `MapKeys`; repeated `SlotData::All` entries force per-entry forest work and write-lock contention with `apply_block`. | |
| 13 | F-77409 · Pre-admission persistence exhausts disk | Validator durably stores full validated-tx BLOBs before block-producer admission, so non-admittable txs permanently consume validator disk. | |
| 14 | F-77460 · Future subscriptions exhaust slots | Subscriptions acquire one of 10 global permits before validating `block_from`, so idle future-height streams can exhaust all replica slots. | |
| 15 | F-77475 · Truncated pages look complete | `select_transactions_records` reports completion unless `total_size` exactly hits the cap, silently dropping rows after the first non-fitting tx. | |
| 16 | F-77483 · Unbounded startup account rebuild | Forest rebuild pages by account ID but reconstructs each account's full storage/vault unbounded, so one huge account can OOM/stall startup. | |
| 17 | F-77491 · Duplicate replay reaches expensive validation | Validator runs full proof verification + VM re-execution before `on_conflict_do_nothing` dedup, so replaying a known tx wastes CPU. | #2275 |
