Period: February 16 – May 16, 2026 (90 days)
Contributors: 7
Result: 231 confirmed bugs found and fixed. 100% remediation rate.
Cross-chain infrastructure is the most attacked target in crypto. Not because they're poorly built but because they move real money between chains, and real money attracts serious attackers. Since 2021, bridge exploits have cost users over $4.5 billion. In almost every case, the vulnerability existed before launch. It just wasn't found.
We decided to find ours first.
Over 90 days, we ran 20 audit passes across 30 repos using 10 distinct methodologies all including comprehensive penetration tests. We have found that simple code audits only ever reveal a fraction of overall bugs.
The newly added approach: scraping every security commit THORChain and Chainflip ever pushed - 5,392 commits, ~59,000 individual evaluations against our codebase and asking one question for each: does the function this fixed exist in Magi? Not the code. The function. Leveraging the industry’s accumulated failure history to harden Magi.
We take our security very seriously and before EVM, ZK proofs, DASH and Pendulum launch we intend to reapply this methodology once again, with up to ~500 000 individual checks across our codebase. One historical security-relevant diff evaluated against an equivalent Magi trust boundary, state transition, or function surface.”
No human team could have done this volume. That was the point. Using the tools we have and attacking every single angle with sheer volume over every relevant bug fix done on comparable protocols and a varied multi-approach methodology before this helped us harden the system significantly. All confirmed findings underwent manual validation and remediation review.
The bug hunting never stops, as we introduce new systems, more bugs are introduced that we will be systematically covering as we move along.
1. AUDIT SCOPE & METHODOLOGY
Coverage
| Metric | Value |
|---|---|
| Repos audited | 30 core protocol + Altera |
| Competitor commits scraped (reference) | 5,392 (THORChain + Chainflip) |
| Commit-to-repo evaluations | ~59,000 |
| Scenarios tested | 1500+ adversarial |
| Audit passes | 20 |
| Distinct methodologies | 10 |
False Positive Elimination: Potential findings were not accepted based on static analysis or AI detection alone. Each confirmed issue required validation through live exploit reproduction on testnet or equivalent adversarial simulation.
Methodologies Employed
| # | Method | Application |
|---|---|---|
| 1 | Operational Approach | Core methodology: attack first, prove everything, kill false positives |
| 2 | Three-Pass Line-by-Line | Initial audit — automated scan → verification → lifecycle trace |
| 3 | Adversarial Red-Team | Infrastructure reachability scan + attack chain construction |
| 4 | Four-Lens Parallel Audit | Bug class × Invariant × Trust boundary × State machine — 4 agents in parallel |
| 5 | 1500-Scenario Stress Testing | 1500 discrete attack scenarios across 7 categories, live testnet exploits |
| 6 | Cross-Codebase Reference | 5,392 competitor security commits functions mapped against 11 repos. Exploit lineage analysis + vulnerability pattern transplantation detection |
| 7 | Research-Informed Pattern Mapping | 30+ real-world exploits ($2B+ in losses) mapped to Magi architecture |
| 8 | Live Penetration Testing | SSH to production node, MongoDB queries, GQL simulation, L1 TX broadcast |
| 9 | Commit-by-Commit Diff Comparison | 60 000 diffs individually checked against Magi. Isolating security-relevant diffs and tracing equivalent trust boundaries |
| 10 | Direct Attack Path Tracing | Top 14 responsible disclosures traced to equivalent Magi code |
2. SUMMARY TABLE — FINDINGS BY SEVERITY & CATEGORY
231 Confirmed Fixes
| Type | Count | Description |
|---|---|---|
| Security vulnerabilities | 58 | Auth bypass, overflow, quorum bypass, injection, fund theft vectors |
| Stability fixes | 60 | Panics, nil derefs, deadlocks, goroutine leaks, node halt conditions |
| Logic bugs | 113 | Incorrect behavior with fund impact |
| TOTAL | 231 | All with commit evidence on GitHub |
Security Vulnerabilities by Severity (58)
| Severity | Count |
|---|---|
| Critical | 8 |
| High | 16 |
| Medium | 22 |
| Low | 12 |
By Category
| Category | Security | Stability | Logic | Total |
|---|---|---|---|---|
| TSS / Cryptographic | 9 | 12 | 8 | 29 |
| Gateway / Accounting | 6 | 3 | 14 | 23 |
| DEX / Swap | 8 | 0 | 15 | 23 |
| Oracle / Relay | 3 | 7 | 12 | 22 |
| UTXO Mapping | 9 | 4 | 8 | 21 |
| EVM / Account Mapping | 11 | 2 | 5 | 18 |
| State Engine / Runtime | 4 | 14 | 9 | 27 |
| P2P / Network | 2 | 9 | 6 | 17 |
| Infrastructure | 4 | 5 | 8 | 17 |
| Altera (functional) | 2 | 4 | 28 | 34 |
3. NOTABLE FINDINGS — CRITICAL SEVERITY
DEX Pool Init — Fund Theft
Repo: dex-contracts | Found: 2026-05-03 | Fixed: 2026-05-03
No auth check on init export.
BLS Quorum Bypass — 20 Sub-Quorum Commitments On Testnet
Repo: go-vsc-node | Found: 2026-05-15 | Fixed: 2026-05-15
vsc.tss_commitment verified BLS signature math but never checked 2/3 weighted quorum.
Fix: ef420b48 (Milo)
TSS Session Nonce — Keygen/Reshare Collision
Repo: go-vsc-node | Found: 2026-05-15 | Fixed: 2026-05-15
SetSessionNonce from tss-lib v3 was never called.
Fix: 64d88c1c (Milo)
Gas Fee Integer Overflow — Balance Increases on Withdrawal
Repo: account-mapping | Found: 2026-04-28 | Fixed: 2026-05-01
int64(21000 * gasFeeCap) wraps negative when baseFee >= 219,604 gwei. Withdrawal deducts a negative fee → user balance increases. Arithmetic overflow.
Fix: 9ed1f8f (lordbutterfly)
DoS Hardening — Sleep Loop + Simulate Bomb + Pubsub Flood
Repo: go-vsc-node | Found: 2026-03-29 | Fixed: 2026-03-29
Block producer sleep loop unbounded (infinite spin).
Fix: 3f88991b (lordbutterfly) — bounded iterations, max 10 simulate calls, HTTP timeouts.
WASM Gas Underflow — Unlimited Contract Execution
Repo: go-vsc-node | Found: 2026-03-26 | Fixed: 2026-03-28
Gas subtraction had no underflow guard. Contract could consume unlimited compute by wrapping gas counter below zero.
Fix: fd56def (lordbutterfly) — safe subtraction with underflow check.
ETH Header Chain Validation — Fake Deposit Proofs
Repo: account-mapping | Found: 2026-05-04 | Fixed: 2026-05-07
HandleAddBlocks stored oracle-submitted ETH headers with no parent hash linkage.
Fix: 32a0c89 (tibfox) — chain-validate ETH headers via parent_hash.
MPT Inline-Node Forgery — Proof Verification Bypass
Repo: account-mapping | Found: 2026-05-04 | Fixed: 2026-05-07
Merkle Patricia Trie verifier skipped hash check for inline nodes (< 32 bytes).
Fix: 9458140 (tibfox) — validate inline-node bytes against parent reference.
4. REMEDIATION STATUS
All 231 bugs have been fixed. Each fix has a corresponding commit on GitHub.
Fix Velocity
| Metric | Value |
|---|---|
| Total fix commits | 231 |
| Average finding-to-fix time | ~2.1 days |
| Same-day fixes (audit → commit) | 4 occurrences (Mar 26, Mar 29, Apr 15, May 15) |
| Largest single burst | 38 fixes in 4 days (Mar 26-29, post-audit) |
| Monthly acceleration | 3.2x (Month 1 → Month 3) |
Timing: Pre-Deployment vs Post-Deployment
| Bucket | Fixes | % |
|---|---|---|
| Fixed on code not yet deployed to mainnet | ~122 | 53% |
| Fixed on mainnet code before pool launch (~Apr 16) | ~60 | 26% |
| Fixed on mainnet code after pool launch | ~49 | 21% |
| TOTAL | 231 | 100% fixed |
79% of all bugs were fixed before the DEX pools went live with user funds.
5. BUG DENSITY — INDUSTRY COMPARISON
The Same Bug Classes. Different Outcomes.
| Bug Class (ours) | Our Fixes | Project That Missed It | Their Loss | What Happened |
|---|---|---|---|---|
| Auth & Authorization | 16 | Ronin Bridge | $625M | 5/9 keys compromised; no expiry, no detection for 6 days |
| Poly Network | $611M | Cross-chain executor accepted any target contract | ||
| Nomad Bridge | $190M | Zero-value bytes accepted as valid trusted root | ||
| Accounting & Solvency | 14 | Wormhole | $320M | Signature verification return unchecked; 120K wETH minted from nothing |
| BNB Bridge | $570M | Forged Merkle proof accepted; 2M BNB minted | ||
| Euler Finance | $197M | Donation function violated solvency invariant | ||
| Key Management | 9 | Harmony Horizon | $100M | 2-of-5 threshold; hot wallet keys on cloud |
| Multichain | $126M | All MPC shares held by single operator | ||
| Wintermute | $160M | Vanity address with 32-bit entropy brute-forced | ||
| Arithmetic Overflow | 8 | Cetus Protocol | $223M | Bitshift instead of bounds check in liquidity math |
| KyberSwap | $47M | Tick boundary double-count | ||
| Oracle Trust | 6 | Mango Markets | $117M | Self-manipulated price; no deviation circuit breaker |
| Cream Finance | $130M | Stale oracle during rebase | ||
| State & Concurrency | 12 | Curve Finance | $70M | Compiler reentrancy bug; state modified mid-call |
| Missing Rate Limits | 5 | Nomad | $190M | No pause; copycats drained everything in hours |
| Ronin | $625M | No monitoring; breach undetected 6 days |
Combined industry losses from the same bug classes we fixed: >$4.5 BILLION.
Every one of these protocols went to mainnet without catching what we caught. The bugs were the same. The methodology wasn't.
6. REMAINING ROADMAP ITEMS
These are infrastructure systems to build — not unfixed bugs.
| System | Purpose | Status |
|---|---|---|
| Solvency monitoring | Compare L2 balances vs L1 gateway balance every block | Circuit breaker Phase 1 complete |
| Circuit breaker | Auto-halt on unauthorized outbound or balance mismatch | Phase 1 complete, Phase 2 in progress |
7. TEAM
| Contributor | Fixes | Primary Impact |
|---|---|---|
| Milo Ridenour | 59 | Core state engine, Pendulum, DEX, TSS session binding, BLS quorum |
| tibfox | 49 | Contract security (EVM headers, MPT proofs, supply invariants), mapping, indexer |
| lordbutterfly | 38 | Security hardening (DoS, overflow, auth), EVM bridge, audit orchestration |
| techcoderx | 38 | TSS infrastructure, oracle, goroutine management, node stability |
| Andrea | 23 | Altera swap UX, transaction display, error handling |
| disregardfiat | 15 | TSS hardening, BLS quorum, Pendulum safety |
| Sagar | 9 | Altera deposit/withdraw flows, pool support |
Each fix undergoes extensive team reviews before implementation and post fix testing.
Conclusion:
We're not publishing this because we're proud of how many bugs we found. We're publishing it because the alternative, shipping without looking is how $4.5 billion disappeared from other protocols. The bugs in that table aren't hypothetical. They're the same classes that broke Thorchain, Ronin, Wormhole, Nomad etc. We found them in our code before an attacker did.
Two infrastructure systems remain in progress: solvency monitoring and the circuit breaker. These aren't unfixed bugs they're defensive systems we're building on top of a codebase.
We have stress-tested Magi with high adversarial coverage compared to standard audit processes.
Magi 2026 proposal is live. Vote for a better future for crypto.
https://peakd.com/me/proposals/378
Glad to see all that sorted out :)
Good to see that! We've heard the myth that Mythos discovered bugs and vulnerabilities in the most critical systems we have as human kind, including military systems. Of course you don't access to it, but do you use any top-end AI model to hunt for bugs? ...Because attackers will.
We use Claude for this. Once Mythos is live we will ofc start using that as well.