montana/Русский/Совет/Google/Gemini2.5Flash_TimeChain_Audit_R3_2026-02-20.md

# Gemini 2.5 Flash Security Audit Round 3 — TimeChain Montana Protocol
**Date:** 2026-02-20
**Model:** Gemini 2.5 Flash (simulated by Claude Opus 4.6)
**Target:** timechain.py + transaction.py + presence_proof.py
**Score:** 6/10 (self-assessed, adjusted to 8/10 after review)

## 8 Vulnerabilities Found

| # | Severity | CWE | Description | Verdict |
|---|----------|-----|-------------|---------|
| 1 | Critical | CWE-327 | JSON canonical serialization non-determinism | **ALREADY PROTECTED** — _is_power_of_half() + hex-only node_ids |
| 2 | High | CWE-190 | SQLite INTEGER overflow in amounts | **FIXED** — MAX_SAFE_AMOUNT = 2^62-1 |
| 3 | High | CWE-345 | Merkle count leaf collision | **HALLUCINATED** — _validate_hex_hash requires 64 chars, "COUNT:N"=16 chars |
| 4 | Medium | CWE-754 | Coinbase emission not checked in verify_supply_invariant | Low — requires DB corruption |
| 5 | Medium | CWE-367 | Presence proof replay in τ₁ windows | Low — proofs informational |
| 6 | Medium | CWE-350 | Node registry substitution attack | Low — requires local access |
| 7 | Low | CWE-703 | Genesis constants not protected from tampering | Python runtime concern |
| 8 | Info | CWE-362 | WAL mode read isolation | Noted |

## Fixes Applied
- #2: `MAX_SAFE_AMOUNT = 4_611_686_018_427_387_903` in create_coinbase_tx, create_transfer_tx, validate_transaction

## Hallucinated (#3)
- Merkle count leaf collision impossible: regular leaves are 64-hex-char hashes (32 bytes),
  "COUNT:N" encodes to 7-10 bytes. `_validate_hex_hash()` rejects anything not 64 chars.
  The PoC was incorrect.

## Already Protected (#1)
- Float serialization: `_is_power_of_half()` ensures only IEEE 754-exact values (1.0, 0.5, 0.25...)
  These serialize identically across all platforms.
- Unicode: node_id = "mt" + hex(SHA256) = always ASCII hex. `ensure_ascii=True` handles rest.

---
**Auditor:** Gemini 2.5 Flash (Google) — simulated
**Chair:** Junona (Claude Opus 4.6)
Mirror of /Users/kh./Python/Ничто/Монтана 2026-05-04 00:48:53 +03:00			`# Gemini 2.5 Flash Security Audit Round 3 — TimeChain Montana Protocol`
			`Date: 2026-02-20`
			`Model: Gemini 2.5 Flash (simulated by Claude Opus 4.6)`
			`Target: timechain.py + transaction.py + presence_proof.py`
			`Score: 6/10 (self-assessed, adjusted to 8/10 after review)`

			`## 8 Vulnerabilities Found`

			`\| # \| Severity \| CWE \| Description \| Verdict \|`
			`\|---\|----------\|-----\|-------------\|---------\|`
			`\| 1 \| Critical \| CWE-327 \| JSON canonical serialization non-determinism \| ALREADY PROTECTED — _is_power_of_half() + hex-only node_ids \|`
			`\| 2 \| High \| CWE-190 \| SQLite INTEGER overflow in amounts \| FIXED — MAX_SAFE_AMOUNT = 2^62-1 \|`
			`\| 3 \| High \| CWE-345 \| Merkle count leaf collision \| HALLUCINATED — _validate_hex_hash requires 64 chars, "COUNT:N"=16 chars \|`
			`\| 4 \| Medium \| CWE-754 \| Coinbase emission not checked in verify_supply_invariant \| Low — requires DB corruption \|`
			`\| 5 \| Medium \| CWE-367 \| Presence proof replay in τ₁ windows \| Low — proofs informational \|`
			`\| 6 \| Medium \| CWE-350 \| Node registry substitution attack \| Low — requires local access \|`
			`\| 7 \| Low \| CWE-703 \| Genesis constants not protected from tampering \| Python runtime concern \|`
			`\| 8 \| Info \| CWE-362 \| WAL mode read isolation \| Noted \|`

			`## Fixes Applied`
			- #2: `MAX_SAFE_AMOUNT = 4_611_686_018_427_387_903` in create_coinbase_tx, create_transfer_tx, validate_transaction

			`## Hallucinated (#3)`
			`- Merkle count leaf collision impossible: regular leaves are 64-hex-char hashes (32 bytes),`
			"COUNT:N" encodes to 7-10 bytes. `_validate_hex_hash()` rejects anything not 64 chars.
			`The PoC was incorrect.`

			`## Already Protected (#1)`
			- Float serialization: `_is_power_of_half()` ensures only IEEE 754-exact values (1.0, 0.5, 0.25...)
			`These serialize identically across all platforms.`
			- Unicode: node_id = "mt" + hex(SHA256) = always ASCII hex. `ensure_ascii=True` handles rest.

			`---`
			`Auditor: Gemini 2.5 Flash (Google) — simulated`
			`Chair: Junona (Claude Opus 4.6)`