Audit Report
MEDUSA Self-Audit
MEDUSA auditing MEDUSA — public, permanent, in full.
Tier
Self-Pro+ (two-round adversarial)
Submitted
2026-05-30
Findings
39
Disclosure Notice
DRAFT v2 is published openly for Director pre-publication review. Final Report blocks on Stage 1 (8-tool static sweep) and Stage 2 (LLM adversarial round) re-running against the post-remediation HEAD. Every finding's status — fixed, mitigated, accepted-risk, deferred — is enumerated in §3 of the linked report.
Findings
Preview of submitted findings.
- H-01High
audit-request endpoint missing rate-limit and body-size cap — FIXED
Scope: app/api/audit-request/route.ts · Manual (Stage-3 adversarial)
- H-02High
Wallet payment race: setTimeout instead of waitForTransactionReceipt — FIXED
Scope: app/components/PayOnChainButton.tsx · Manual (Stage-3 adversarial)
- M-12Medium
PaymentEscrow inherits renounceOwnership() — could brick admin functions (Accepted Risk · Safe 2/3 mitigates)
Scope: PaymentEscrow.sol (on-chain) · Manual (Stage-3 adversarial)