PINK: E2E trace analysis — Pass 15 resource leaks/trust boundaries/security (R1-R14)

Fifteenth pass: exchange REST/WS data parsed without schema validation (R7
Critical), restore_state() deserializes arbitrary JSON full kernel takeover
(R9 Critical), ThreadPoolExecutor never shut down 3 threads leak (R1 High),
BingxVenueAdapter no close() HTTP client unreleasable (R2 High),
_intent_cache unbounded growth (R3 High), shared memory JSON no integrity
check (R8 High), env-based mainnet switch (R10 High), .env secrets exposure
(R11 High), listenKey in WS URL f-string MITM injection (R13 High).
289 total flaws across 15 passes.

Co-authored-by: CommandCodeBot <noreply@commandcode.ai>
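To make the R7 and R13 items above concrete, here is an added example of the kind of input handling the commit message is asking for; it is not code from this repository, and the base URL, listenKey format, and message field names are assumptions for illustration. It allow-lists the exchange-supplied listenKey and builds the WebSocket URL from parts rather than an f-string (R13), and it parses a trade message against an explicit schema with type and range checks instead of trusting the JSON as-is (R7).

```python
import json
import re
from decimal import Decimal, InvalidOperation
from urllib.parse import urlencode, urlsplit, urlunsplit

# Assumed values for the example: the page gives neither the real endpoint
# nor the listenKey format, so these are placeholders, not the project's.
WS_BASE = "wss://example.invalid/ws"
_LISTEN_KEY_RE = re.compile(r"[A-Za-z0-9]{16,128}")
_SYMBOL_RE = re.compile(r"[A-Z0-9]{2,10}-[A-Z0-9]{2,10}")


class UntrustedInput(ValueError):
    """Raised when data received from the exchange fails validation."""


def validate_listen_key(key):
    """Allow-list the listenKey before it goes anywhere near a URL."""
    if not isinstance(key, str) or _LISTEN_KEY_RE.fullmatch(key) is None:
        raise UntrustedInput("listenKey failed allow-list check")
    return key


def build_ws_url(listen_key):
    """Assemble the user-stream URL from components, not an f-string.

    A key such as 'abc?x=1' or 'abc#frag' is rejected by the allow-list, and
    urlencode() would percent-encode it anyway, so exchange-controlled bytes
    can never rewrite the path, query or fragment of the connection.
    """
    key = validate_listen_key(listen_key)
    scheme, netloc, path, _query, _fragment = urlsplit(WS_BASE)
    return urlunsplit((scheme, netloc, path, urlencode({"listenKey": key}), ""))


def _symbol(value):
    if not isinstance(value, str) or _SYMBOL_RE.fullmatch(value) is None:
        raise UntrustedInput("bad symbol")
    return value


def _positive_decimal(value):
    # Prices and quantities must arrive as strings: floats lose precision and
    # JSON numbers can be arbitrarily large. 'NaN'/'Infinity' parse as Decimal
    # but are not finite, so they are rejected too.
    if not isinstance(value, str):
        raise UntrustedInput("numeric field must be a JSON string")
    try:
        number = Decimal(value)
    except InvalidOperation:
        raise UntrustedInput("not a decimal") from None
    if not number.is_finite() or number <= 0:
        raise UntrustedInput("value out of range")
    return number


def _timestamp_ms(value):
    # bool is a subclass of int, so exclude it explicitly.
    if isinstance(value, bool) or not isinstance(value, int) or not 0 < value < 2**53:
        raise UntrustedInput("bad timestamp")
    return value


# Wire key -> (internal name, validator). Unknown keys are ignored rather than
# rejected, because exchanges add fields without notice; required keys must exist.
TRADE_SCHEMA = {
    "s": ("symbol", _symbol),
    "p": ("price", _positive_decimal),
    "q": ("qty", _positive_decimal),
    "T": ("ts_ms", _timestamp_ms),
}


def parse_trade(raw, max_bytes=4096):
    """Parse one trade message; every field is checked before it is used."""
    if len(raw) > max_bytes:
        raise UntrustedInput("message too large")
    try:
        obj = json.loads(raw)
    except ValueError as exc:  # JSONDecodeError and UnicodeDecodeError
        raise UntrustedInput(f"malformed JSON: {exc}") from None
    if not isinstance(obj, dict):
        raise UntrustedInput("top-level value must be an object")
    parsed = {}
    for wire_key, (name, check) in TRADE_SCHEMA.items():
        if wire_key not in obj:
            raise UntrustedInput(f"missing field {wire_key!r}")
        parsed[name] = check(obj[wire_key])
    return parsed


# Constructed sample message for the example, not captured from any exchange.
SAMPLE_TRADE = b'{"s":"BTC-USDT","p":"65000.5","q":"0.01","T":1700000000000,"e":"trade"}'

if __name__ == "__main__":
    print(build_ws_url("A" * 32))
    print(parse_trade(SAMPLE_TRADE))
```

The same pattern applies to the REST responses: one validator per field, size-capped input, and a dedicated exception type so callers cannot confuse "the exchange sent garbage" with an internal error.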
Codex
2026-06-02 12:54:02 +02:00
parent 062b929caf
commit a4c1ec6139
2 changed files with 361 additions and 1 deletions

@@ -29,7 +29,8 @@
| O | Pass 12 (Sync/Async Wider Scope) | 11 | 0 | 3 | 7 | 1 | 0 |
| P | Pass 13 (FFI Safety/Dangling Pointers/Coverage) | 9 | 1 | 3 | 3 | 1 | 1 |
| Q | Pass 14 (Serde Edges/Backup Diffs/Market Data) | 12 | 0 | 4 | 3 | 2 | 3 |
| **Total** | | **275** | **21** | **77** | **79** | **64** | **34** |
| R | Pass 15 (Resource Leaks/Trust Boundaries/Security) | 14 | 2 | 6 | 3 | 2 | 1 |
| **Total** | | **289** | **23** | **83** | **82** | **64** | **37** |
---
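Review bot: the new Total row does not follow from the previous total plus the R row in the last two columns: 64 + 2 gives 66 and 34 + 1 gives 35, yet the row reads 64 and 37 (the grand total 289 and the first three severity columns do add up). Either the Pass 15 row or the Total row is wrong; recompute one of them so the table is internally consistent, e.g. `| **Total** | | **289** | **23** | **83** | **82** | **66** | **35** |` if the R row is the correct one.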
@@ -388,6 +389,29 @@
---
## R-Series: Resource Leaks, Trust Boundaries, Security (Pass 15)
*Full detail in TRACE doc under "PASS 15 — RESOURCE LEAKS, TRUST BOUNDARIES, SECURITY."*
| # | Flaw | Layer | Severity |
|---|------|-------|----------|
| R1 | `ThreadPoolExecutor` never shut down 3 threads leak | Venue | **High** |
| R2 | `BingxVenueAdapter` no `close()` backend HTTP client unreleasable | Venue | **High** |
| R3 | `real_zinc_plane._intent_cache` grows unboundedly | Plane | **High** |
| R4 | `RealZincPlane`/`ControlPlane` partial-construction SharedRegion leak | Plane | Medium |
| R5 | `BingxUserStream.ClientSession` no `__del__` connection pool leak | Venue | Medium |
| R6 | `test_alpha_blue_untouched_g7.py` open() without context manager | Test | Low |
| R7 | All exchange REST/WS data parsed without schema validation | Venue | **Critical** |
| R8 | Shared memory JSON deserialization without integrity check | Plane | **High** |
| R9 | `restore_state()` deserializes arbitrary JSON full kernel takeover | Bridge | **Critical** |
| R10 | `DOLPHIN_BINGX_ENV` + `ALLOW_MAINNET` mainnet switch via env | Config | **High** |
| R11 | `.env` file loaded from project root secrets exposure | Config | **High** |
| R12 | Unvalidated `int()` on env vars recv_window, leverage extremes | Config | Medium |
| R13 | `listenKey` from exchange in WS URL f-string MITM injection | Venue | **High** |
| R14 | `mock_venue._exchange_event_queue` unbounded growth | Test | Low |
---
## H-Series: Edge Domains — Dependencies, Error Handling, Types, Contracts (Pass 5)
*Full detail in TRACE doc under "PASS 5 — EDGE DOMAINS."*
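Review bot: the severity tally in this R-series table disagrees with the Pass 15 row added to the summary table above. The table lists seven High entries (R1, R2, R3, R8, R10, R11, R13), two Critical, three Medium and two Low, while the summary row records 6 High and 1 in the final column; either downgrade one of the High rows here or correct the summary row. Separately, R13 labels the flaw "MITM injection", but what an unvalidated `listenKey` in an f-string permits is URL or path injection by whoever controls that response; naming it precisely matters because the fix (allow-list the key, build the URL from parts) is different from a transport-hardening fix.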