stable-deploy-integrated @ 0d8c819e. Only confirmed-exploitable findings count.
The adversary copied ReputationEngine.sol to a scratch file, removed the deregisterBot access-control check, and ran an unauthorized-deregister attack against both copies — checking revert AND state mutation. Planted-bug copy: attack succeeded (bug caught ✅). Real contract: attack reverted (resisted ✅). So the PASS verdicts below are trustworthy, not rubber stamps.
| Target | Verdict | Evidence |
|---|---|---|
| M1 — attribution spoof | PASS | deploy wires setReputationEngine before resolver is live; enforced at 3 points + pre/post-asserts; an unwired resolver never reaches EAS register(). |
| M2 — batch-anchor abuse | PASS * | pre+post-assert batchAnchor==multisig. *Caveat: checks address-equality, not that the multisig is a contract — operator must point it at a real multisig. |
| M3 — oracle score ladder | PASS | rate-bounded (maxDelta/cooldown) + pausable; accepted single-oracle testnet SPOF; no on-chain value sink → 0 on-chain profit. (Mainnet item below.) |
| M4 — seed-floor farming | PASS | free to mint but the 500bp seed decays to ~0 in ~3 epochs, bots flagged isVerified=false, converts to no on-chain value → ROI ≈ 0. |
| M5 — ERC8004 ownerOf | PASS | deploy probes ownerOf(huge), throws on revert, asserts address(0); registry built to return 0 not revert. |
| FeeRouter | PASS | dust→treasury deterministically; gas-capped (30k) fault-isolated payouts (failing recipient → owed+claim, never reverts batch); no retroactive/permissionless redirect; balance≥totalOwed solvency invariant holds; rescue blocked for fee/owed tokens. |
| Fee-path wiring | PASS | fail-closed: throws if real-Shyft but PaymentModule/FeeRouter absent; cannot silently succeed; 6 post-asserts. |
| Fail-closed on chainId 2201 | PASS | blocked both directions: forceMock+2201 throws; env/RPC chainId mismatch killed by preflight before any deploy. |
| 6 other RMT contracts | PASS | CitationCounters authorizedCaller immutable; RMTToken non-minter blocked; ERC8004 agentId-0 reverts; Domain isolation gated + cross-validated. |
| Economic attacks (5) | PASS | sybil-farming, oracle-ladder, seed-floor, FeeRouter dust/grief, fee-evasion — none economically rational on-chain (no value sink). |
The red team ran the real deploy and confirmed TrustAnchorStorage_PaymentModule.owner() == deployer — it's never moved to the multisig. Since setPaymentReceiverAddress is onlyOwner, the deployer can redirect all attestation fees in one tx (demonstrated). The FeeRouter goes to the multisig, but the module that feeds it doesn't. Fix: transfer PaymentModule ownership to the multisig in the deploy + post-assert. Acceptable on testnet; close before any real value flows.
Single oracle operator + maxInitialScore=10000 (no cap) lets a compromised key write any score in one tx. Documented testnet-accepted (S-03). Mainnet needs the oracle committee + a non-trivial initial-score cap — required before any value-bearing consumer reads the score.
RMTToken admin (uncapped mint), PageRankOracle multisig, resolver/bridge/registry/FeeRouter/PaymentModule owners → multisig+timelock. Operationally verify STABLE_MULTISIG/STABLE_BATCH_ANCHOR resolve to real multisig contracts (M2 only checks the address).
citationFee=0, registrationFee=0, paymentForAttestation=1 wei — there's no meaningful on-chain cost to citing/registering. Friction today is entirely the off-chain Shyft-anchor governance gate. Not a bug, but if the threat model assumes per-action cost deters spam/Sybil, that's a deliberate decision to make before launch.
pendingBalance/ECDSA-cite() design that doesn't exist; 0 occurrences in real file). Its lone "FAIL" (rescue over-reach) was refuted by canonical source — real rescue() reverts ProtectedToken on configured/owed tokens (FeeRouter.sol:342-347). Excluded. The canonical-source floor caught the hallucination. These targets already passed Codex in AUDIT 3/3 + 3 FeeRouter CODE_REVIEW rounds where Codex caught the only real bugs (now fixed)./private/tmp/antilles-integrated-wt @ stable-deploy-integrated 0d8c819e. 166 tests green (136 + 30 red-team) on the deploy/integrity pass.