Executive summary
Distilled from the full technical report (Report 4626-FABLE-2026-06, June 2026). Severity reflects exploitability and trust-boundary assumptions at the time of review.
Conclusion: No remotely exploitable unauthenticated RCE or fund-drain was identified in the web tier. Material risk concentrated in impairment side-pocket v1 (semi-trusted manager/keeper roles), x402 payment ordering, and CI guard enforcement gaps.
For evidence, architecture context, medium/low findings, and remediation guidance, continue to the full report.
Risk landscape
Finding register
Severity classification
| Level | Definition |
|---|---|
| Critical | Credible path to fund loss, auth bypass, or integrity failure under documented trust assumptions |
| High | Serious correctness or security gap that could become critical under realistic conditions, or breaks release/CI guarantees |
| Medium | Material hardening, data-integrity, or operational issue without direct anonymous exploit |
| Low | Defense-in-depth, informational, or backlog-quality item |
Critical findings
x402 payment settles before entitlement validation
Strategy activation broadcasts an on-chain USDC transfer before confirming no live activation exists. A subsequent database failure can leave a settled on-chain payment with no corresponding entitlement record.
Impairment claims lack cumulative supply cap enforcement
On-chain logic does not enforce that cumulative minted claims remain within totalClaimSupply. Shared escrow holds multiple epochs; over-claim in one epoch can drain tokens reserved for another.
Impairment root persists after false-alarm resolution
clearImpairmentTrip marks an epoch resolved but leaves snapshot root and claim supply active, preserving a claim surface inconsistent with public impairment disclosures.
High findings
Impairment recovery may double-count creator coin in totalAssets
When recovery asset equals creator coin, the transfer path does not decrement tracked coin balance until the next sync, temporarily overstating share price. No keeper amount cap is enforced.
Live deploy not blocked during dry-run
The deploy flow can submit a live transaction while a dry-run is in progress — the dryRunBusy guard is missing from submit logic and button disabled state.
Swap auto-quote can interrupt review/submit
Background re-quoting during review or quote states invalidates in-flight work and can abort submission after partial signing steps.
CI enforcement gaps
Semgrep may be non-blocking due to shell pipe behavior; repository boundary guards are not fully wired into gating CI; a control-plane cron workflow fails at install due to lockfile toolchain mismatch.
Positive observations
| Area | Assessment |
|---|---|
| Anonymous web-tier exploit surface | No unauthenticated RCE or fund-drain identified |
| Profile merge atomicity | Verified sound |
| Keeper job claim semantics | Verified sound |
| Telegram link-token replay | Verified sound |
| Canonical CSW policy guard | Passing in baseline |
| Migration RLS posture | Verified sound |
Additional findings
The full report registers 9 medium and 12 low findings covering cron database access patterns, x402 nonce persistence, Stripe webhook body handling, CSP configuration, alias resolution gaps, and related items. See Section 4 — Prioritized findings.
Evidence & appendices
Lead review session: Full-codebase review (eight parallel workstreams). Independent security pass: c603521c…. Full session register: Appendix A.
Was this page helpful?