Skip to main content

Executive summary

Distilled from the full technical report (Report 4626-FABLE-2026-06, June 2026). Severity reflects exploitability and trust-boundary assumptions at the time of review.

Conclusion: No remotely exploitable unauthenticated RCE or fund-drain was identified in the web tier. Material risk concentrated in impairment side-pocket v1 (semi-trusted manager/keeper roles), x402 payment ordering, and CI guard enforcement gaps.

For evidence, architecture context, medium/low findings, and remediation guidance, continue to the full report.

Risk landscape

Finding register

Severity classification

LevelDefinition
CriticalCredible path to fund loss, auth bypass, or integrity failure under documented trust assumptions
HighSerious correctness or security gap that could become critical under realistic conditions, or breaks release/CI guarantees
MediumMaterial hardening, data-integrity, or operational issue without direct anonymous exploit
LowDefense-in-depth, informational, or backlog-quality item

Critical findings

Critical C-1

x402 payment settles before entitlement validation

Strategy activation broadcasts an on-chain USDC transfer before confirming no live activation exists. A subsequent database failure can leave a settled on-chain payment with no corresponding entitlement record.

frontend/api/_handlers/creator/strategy/_x402-activate.ts

Critical C-2

Impairment claims lack cumulative supply cap enforcement

On-chain logic does not enforce that cumulative minted claims remain within totalClaimSupply. Shared escrow holds multiple epochs; over-claim in one epoch can drain tokens reserved for another.

CreatorOVaultCoreModule.sol · 0xD455…85Cf · CreatorORecoveryEscrow.sol

Critical C-3

Impairment root persists after false-alarm resolution

clearImpairmentTrip marks an epoch resolved but leaves snapshot root and claim supply active, preserving a claim surface inconsistent with public impairment disclosures.

CreatorOVaultCoreModule.sol · 0xD455…85Cf · Impairment v1 disclosures

High findings

High H-1

Impairment recovery may double-count creator coin in totalAssets

When recovery asset equals creator coin, the transfer path does not decrement tracked coin balance until the next sync, temporarily overstating share price. No keeper amount cap is enforced.

High H-2

Live deploy not blocked during dry-run

The deploy flow can submit a live transaction while a dry-run is in progress — the dryRunBusy guard is missing from submit logic and button disabled state.

DeployVault.tsx

High H-3

Swap auto-quote can interrupt review/submit

Background re-quoting during review or quote states invalidates in-flight work and can abort submission after partial signing steps.

Swap.tsx · useSwapExecution.ts

High H-4 – H-6

CI enforcement gaps

Semgrep may be non-blocking due to shell pipe behavior; repository boundary guards are not fully wired into gating CI; a control-plane cron workflow fails at install due to lockfile toolchain mismatch.

Positive observations

AreaAssessment
Anonymous web-tier exploit surfaceNo unauthenticated RCE or fund-drain identified
Profile merge atomicityVerified sound
Keeper job claim semanticsVerified sound
Telegram link-token replayVerified sound
Canonical CSW policy guardPassing in baseline
Migration RLS postureVerified sound

Additional findings

The full report registers 9 medium and 12 low findings covering cron database access patterns, x402 nonce persistence, Stripe webhook body handling, CSP configuration, alias resolution gaps, and related items. See Section 4 — Prioritized findings.

Evidence & appendices

Lead review session: Full-codebase review (eight parallel workstreams). Independent security pass: c603521c…. Full session register: Appendix A.