File: crates/state/src/event.rs:452, crates/state/src/event.rs:426, crates/state/src/sync.rs:95
Severity: robustness — availability
Obvious? no
Several hot paths use bincode::serialize(&signable).expect("event serialization should not fail") and bincode::serialize(&input).expect("snapshot serialization should not fail").
While bincode serialization of structs containing only owned Vec/String/integers cannot realistically fail, the attacker controls the kind: EventKind content (e.g., a RotateChannelKey carrying a String whose bytes are not valid UTF-8, produced via unsafe).
Fix: defense-in-depth — instead of expect, have verify() return false on a serialization error, so a malformed deserialize-then-reserialize round-trip cannot panic the entire receive loop.
Filed by /general-audit @ b901575 (2026-05-02). master: #513.
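The fix pattern from this finding, as an added example that is not code from the audited crates: a verify() that treats a serialization error as a failed verification instead of unwinding. The event types, the length-prefixed serializer standing in for bincode::serialize (it returns Err for a String with invalid UTF-8, which is the failure mode modelled here), and the FNV-based stand-in signature are all constructed assumptions.

```rust
use std::fmt;

/// Constructed stand-in for the event types named in the finding
/// (assumption: the real crates/state types differ in shape).
pub enum EventKind {
    RotateChannelKey { channel: String, key: Vec<u8> },
    Message { body: String },
}

pub struct Signable {
    pub seq: u64,
    pub kind: EventKind,
}

#[derive(Debug, PartialEq)]
pub struct SerError(String);

impl fmt::Display for SerError {
    fn fmt(&self, f: &mut fmt::Formatter<'_>) -> fmt::Result {
        write!(f, "serialization error: {}", self.0)
    }
}

fn put_bytes(out: &mut Vec<u8>, b: &[u8]) {
    out.extend_from_slice(&(b.len() as u64).to_le_bytes());
    out.extend_from_slice(b);
}

/// Strings are validated before being written, so a String built with
/// from_utf8_unchecked surfaces as Err rather than passing silently.
fn put_str(out: &mut Vec<u8>, s: &str) -> Result<(), SerError> {
    if std::str::from_utf8(s.as_bytes()).is_err() {
        return Err(SerError("malformed UTF-8 in String".into()));
    }
    put_bytes(out, s.as_bytes());
    Ok(())
}

/// Stand-in for bincode::serialize(&signable): fallible, returns Result.
pub fn serialize(s: &Signable) -> Result<Vec<u8>, SerError> {
    let mut out = Vec::new();
    out.extend_from_slice(&s.seq.to_le_bytes());
    match &s.kind {
        EventKind::RotateChannelKey { channel, key } => {
            out.push(0);
            put_str(&mut out, channel)?;
            put_bytes(&mut out, key);
        }
        EventKind::Message { body } => {
            out.push(1);
            put_str(&mut out, body)?;
        }
    }
    Ok(out)
}

/// Toy signature (FNV-1a over the serialized bytes); stands in for the real check.
pub fn sign(bytes: &[u8]) -> u64 {
    bytes
        .iter()
        .fold(0xcbf29ce484222325u64, |h, b| (h ^ *b as u64).wrapping_mul(0x100000001b3))
}

/// Before: the pattern the finding flags. A serialization error panics,
/// and the panic unwinds through the whole receive loop.
pub fn verify_before(ev: &Signable, sig: u64) -> bool {
    let bytes = serialize(ev).expect("event serialization should not fail");
    sign(&bytes) == sig
}

/// After: a serialization failure is simply a failed verification.
pub fn verify_after(ev: &Signable, sig: u64) -> bool {
    match serialize(ev) {
        Ok(bytes) => sign(&bytes) == sig,
        Err(_) => false,
    }
}

/// Receive loop using the hardened check; returns how many events were accepted.
/// A malformed event is dropped and the loop keeps processing the rest.
pub fn receive_loop(events: &[(Signable, u64)]) -> usize {
    events.iter().filter(|(ev, sig)| verify_after(ev, *sig)).count()
}

/// Models the attacker-controlled content from the finding: a String whose
/// bytes are not valid UTF-8, constructed via unsafe for the demonstration only.
pub fn malformed_event() -> Signable {
    let bad = unsafe { String::from_utf8_unchecked(vec![0xff, 0xfe]) };
    Signable { seq: 7, kind: EventKind::RotateChannelKey { channel: bad, key: vec![1, 2, 3] } }
}

fn main() {
    let good = Signable { seq: 1, kind: EventKind::Message { body: "hello".to_string() } };
    let sig = sign(&serialize(&good).unwrap());
    println!("good event verifies: {}", verify_after(&good, sig));
    println!("malformed event rejected: {}", !verify_after(&malformed_event(), 0));
    println!("accepted in loop: {}", receive_loop(&[(good, sig), (malformed_event(), 0)]));
}
```

The design point is that verify() already has a boolean failure channel, so mapping Err to false costs nothing and keeps the panic boundary out of the per-message hot path; verify_before is kept only to show the behaviour being removed.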