We completed a second round of intensive security reviews with Cantina, following the recent completion of a security competition with a prize pool totaling $65,000. This second review was structured as a private competition among an elite selection of security researchers to strengthen mev-commit's core security infrastructure, with a prize pool of $15,000. The weeklong competition specifically focused on key components of mev-commit’s provider registry and commitment verification systems to battle-test our preconfirmation infrastructure.
The week-long review conducted from December 3-8 identified eight security issues across different risk categories. While no critical vulnerabilities were found, the competition surfaced two high-risk and two medium-risk issues that provided valuable insights for improving our security architecture.
One of the most significant improvements came from rethinking how we handle block builder BLS keys in our provider registry. The security researchers identified a potential vulnerability where malicious actors could overwrite BLS key mappings, potentially preventing legitimate block builders from receiving rewards or evading slashing penalties. We've implemented strict controls on BLS key registration to prevent such manipulations to ensure that only legitimate providers can register their keys and receive rewards for fulfilled commitments.
We discovered important areas for improvement in our slashing implementation, particularly around bid decay calculations and compensation amounts. As a result, we've enhanced how we track provider stakes against their commitments so that providers maintain adequate stake to cover potential slashing scenarios. This creates stronger economic security guarantees for both bidders and the overall protocol.
We've strengthened our commitment verification system to now atomically verify both commitment signatures and timestamps. This not only patches potential vulnerabilities but provides a more flexible framework for future security capabilities. The system combines commitment parameters and timing guarantees into a single verifiable structure, so that additional security checks can be added while maintaining backwards compatibility.
While successfully completing this security review marks an important milestone, we view security as an ongoing process. Each improvement serves as a foundation for future enhancements to our preconfirmation infrastructure. We've already:
These improvements provide a strong foundation for mev-commit's role as a p2p networking platform that facilitates end-to-end encrypted real-time interactions and coordination between mev actors and execution providers. The successful security review and subsequent enhancements demonstrate our commitment to building infrastructure that users and developers can trust.
We're particularly grateful to Cantina and the security researchers who participated in the competition. Their insights helped identify edge cases and potential vulnerabilities. We believe in transparency about our security work and encourage the kind of collaborative security improvement that strengthens the entire ecosystem. However, our commitment to security doesn't end here - we'll continue to build on these improvements and maintain rigorous security standards as we roll out new features.