🦞Security

Audit summary, hardening measures, and mainnet security plan.

BV-7X is on-chain intelligence that sells oracle services to humans and agents, so security is part of the product. A comprehensive audit covered the server, the client-side code, and the smart contracts; 19 findings were identified, 18 were fixed, and 1 was documented as a design-level consideration.

Audit summary

  • Total findings: 19

  • Fixed: 18

  • Documented (design-level): 1

  • Critical fixes: command injection, CORS bypass, error info leaks

  • SolidityScan result: 5 informational findings (all design-level, not bugs)

Smart contract hardening

Measures:

  • Ownership: Ownable2Step. Requires a 2-step ownership transfer. Prevents accidental ownership loss.

  • Reentrancy: ReentrancyGuard on exit() and all state-modifying functions.

  • Solidity: v0.8.28. Built-in overflow/underflow protection.

  • CEI pattern: Checks-Effects-Interactions enforced in notifyRewardAmount().

  • Approvals: Exact token approvals only. No MaxUint256 infinite approvals.

  • Tests: 19/19 passing. Includes 8 security-focused tests added during the audit.

Why Ownable2Step?

Standard Ownable transfers in a single transaction. A mistyped owner address can permanently brick admin access.

Ownable2Step requires the new owner to accept ownership. This removes the “wrong address” failure mode.

Why ReentrancyGuard?

MultiRewards transfers tokens on staking, withdrawal, and claims. ReentrancyGuard blocks re-entering during transfers. This prevents common DeFi drain patterns.

Contract addresses (Base Sepolia testnet)

  • MultiRewards: 0x9203ed58928C8F97357467ad449bA32946ac3A2a (verified)

  • mBV7X: 0xbf4994110caDBBd92F5A5f218DedE0E85b42A165 (verified)

  • mWETH: 0xB81F289a2ab3ab885f2238C57FCE1ff0EfbF4827 (verified)

  • Owner / deployer: 0xd8B71d23e1a8da9867497C0E757A1143B94C3e1e

All contracts are verified on BaseScan. Full source is available.

Server hardening

  • helmet.js security headers. HSTS, X-Frame-Options, X-Content-Type-Options, Content-Security-Policy.

  • Rate limiting. express-rate-limit on all API endpoints. Per-address limiting on referral endpoints.

  • HTTPS enforcement. Forced redirect with HSTS enabled.

  • Error sanitization. No stack traces, internal paths, or sensitive data in API errors.

  • x-powered-by disabled. Reduces framework fingerprinting.

  • CSP headers. Eliminates inline script execution.

Client hardening

  • SRI hashes on CDN scripts. ethers 6.9.0, chart.js 4.4.0.

  • XSS prevention. innerHTML replaced with textContent. Event delegation instead of inline onclick.

  • Session storage. sessionStorage instead of localStorage for sensitive data. Prevents cross-tab leakage.

  • CSP tightened. unsafe-inline eliminated.

What is SRI?

Subresource Integrity (SRI) hashes verify CDN scripts. If a script is modified, the browser refuses to execute it.

Critical fixes

  • Command injection. Replaced execSync() with execFileSync(). Prevents shell metacharacter injection.

  • CORS whitelist bypass. Fixed with strict origin matching against an explicit allowlist.

  • Error message information leaks. Removed internal paths, stack traces, and database details. Errors are now sanitized.
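
Strict origin matching against an explicit allowlist, as named in the CORS fix above, shown as an added example (not BV-7X's code). The allowlist entries and sample Origin values are constructed placeholders, and the loose substring check is an assumed stand-in for contrast, since the page does not show the original check.

```javascript
// Added example, not BV-7X code. Origins below are constructed placeholders.
const ALLOWED_ORIGINS = new Set([
  'https://app.example.com',
  'https://staging.example.com:8443',
]);

// Assumed loose check, shown only for contrast (the original is not on the page).
function looseOriginCheck(origin) {
  return typeof origin === 'string' && origin.includes('app.example.com');
}

// Strict check: the header must already be a canonical serialized origin
// (scheme://host[:port]) and equal an allowlist entry exactly.
function strictOriginCheck(origin) {
  if (typeof origin !== 'string' || origin === 'null') return false;
  let canonical;
  try { canonical = new URL(origin).origin; } catch { return false; }
  // Reject paths, credentials, odd casing or default ports instead of normalizing.
  if (canonical !== origin) return false;
  return ALLOWED_ORIGINS.has(origin);
}

// Echo only a matched origin, never "*"; Vary keeps caches from mixing responses.
function corsHeadersFor(origin) {
  const headers = { Vary: 'Origin' };
  if (strictOriginCheck(origin)) headers['Access-Control-Allow-Origin'] = origin;
  return headers;
}

// Constructed test values: one allowlisted origin and five that must be refused.
const SAMPLE_ORIGINS = [
  'https://app.example.com',
  'https://app.example.com.lookalike.test',
  'https://notapp.example.com',
  'http://app.example.com',
  'https://app.example.com:444',
  'null',
];

function compareChecks() {
  return SAMPLE_ORIGINS.map((origin) => ({
    origin,
    loose: looseOriginCheck(origin),
    strict: strictOriginCheck(origin),
  }));
}

console.table(compareChecks());
```

The table makes a useful regression test: every row except the first must stay false under the strict check.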

Mainnet security plan

When staking deploys to Base mainnet:

  • TimelockController. 48-hour delay on all admin actions. Covers reward distribution, emergency withdrawal, config changes.

  • Contract verification. Full source verified on BaseScan.

  • Multi-sig consideration. Critical operations may require multiple signatures.

Self-testing as security

Model integrity checks also reduce risk:

  • Contamination audit. Tests for leakage between training and test periods.

  • Stability test. Perturbs thresholds ±10% and ±20%. Detects overfitting.

  • Walk-forward validation. Expanding windows with strict holdout periods.

Diagnostics run automatically. Results are accessible via the Oracle API.
