Dev Update 2026-06-08

Dev Update | Neptune & Triton Projects

1. Last Week by the Numbers

neptune-core

  • Pull Requests: 2 opened, 1 merged
  • Issues: 2 raised
  • Commits: 4 merged into master

triton-vm

  • Pull Requests: 1 merged
  • Commits: 2 merged into master

twenty-first

  • Commits: 6 merged into master

tasm-lib

  • Pull Requests: 1 opened
  • Commits: 3 merged into master

(Note: Active data compiled from internal repository activity logs for the last 7 days.)

2. Stand-up Summary

Alan Szepieniec

  • Last Week: Reviewed and implemented patches over the weekend for a newly discovered critical vulnerability. Implemented a dependency upgrade in neptune-core for the upcoming “gamma” hard fork, enabling the system to roll back to the latest canonical block upon startup.
  • Coming Week: Focusing on high-level technical reviews and commentary, with an absolute priority on addressing and finalizing the codebase changes for the latest security vulnerability.

Thorkil Værge

  • Last Week: Investigated the TASM lib vulnerability and discussed optimal placement for the fix. Worked on neptune-wallet debugging to address user feedback regarding balance discrepancies between the wallet and neptune-core (verified local instances matched correctly, but using the feedback to refine endpoint requirements). Onboarded a new contributor, Seokim, to the neptune-core codebase.
  • Coming Week: Re-verifying the TASM lib vulnerability to reach absolute logical certainty (“three nines”), helping implement the patch, coordinating the public announcement timeline, and maintaining strict focus on executing the “gamma” hard fork deployment.

Ferdinand Sauer

  • Last Week: Resolved bugs related to univariate batching and advanced the implementation of Tip 10. Performed essential software maintenance, including fixing bugs in the Triton assembly tutorial and updating Triton CLI dependencies flagged by Dependabot.
  • Coming Week: Syncing with Alan Szepieniec to review the pending univariate batching pull request and continuing development from the office.

3. Technical Discussion

TASM Lib Critical Vulnerability Fix

A critical vulnerability was identified in TASM lib via an external audit. The vulnerability involves input validation during the Fiat-Shamir sponge absorption phase. Specifically, a malicious actor could declare a digest length of zero, allowing them to bypass absorbing elements into the sponge state while still skipping over the digest. This enables manipulation of Merkle roots and proof challenges.

The fix will introduce an explicit assertion within the absorption functions (targeting DQ next or DQ nexts) to guarantee that the provided length indicator strictly matches the expected static size.
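
The zero-length case and the planned assertion can be seen in a toy Rust model. This is an example added here, not code from tasm-lib or the audit. The length-prefixed stream layout, the toy sponge (not Tip5), and the names `ToySponge`, `dequeue_digest` and `challenge_for` are all assumptions made for illustration.

```rust
// Added illustration: a toy model, not tasm-lib code. The stream layout
// (length prefix followed by payload) and all names are assumptions.
const DIGEST_LEN: usize = 5; // static size of a digest, in words

/// Toy stand-in for the Fiat-Shamir sponge (not Tip5, not secure).
#[derive(Default)]
pub struct ToySponge(u64);

impl ToySponge {
    fn absorb(&mut self, words: &[u64]) {
        for w in words {
            self.0 = (self.0 ^ w).wrapping_mul(0x9E37_79B9_7F4A_7C15).rotate_left(29);
        }
    }
}

/// Dequeues one item `[declared_len, w0, .., w4]` at `pos`.
/// Returns the digest and the position of the next item.
pub fn dequeue_digest(
    stream: &[u64],
    pos: usize,
    sponge: &mut ToySponge,
    strict: bool,
) -> Result<([u64; DIGEST_LEN], usize), &'static str> {
    let declared = *stream.get(pos).ok_or("truncated stream")?;
    // The fix: the length indicator must equal the static size.
    if strict && declared != DIGEST_LEN as u64 {
        return Err("length indicator does not match digest size");
    }
    let end = pos + 1 + DIGEST_LEN;
    let body = stream.get(pos + 1..end).ok_or("truncated stream")?;
    // Absorption follows the declared length ...
    sponge.absorb(&body[..(declared as usize).min(DIGEST_LEN)]);
    // ... while reading and skipping follow the static size.
    let mut digest = [0u64; DIGEST_LEN];
    digest.copy_from_slice(body);
    Ok((digest, end))
}

/// Challenge sampled after dequeuing the first item of `stream`.
pub fn challenge_for(stream: &[u64], strict: bool) -> Result<u64, &'static str> {
    let mut sponge = ToySponge::default();
    dequeue_digest(stream, 0, &mut sponge, strict)?;
    Ok(sponge.0)
}

fn main() {
    let zero_len: [u64; 6] = [0, 1, 2, 3, 4, 5]; // constructed sample
    println!("lenient: {:?}", challenge_for(&zero_len, false));
    println!("strict:  {:?}", challenge_for(&zero_len, true));
}
```

With `strict` off, the challenge no longer depends on the digest the verifier goes on to use. With `strict` on, the item is rejected before anything is absorbed.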

A secondary, lower-severity vulnerability was identified in the nondeterministic size indicator integrity verification. Here, list sizes were asserted only after multiplication, risking an unexploited integer wraparound modulo P. Assertions will be reordered to validate boundaries pre-multiplication.

Program Hash Stability Strategy

Modifying the underlying verification mechanics inherently shifts the resulting program hashes, which would trigger breaking changes to existing time locks and native currency architectures in the UTXO accumulation scheme. To preserve complete backwards compatibility, the team decided to leave the existing verification logic active for historical items committed to the UTXO accumulation scheme. A brand new verification function—verify nondeterministic input—will be introduced to apply the updated, secure logic strictly to all new inputs moving forward.


4. Updates and Announcements

  • Vulnerability Disclosure: A coordinated public security announcement regarding the TASM lib vulnerability and its corresponding patch is scheduled for release today, delayed by at least four hours from the stand-up time to ensure all network operators are prepared.
  • Gamma Hard Fork Preparation: Node operators, mining pools, and core service endpoints are being coordinated to deploy the “gamma” hard fork patch simultaneously to prevent nodes from falling off-chain.