
security: Epoch Settlement red team report — Bounty #56#1925

Open
B1tor wants to merge 1 commit into Scottcjn:main from B1tor:security/epoch-settlement-redteam-56

Conversation


@B1tor B1tor commented Mar 28, 2026

Red Team: Epoch Settlement Manipulation — Bounty #56

Summary

Security audit of the RustChain epoch settlement system (RIP-200) revealing 6 vulnerabilities in reward distribution, claim processing, and API security.

Findings

| # | Severity | Finding |
|---|----------|---------|
| 1 | CRITICAL | Race condition in settle_epoch_rip200(): BEGIN IMMEDIATE lock bypassed when anti-double-mining delegates to new DB connection |
| 2 | HIGH | /rewards/settle endpoint has zero authentication (compare to /admin/fleet/report which checks X-Admin-Key) |
| 3 | HIGH | Auto-approve of claims stuck in 'verifying' status — no real verification |
| 4 | MEDIUM | Future epoch settlement — user-supplied epoch not validated against current time |
| 5 | MEDIUM | 10% random failure in sign_and_broadcast_transaction() — testing code in production path |
| 6 | LOW | No balance cap on amount_i64 accumulation |

Deliverables

  • security/epoch-settlement-report.md — Full report (269 lines)
  • security/epoch-poc/settlement_race_poc.py — Working PoC (4 demos)

PoC Demonstrates

  1. Unauthenticated settlement trigger
  2. Race condition allowing double-distribution of epoch rewards
  3. Future epoch manipulation
  4. Random 10% failure rate in production settlement code

Closes #56

RTC Wallet: RTC2fe3c33c77666ff76a1cd0999fd4466ee81250ff
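The locking mechanism behind finding #1, as an added illustration that is not part of this PR, of its PoC, or of the RustChain code base: the `payouts` table, the epoch number, the miner names and the amounts are constructed for the demo, and `guard_on_new_connection` / `settle_hardened` model the two patterns the report contrasts (a double-settlement check delegated to a fresh SQLite connection versus the same check performed inside the caller's own `BEGIN IMMEDIATE` transaction). Nothing here is taken from `settle_epoch_rip200()`; the point it shows is generic to SQLite: `BEGIN IMMEDIATE` serializes writers, but it does not make a check-then-act safe when the check runs on another connection, because that connection sees only committed rows and is not blocked by the writer's RESERVED lock.

```python
import os
import sqlite3
import tempfile

EPOCH = 7
# Constructed reward split for the demo (not RustChain data).
MINERS = {"miner-a": 60, "miner-b": 40}


def make_db() -> str:
    """Create a temporary on-disk database; two connections must share a file."""
    fd, path = tempfile.mkstemp(suffix=".db")
    os.close(fd)
    conn = sqlite3.connect(path)
    conn.execute("CREATE TABLE payouts (epoch INTEGER, miner TEXT, amount INTEGER)")
    conn.commit()
    conn.close()
    return path


def connect(path: str) -> sqlite3.Connection:
    # isolation_level=None: the driver issues no implicit BEGIN, so the transaction
    # boundaries are exactly the BEGIN IMMEDIATE / COMMIT statements written below.
    # timeout=0.2: a blocked BEGIN IMMEDIATE fails quickly instead of waiting 5 s.
    return sqlite3.connect(path, timeout=0.2, isolation_level=None)


def paid_rows(conn: sqlite3.Connection, epoch: int) -> int:
    return conn.execute("SELECT COUNT(*) FROM payouts WHERE epoch = ?", (epoch,)).fetchone()[0]


def ledger(conn: sqlite3.Connection, epoch: int) -> dict:
    rows, total = conn.execute(
        "SELECT COUNT(*), COALESCE(SUM(amount), 0) FROM payouts WHERE epoch = ?", (epoch,)
    ).fetchone()
    return {"rows": rows, "total": total}


def insert_payouts(conn: sqlite3.Connection, epoch: int) -> None:
    conn.executemany("INSERT INTO payouts VALUES (?, ?, ?)",
                     [(epoch, miner, amt) for miner, amt in MINERS.items()])


def guard_on_new_connection(path: str, epoch: int) -> bool:
    """The pattern the finding describes: the double-settlement check runs on a fresh
    connection. It sees only committed rows, and the RESERVED lock another connection
    holds after BEGIN IMMEDIATE does not block readers, so the check passes while that
    connection's payouts for the same epoch are still uncommitted."""
    conn = connect(path)
    try:
        return paid_rows(conn, epoch) > 0
    finally:
        conn.close()


def run_vulnerable() -> dict:
    """Workers A and B settle the same epoch; B's guard runs while A is mid-transaction."""
    path = make_db()
    a, b = connect(path), connect(path)
    try:
        guard_on_new_connection(path, EPOCH)        # A's check passes: nothing paid yet
        a.execute("BEGIN IMMEDIATE")                # A takes the write lock...
        insert_payouts(a, EPOCH)                    # ...and writes, but has not committed
        b_saw_settled = guard_on_new_connection(path, EPOCH)  # B's check: stale, sees no rows
        a.execute("COMMIT")
        if not b_saw_settled:                       # B acts on the stale answer
            b.execute("BEGIN IMMEDIATE")            # lock is free now, so this succeeds
            insert_payouts(b, EPOCH)                # second payout of the same epoch
            b.execute("COMMIT")
        return {"b_saw_settled": b_saw_settled, **ledger(a, EPOCH)}
    finally:
        a.close(); b.close(); os.remove(path)


def settle_hardened(conn: sqlite3.Connection, epoch: int, commit: bool = True) -> str:
    """Check and write inside one BEGIN IMMEDIATE on the same connection.

    A check issued on this connection sees committed rows and this transaction's own
    writes, and BEGIN IMMEDIATE serializes writers, so a concurrent worker either
    fails at BEGIN IMMEDIATE or observes the completed settlement.
    commit=False exists only so the demo can leave A's transaction in flight."""
    try:
        conn.execute("BEGIN IMMEDIATE")
    except sqlite3.OperationalError:        # "database is locked": a settlement is in flight
        return "busy"
    if paid_rows(conn, epoch) > 0:
        conn.execute("ROLLBACK")
        return "already-settled"
    insert_payouts(conn, epoch)
    if commit:
        conn.execute("COMMIT")
    return "written"


def run_hardened() -> dict:
    """Same interleaving as run_vulnerable, with the guard inside the transaction."""
    path = make_db()
    a, b = connect(path), connect(path)
    try:
        a_first = settle_hardened(a, EPOCH, commit=False)   # A holds the lock, uncommitted
        b_first = settle_hardened(b, EPOCH)                 # B cannot even begin: "busy"
        a.execute("COMMIT")
        b_retry = settle_hardened(b, EPOCH)                 # B now sees A's rows
        return {"a": a_first, "b": b_first, "b_retry": b_retry, **ledger(a, EPOCH)}
    finally:
        a.close(); b.close(); os.remove(path)


if __name__ == "__main__":
    print("guard on new connection:", run_vulnerable())   # 4 rows, 200 paid
    print("guard inside transaction:", run_hardened())    # 2 rows, 100 paid
```

Running it prints the vulnerable interleaving paying the epoch twice (4 rows, 200) and the hardened one paying it once (2 rows, 100), with B's first attempt rejected at `BEGIN IMMEDIATE` and its retry stopping at the in-transaction check. The operational takeaway for the fix is the same one the report implies: the guard and the payout writes must run on the same connection inside the same immediate transaction, and a `"database is locked"` error on `BEGIN IMMEDIATE` should be treated as "another settlement is running", not retried blindly around the check.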

@github-actions

Welcome to RustChain! Thanks for your first pull request.

Before we review, please make sure:

  • Your PR has a BCOS-L1 or BCOS-L2 label
  • New code files include an SPDX license header
  • You've tested your changes against the live node

Bounty tiers: Micro (1-10 RTC) | Standard (20-50) | Major (75-100) | Critical (100-150)

A maintainer will review your PR soon. Thanks for contributing!

@github-actions github-actions bot added the documentation (Improvements or additions to documentation), BCOS-L1 (Beacon Certified Open Source tier BCOS-L1, required for non-doc PRs) and consensus (Consensus/RIP-200 related) labels on Mar 28, 2026
@github-actions github-actions bot added the size/L (PR: 201-500 lines) label on Mar 28, 2026