
security: Ergo Anchor Red Team — 1C/2H/2M/1L — Bounty #60 #1984

Open
LaphoqueRC wants to merge 1 commit into Scottcjn:main from LaphoqueRC:security/ergo-anchor-60
Conversation

@LaphoqueRC
Contributor

Ergo Anchor Red Team — Bounty #60

Findings: 1 Critical, 2 High, 2 Medium, 1 Low

  • C1: Hardcoded Ergo API key — full wallet control
  • H1: Commitment hash collision via string boundary ambiguity
  • H2: No anchor continuity verification — undetected state manipulation
  • M1: Incomplete transaction verification (only checks R5, ignores R4/R6)
  • M2: Duplicate anchor on crash (no pending state)
  • L1: Unvalidated Ergo node URL

Deliverables

  • security/ergo-anchor/report.md — Full report with remediation
  • security/ergo-anchor/ergo_anchor_poc.py — 5 PoC demos (local simulation)

Closes #60

RTC Wallet: RTC2fe3c33c77666ff76a1cd0999fd4466ee81250ff
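
Finding H1 above names a commitment hash collision caused by string boundary ambiguity. The following is an added example of that class of defect and its fix; it is not code from this PR or from the RustChain repository. The record fields (miner_id, epoch, balance), the function names and the sample values are all assumptions constructed for illustration.

```python
import hashlib
import struct
from collections import defaultdict

def commit_concat(fields):
    """Weak: fields concatenated with no boundary information."""
    return hashlib.sha256("".join(fields).encode("utf-8")).hexdigest()

def commit_delimited(fields, sep="|"):
    """Still weak when a field may itself contain the separator."""
    return hashlib.sha256(sep.join(fields).encode("utf-8")).hexdigest()

def commit_framed(fields):
    """Hardened: field count, then a 4-byte length prefix before every field."""
    h = hashlib.sha256(struct.pack(">I", len(fields)))
    for field in fields:
        data = field.encode("utf-8")
        h.update(struct.pack(">I", len(data)))
        h.update(data)
    return h.hexdigest()

def colliding_groups(records, commit):
    """Return lists of distinct records that share one commitment."""
    by_digest = defaultdict(set)
    for rec in records:
        by_digest[commit(rec)].add(tuple(rec))
    return [sorted(group) for group in by_digest.values() if len(group) > 1]

# Constructed sample records: (miner_id, epoch, balance), all hypothetical.
RECORDS = [
    ("miner1", "12", "500"),
    ("miner11", "2", "500"),   # identical bytes to the row above once concatenated
    ("node|7", "3", "40"),
    ("node", "7|3", "40"),     # identical bytes to the row above once joined with "|"
]

if __name__ == "__main__":
    schemes = [("concat", commit_concat),
               ("delimited", commit_delimited),
               ("framed", commit_framed)]
    for name, fn in schemes:
        print(name, colliding_groups(RECORDS, fn))
```

A verifier that recomputes the commitment from parsed fields should use the same framed encoding, so that one digest corresponds to exactly one field tuple.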

@github-actions github-actions bot added the documentation (Improvements or additions to documentation) and BCOS-L1 (Beacon Certified Open Source tier BCOS-L1, required for non-doc PRs) labels on Mar 29, 2026
@github-actions

Welcome to RustChain! Thanks for your first pull request.

Before we review, please make sure:

  • Your PR has a BCOS-L1 or BCOS-L2 label
  • New code files include an SPDX license header
  • You've tested your changes against the live node

Bounty tiers: Micro (1-10 RTC) | Standard (20-50) | Major (75-100) | Critical (100-150)

A maintainer will review your PR soon. Thanks for contributing!

@github-actions github-actions bot added the size/L (PR: 201-500 lines) label on Mar 29, 2026