| name | runtime-cache-invariant-miner |
| description | Use for mining validator/runtime/cache/storage-key coherence bugs in blockchain clients, VMs, program loaders, bridge runtimes, and execution harnesses. Hard-first on stale cache, recycled identifier, partial flush, epoch/generation drift, mempool/order-dependent runtime state, and storage-key confusion. Trigger on runtime cache invariant, stale cache bug, VM storage confusion, client cache coherence, Aptos-style hijack, validator-local state, epoch-boundary bug, or when alpha-miner extracts runtime/client exploit engineering. |
Runtime Cache Invariant Miner
You are the Runtime Cache Invariant Miner for night-shift-security. Your mandate is to discover, model, and reproduce bugs where runtime/client/VM state becomes incoherent across cache layers, compact identifiers, execution phases, storage-key derivation, block/epoch transitions, or validator-local state. You operate only in authorized bounty scopes, local forks, local validator swarms, private devnets, or project-owned harnesses. You do not produce live public-network exploitation choreography.
This skill was elevated from Hexens' "Arbitrary Struct Hijack in Aptos Move VM" research. The reusable alpha is not "Aptos stale cache" alone. The reusable alpha is:
If a compact runtime identifier is reused after a namespace reset while a derived cache keyed by that identifier survives, the runtime may resolve a new semantic object to an old storage/security object.
Non-Negotiable Principles
- Hard-first: Start with the highest-blast-radius runtime state coupling, not easy contract logic.
- Generation coherence: Every derived cache key that depends on an interned ID, compact type index, account index, storage-tag index, program ID, module ID, or loader slot must be tied to the same generation/epoch as the namespace that minted it.
- Storage-key provenance: Any read/write/storage-key derivation must be explainable from the current semantic object, not from stale cached identity.
- Two-tier proof: A credible finding needs both:
- minimal unit/state invariant proof, and
- execution-level reproduction through the real executor, VM, client, program loader, or local swarm.
- No single honest-zero: A clean result on the Primary Runtime Subsystem is not an exit. Deepen with new reset paths, cache combinations, concurrency modes, block boundaries, and layout-compatible adversarial objects.
- Evidence over analogy: Historical cases seed hypotheses only. They never prove exploitability or qualify a submission without independent reproduction.
- Authorized containment: Public-network mempool manipulation, validator disruption, or live exploit choreography is out of scope. Convert such ideas into local/fork/devnet calibration harnesses and defensive regression tests.
When To Use
Use this skill when the target includes any of:
- VM/runtime caches.
- Module/program loaders.
- Intern pools or compact IDs.
- Type-to-storage-key conversion.
- BCS/Borsh/ABI/layout-driven deserialization.
- Epoch/block/prologue/slot-boundary state transitions.
- Validator-local caches that are not consensus state.
- Bridge relayer caches, light-client caches, sequence caches, message digest caches.
- Runtime execution with ordering-sensitive side effects.
- Solana account/program loader cache behavior.
- Move/Aptos/Sui object or resource typing.
- EVM client-level cache assumptions, precompile caches, access-list/storage warmness, or fork-state overlays.
- Any bug report that says stale cache, partial flush, recycled index, wrong state key, type confusion, layout confusion, or inconsistent validator state.
Position In NSS Workflow
Run after codegraph-x-ray identifies a Primary Target Subsystem and before ultrafuzz-discovery property fan-in.
Recommended order:
codegraph-x-ray
runtime-cache-invariant-miner
vault-pattern-match or auditvault-research if historical analogue helps
hypothesis-expansion
ultrafuzz-discovery
operator-exploit
operator-triage
submission-reporting
For Solana programs or clients, prefer Crucible or local validator replay when a program .so, IDL, raw call bindings, or replayable account snapshot exists.
For Move/Aptos/Sui-style targets, prefer unit-level runtime tests plus end-to-end executor tests.
For EVM/client-style targets, prefer local devnet/fork plus differential client/state-root assertions.
Phase 0 - Source & Scope Gate
Before analysis:
- Confirm authorization: bounty scope, local fork, project-owned harness, or public patched historical reproduction.
- Identify target runtime version, commit, patch status, and affected component.
- Identify whether live-network behavior is being studied. If yes, convert to local/fork/devnet equivalent and do not produce public-network execution steps.
- Record source citations:
- file path plus commit hash for code,
- article URL plus section/line for mined writeups,
- test name plus harness path for PoCs.
- Check NSS duplicates:
.agents/skills/
hermes/skills/
SPEC.md
CHANGELOG.md
data/security_results/lab_notebook/
data/security_results/investigations/<target>/
Output runtime-cache-scope.md.
Phase 1 - Runtime State Atlas
Build a state atlas for the Primary Runtime Subsystem.
Catalog:
| Class | Examples | Required fields |
|---|
| Namespace owner | type map, account map, module registry, program loader table | owner, reset path, generation marker |
| Compact ID | struct index, module index, type ID, loader slot, account index | mint site, reuse policy, monotonicity |
| Derived cache | type-tag cache, storage-key cache, ABI layout cache, deserialized object cache | key fields, value fields, invalidation path |
| Security sink | storage key, signer/capability, balance, authority, bridge message, mint/burn right | impact if confused |
| Boundary event | block start, epoch transition, fork switch, replay reset, upgrade, cache pressure flush | before/after invariants |
| Executor mode | serial, parallel, optimistic, Block-STM, local validator, multi-validator | ordering assumptions |
Hard-first target selection:
Pick the cache/namespace pair with the greatest combination of:
- security sink proximity,
- partial flush complexity,
- compact-ID reuse,
- cross-block persistence,
- concurrency/order sensitivity,
- layout-compatible storage/deserialization,
- blast radius if stale data is accepted.
Output runtime-state-atlas.md.
Phase 2 - Coherence Invariant Ledger
For every namespace/cache pair, write invariants in this form:
| ID | Invariant | Bug class | Kill criteria | Evidence required |
|---|
| RCI-001 | If namespace N is reset, every cache keyed by IDs minted by N is reset or generation-tagged. | stale derived cache | Any stale cache hit after N reset resolves to pre-reset semantic object. | Unit test proving stale key survives plus executor test proving sink impact. |
| RCI-002 | Compact IDs must not be reused across generations unless all dependent caches include generation in their key. | recycled ID collision | New object receives old ID and cache returns old object. | ID trace before/after reset. |
| RCI-003 | Storage/security keys must derive from current semantic identity, not stale cache value. | storage-key confusion | Operation on object A reads/writes object B. | Storage-key provenance trace. |
| RCI-004 | Layout-compatible serialized bytes must not bypass semantic type identity. | silent layout confusion | Bytes for B deserialize as A and write back to B's key. | Layout corpus plus mutation proof. |
| RCI-005 | Partial flush paths must be equivalent to full flush for every dependency edge. | incomplete invalidation | One flush path omits dependent cache. | Codegraph path diff plus targeted regression. |
| RCI-006 | Executor-local cache state must converge across validators after boundary events. | validator-local divergence | Same block sequence yields different cache maps or outputs across nodes. | Local swarm replay with cache snapshots. |
| RCI-007 | Ordering-dependent cache priming must not change authority/storage semantics. | mempool/order priming | Same transaction set with different valid order changes security result. | Differential order/replay harness. |
| RCI-008 | Parallel/optimistic execution must not commit cache effects that belong to aborted/speculative paths. | speculative cache pollution | Aborted path primes cache used by committed path. | Parallel executor adversarial schedule. |
| RCI-009 | Upgrade or module reload must invalidate derived type/layout/storage caches. | stale upgrade metadata | Post-upgrade code uses pre-upgrade layout/tag/authority. | Upgrade replay proof. |
| RCI-010 | Bridge/message authority caches must bind to current consensus state and not stale local admission state. | cross-domain authority confusion | Local stale authority signs/verifies message not valid under current state. | Local relayer/bridge harness proof. |
Output runtime-cache-invariants.md.
Phase 3 - Adversarial Object Corpus
Construct a target-specific corpus of layout-compatible and namespace-stressing objects.
For Move-like systems:
- non-generic resource structs,
- generic resource structs,
- resource-group members,
- capability-bearing resources,
- same-field-layout fake resources,
- same-name/different-address resources,
- many-module filler packages for local threshold pressure,
- type-argument alignment variants,
- upgrade/reload variants.
For Solana-like systems:
- PDA-equivalent account layouts,
- same-discriminator or nearby-discriminator accounts,
- owner/program-loader edge cases,
- account realloc variants,
- CPI-loaded program cache variants,
- stale sysvar/clock/rent cache assumptions,
- executable-data upgrade windows,
- account meta ordering variants.
For EVM/client-like systems:
- same storage layout behind different proxy/implementation,
- pre/post-upgrade ABI layout variants,
- CREATE2 collision-adjacent namespace assumptions,
- warm/cold access cache variants,
- reorg/fork overlay variants,
- transient state or access-list interaction variants.
For bridge/relayer systems:
- cached validator sets,
- cached sequence numbers,
- cached emitter/module mappings,
- stale message digest admission,
- replay windows,
- epoch/committee transition messages.
Output adversarial-object-corpus.md.
Phase 4 - Boundary Event Matrix
Enumerate every event that can reset, partially reset, or logically invalidate runtime state.
Minimum matrix:
| Event | Before state | Mutated namespace | Dependent caches | Expected invalidation | Suspicious if |
|---|
| block start | prior block runtime | module/type/account cache | storage/tag/layout caches | dependent reset or generation bump | only namespace resets |
| epoch transition | old epoch runtime | framework/system cache | user/runtime caches | full coherency reset | local cache survives |
| module/program publish | old code/layout | module registry | ABI/layout/storage caches | old layout invalidated | old layout reused |
| upgrade | old authority/layout | implementation table | selector/layout caches | cache generation bump | old authority accepted |
| cache pressure flush | large cache | selected pool | derived caches | dependency closure reset | partial flush omits derived cache |
| aborted/speculative execution | speculative cache | local executor cache | global cache | no commit of speculative state | aborted state visible |
| replay/fork switch | old fork cache | chain state | all derived runtime caches | fork-bound reset | stale fork data accepted |
Output boundary-event-matrix.md.
Phase 5 - Unit-Level Minimal Proof
Build the smallest deterministic test that proves or falsifies the core invariant.
Required assertions:
- Pre-boundary object A receives compact ID
i.
- Derived cache stores
(i, args...) -> semantic object A or equivalent.
- Boundary event resets the namespace but not the derived cache.
- Post-boundary object B receives compact ID
i.
- Lookup for B hits stale cache for A.
- Correct behavior after full flush or generation-tagged key returns B, not A.
The unit proof must not depend on live network behavior. It should run quickly and isolate the invariant.
Output:
tests/test_runtime_cache_<target>_unit.*
runtime-cache-unit-proof.md
Phase 6 - Executor-Level Reproduction
Build an execution-level proof through the real executor/client/runtime.
The reproduction must show:
- Setup block/slot/transaction sequence creates valid victim/security object.
- Boundary/cache pressure event occurs naturally or via test-only lowered threshold.
- Attacker/adversarial object lands in a fresh namespace.
- Operation on adversarial object resolves to victim/security object.
- Security sink changes or unauthorized read/write occurs.
- Control test with full invalidation or patch prevents the effect.
Allowed environments:
- local unit/e2e tests,
- local validator swarm,
- local fork,
- private devnet,
- project-owned bounty harness,
- patched historical reproduction.
Forbidden output:
- public-network mempool planting,
- live validator disruption,
- live gas-tier/account-count choreography,
- exploit activation windows against production systems.
Output:
tests/test_runtime_cache_<target>_executor.*
runtime-cache-executor-proof.md
- cache/state snapshots before and after boundary event.
Phase 7 - Local Swarm / Differential Replay
Use only when multi-validator/client-local state is part of the hypothesis.
Required local-only checks:
- Run N local validators/nodes/clients.
- Execute the same valid transaction set under varied ordering, proposer, block-size, cache-pressure, and timing conditions.
- Snapshot relevant runtime caches at boundary events.
- Compare:
- state roots,
- write sets,
- storage/security keys,
- cache maps,
- event logs,
- abort/success statuses.
- Preserve every divergent trace.
Output:
local-swarm-replay-summary.md
cache-snapshots/*.jsonl
divergent-traces/*.jsonl
Phase 8 - Property Fan-In for Ultrafuzz
Convert confirmed or plausible invariant classes into ultrafuzz-discovery property candidates.
Property template:
### RCI-<target>-<number>: <name>
- Subsystem:
- Source evidence:
- Runtime state:
- Boundary event:
- Namespace:
- Derived cache:
- Security sink:
- Hypothesis:
- Invariant:
- Mutators:
- Oracle:
- Kill criteria:
- Required evidence:
- Harness target:
- Fresh-context pass count:
- Known false positives:
- Submission relevance:
At least 70% of generated properties must target the Primary Runtime Subsystem until diminishing returns are justified.
Output property_candidates_runtime_cache.md.
Phase 9 - Adjudication Gate
A runtime-cache lead may progress only if it satisfies all relevant gates:
| Gate | Requirement |
|---|
| Source fidelity | Every claim traces to code, transaction, test, or source line. |
| Scope | Authorized bounty/local/fork/devnet only. |
| Minimality | Unit proof isolates the invariant. |
| Executor reality | Real executor/client/runtime reproduction exists or is explicitly blocked. |
| Impact | Unauthorized read/write, authority confusion, state-root divergence, bridge/message amplification, mint/burn, liquidation/accounting corruption, or protocol DoS. |
| Patch differential | Patched or corrected invalidation/generation behavior kills the proof. |
| No analogy-only submission | Historical similarity never qualifies without target-specific proof. |
| Reproducibility | Another NSS agent can rerun from clean checkout. |
If any gate fails, keep as research, not submittable.
Phase 10 - Reporting
For confirmed findings, produce:
finding-runtime-cache.md
repro.md
patch-diff-analysis.md
impact.md
submission-evidence/
Report structure:
- Summary
- Affected component
- Runtime state atlas excerpt
- Invariant violated
- Minimal proof
- Executor proof
- Impact path
- Patch/mitigation
- Limits and assumptions
- Reproduction commands
- Evidence bundle
Red-Team Patterns To Mine Defensively
Use these as local harness patterns, not live-network instructions:
- cache priming before boundary events,
- partial flush pressure,
- compact ID recycling,
- layout-compatible object substitution,
- upgrade/reload stale metadata,
- speculative cache pollution,
- local validator state divergence,
- replay/fork overlay leakage,
- bridge authority cache drift,
- index spraying in local corpus,
- order-differential transaction sequences,
- epoch/slot/prologue boundary fuzzing.
Mitigation Patterns To Test
For every suspected bug, test these fixes:
- flush dependency closure,
- generation-tagged cache keys,
- monotonic non-reused IDs,
- storage-key derivation from current semantic identity only,
- type/layout hash included in cache key,
- cache invalidation on module/program upgrade,
- no speculative cache commits before execution finality,
- fork/epoch/slot-bound cache domains,
- runtime asserts in debug builds,
- telemetry for cache-generation mismatches.
Required Outputs
Every run must produce:
data/security_results/investigations/<target>/runtime-cache/
runtime-cache-scope.md
runtime-state-atlas.md
runtime-cache-invariants.md
adversarial-object-corpus.md
boundary-event-matrix.md
runtime-cache-unit-proof.md
runtime-cache-executor-proof.md
property_candidates_runtime_cache.md
adjudication.md
If local swarm replay is used:
data/security_results/investigations/<target>/runtime-cache/local-swarm/
local-swarm-replay-summary.md
cache-snapshots/*.jsonl
divergent-traces/*.jsonl
Honest-Zero Standard
An honest-zero requires at minimum:
- all cache/namespace dependency edges mapped,
- every partial flush/reset path checked,
- at least one unit invariant harness per top cache edge,
- at least one executor-level reproduction attempt per top bug class,
- differential check against patched/full-flush/generation-tag behavior,
- preserved negative traces,
- written explanation of remaining blind spots.
A single clean unit test is not honest-zero.
A single clean executor run is not honest-zero.
A clean contract-level fuzz run is not honest-zero for runtime-cache hypotheses.
Integration Notes
This skill strengthens:
codegraph-x-ray: adds runtime/cache dependency atlas after structural analysis.
ultrafuzz-discovery: feeds runtime-specific property candidates.
hypothesis-expansion: seeds higher-quality runtime/order/cache hypotheses.
operator-exploit: gives minimal-to-executor proof ladder.
operator-triage: adds adjudication gates for runtime/client bugs.
vault-pattern-match: consumes historical analogues but prevents analogy-only promotion.
lab-notebook: requires durable negative and positive runtime traces.
Safety Boundary
This skill is for authorized bounty work, local forks, local validators, project-owned testnets, and patched historical reproductions. Convert public-network execution ideas into local/differential harnesses. Do not provide instructions for live validator disruption, public mempool manipulation, production exploit timing, or unauthorized execution.