| name | security-review |
| description | Security review for blockchain and cryptographic code. Use when reviewing PRs, auditing code, checking for vulnerabilities, or when security is mentioned. |
| allowed-tools | Read, Grep, Glob |
Security Review
Checklist for reviewing ZChain code for security issues.
Cryptographic Security
Hash Function Usage
var hashInput = $"{block.Height}{block.ParentHash}{block.Transaction}{nonce}";
var hashInput = $"{nonce}";
Random Number Generation
using var rng = RandomNumberGenerator.Create();
byte[] bytes = new byte[32];
rng.GetBytes(bytes);
var random = new Random();
Blockchain Integrity
Block Validation
State Machine Security
Concurrency Issues
Thread Safety
lock (_minedLock)
{
if (State == BlockState.Mined) return;
_hash = hash;
_nonce = nonce;
State = BlockState.Mined;
}
Cancellation
Input Validation
Public API Boundaries
public Block(T transaction, int difficulty)
{
ArgumentNullException.ThrowIfNull(transaction);
ArgumentOutOfRangeException.ThrowIfNegativeOrZero(difficulty);
}
Sensitive Data
Logging and Output
Serialization
JsonConvert.DeserializeObject<Block>(json, new JsonSerializerSettings {
TypeNameHandling = TypeNameHandling.All
});
JsonConvert.DeserializeObject<Block<MoneyTransferTransaction>>(json);
Dependency Security
Review Commands
grep -r "Random()" src/
grep -r "MD5\|SHA1" src/
grep -r "TypeNameHandling" src/
grep -r "Process.Start\|Shell" src/
grep -r "password\|secret\|key\|token" src/ --include="*.cs"
Severity Levels
| Level | Description | Action |
|---|
| Critical | Exploitable vulnerability | Block merge, fix immediately |
| High | Security weakness | Should fix before merge |
| Medium | Defense in depth issue | Track for future fix |
| Low | Best practice deviation | Note in review |