Validator / Infra Team — Action Items from Security Audit
Date: 2026-03-30
From: Dev Team
Context: We've addressed all code-level findings from the security audit in our repo. The items below require infra team action — either infrastructure changes, access we don't have, or coordination with external services.
1. Deploy Status API Fixes to Production (from your DEV_TEAM_UPDATE.md)
Your endpoint sanitization and real block time fixes are committed but not yet deployed. Per your doc:
```sh
cd ansible
# ANSIBLE_HOST_KEY_CHECKING=False skips SSH host-key verification of the target hosts
export ANSIBLE_ROLES_PATH=./roles ANSIBLE_HOST_KEY_CHECKING=False
# -e puts the passwords into shell history and the process list; a vault or vars file avoids that
ansible-playbook -i inventory/hosts.ini playbooks/deploy-explorer-sentry.yml \
  -e "postgres_password=<PW>" -e "redis_password=<PW>"
```

This rebuilds the network-status container with sanitized endpoints and real metrics on Sentry-1.
2. Finding #3 (High): Weak Decentralization Signal
What we did: Explorer already displays validator list with voting power and commission.
What we need from you:
- Publish a seed node list (node IDs + addresses) that external validators can use to bootstrap
- Confirm the active validator set size and current validator count so we can display it accurately
- Provide sentry topology guidance — minimum recommended peers, geographic distribution recommendations
- Clarify: should we label Makalu as "testnet" explicitly in the explorer UI and status API? The audit flagged that we're presenting testnet posture as mainnet.
3. Finding #4 (High): Binary Provenance
What we need from you:
- Publish reproducible build instructions: exact repo URL, commit hash, Go compiler version, and build command for lithod
- Publish signed release manifests with SHA256 digests for all official binaries
- Document the exact Evmos upstream fork point and patch delta (which Evmos commit was forked, what was changed)
- Host deterministic binaries at a single canonical release location (GitHub Releases on KaJLabs/Lithosphere, or a dedicated downloads page)
- Generate and publish an SBOM (Software Bill of Materials) — this is planned for Phase 2/3 of the infrastructure roadmap
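For the signed-manifest ask above, here is an added example of what the manifest and the operator-side check can look like. It is not the project's release tooling; it assumes a flat directory of binaries (`./dist`) and a manifest file name (`release.sha256`) of our choosing, and it leaves the actual signing to gpg (the publisher's step).

```sh
#!/bin/sh
# Added example (not the project's own release tooling): build a SHA256
# release manifest for a directory of binaries and verify a downloaded
# binary against it. The manifest is what gets signed and published.

# Portable sha256: coreutils sha256sum on Linux, shasum on macOS.
sha256_of() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | cut -d' ' -f1
    else
        shasum -a 256 "$1" | cut -d' ' -f1
    fi
}

# write_manifest DIR OUT: one "<sha256>  <filename>" line per regular file in
# DIR, sorted by file name so the manifest itself is deterministic.
write_manifest() {
    dir="$1"; out="$2"
    : > "$out"
    for f in "$dir"/*; do
        [ -f "$f" ] || continue
        printf '%s  %s\n' "$(sha256_of "$f")" "$(basename "$f")" >> "$out"
    done
    sort -k2 "$out" -o "$out"
}

# verify_binary MANIFEST FILE: 0 if FILE's digest matches the manifest entry
# for its base name, 1 on mismatch, 2 if the manifest has no such entry.
verify_binary() {
    manifest="$1"; file="$2"
    name=$(basename "$file")
    expected=$(awk -v n="$name" '$2 == n { print $1 }' "$manifest")
    if [ -z "$expected" ]; then
        echo "no manifest entry for $name" >&2
        return 2
    fi
    actual=$(sha256_of "$file")
    if [ "$actual" = "$expected" ]; then
        echo "ok: $name"
        return 0
    fi
    echo "MISMATCH: $name expected $expected got $actual" >&2
    return 1
}

# Publisher side (assumed layout, run from the release directory):
#   write_manifest ./dist release.sha256
#   gpg --armor --detach-sign release.sha256      # produces release.sha256.asc
# Operator side, before installing a downloaded lithod:
#   gpg --verify release.sha256.asc release.sha256 && verify_binary release.sha256 ./lithod
```

The manifest only proves integrity; the detached signature is what ties it to the publisher, so the operator check always verifies the signature first and the digest second. Reproducible builds then let a third party regenerate the same digests from the published commit and compiler version.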
4. Finding #9 (Medium): NLB Environment Naming
The NLB is named litho-mainnet-rpc-* but serves Makalu testnet. Your doc says this requires downtime to rename.
Request: Schedule this for the next maintenance window. No rush — just don't forget it.
5. Finding #10 (Medium): Rate Limits and Anti-Spam
We've documented what we know in docs/network/chain-parameters.md. But we need authoritative numbers from you:
- Minimum gas price enforced by validators (exact value in ulitho)
- Mempool configuration: max mempool size, tx queue limits
- Nginx/Cloudflare rate limits on rpc.litho.ai and api.litho.ai (requests per second per IP)
- Pruning configuration: what's the pruning strategy on sentry nodes? What's the recommendation for indexers that need archive data?
- WebSocket connection limits on the EVM WS endpoint
6. gRPC TLS Proxy (from your DEV_TEAM_UPDATE.md)
Your endpoint cleanup changed the default gRPC to grpc.litho.ai:9090. We've used this in our network-parameters.json. Is TLS actually configured on this endpoint now, or is it still direct/plaintext? If plaintext, we should note that in our docs.
Same question for EVM WebSocket — is wss:// available via Nginx, or still ws://54.163.248.63:8546 direct?
7. Open GitHub Issues on KaJLabs/Lithosphere
The audit flagged issue #3 ("[TESTNET] Deployment Failure") — it's now closed. But two issues remain open:
#5: "Fix grammatical error in 'What is Lithosphere?'" (opened 2026-03-24)
#4: "Update deploy-indexer-ec2.sh" (opened 2026-03-23)
Request: Triage these — close, assign, or comment with status. Open unattended issues on a public repo hurt credibility per the audit.
8. Network Parameters JSON
We've published a machine-readable docs/network/network-parameters.json with canonical chain config for wallets and operators. Please review it and confirm all values are correct — especially:
- networkType: We set "testnet" — confirm this is correct for Makalu
- apis.grpc address: grpc.litho.ai:9090
- apis.evmJsonRpc: We pointed at https://rpc.litho.ai — is this the correct public EVM JSON-RPC endpoint?
9. Directory Rename: Makulu → Makalu (CRITICAL for next deploy)
We've renamed the monorepo directory from Makulu/ to Makalu/ to match the network name. All CI/CD pipelines, deploy scripts, and env files now reference /opt/lithosphere/Makalu.
Before the next deploy, you must rename the directory on the production server:
If the deploy runs before this rename, it will create a new /opt/lithosphere/Makalu directory alongside the old one, and the existing containers under Makulu will keep running on stale code.
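An added pre-deploy guard for the rename described above (our suggestion, not something from the infra team's docs). It assumes the deploy root defaults to /opt/lithosphere and that nothing else needs to move; it does not touch containers, it only refuses to proceed in the exact split state the previous paragraph warns about.

```sh
#!/bin/sh
# Added example: pre-deploy guard for the Makulu -> Makalu rename.
#
# check_deploy_root BASE exit codes:
#   0  only BASE/Makalu exists: safe to deploy
#   2  only BASE/Makulu's old name BASE/Makulu exists: rename first
#   3  both exist: a deploy already ran before the rename; containers under
#      the old tree may still be running stale code, resolve by hand
#   4  neither exists: wrong host or wrong base path
check_deploy_root() {
    base="${1:-/opt/lithosphere}"
    old="$base/Makulu"
    new="$base/Makalu"
    if [ -d "$new" ] && [ ! -e "$old" ]; then
        echo "ok: $new present, $old absent"
        return 0
    elif [ -d "$old" ] && [ ! -e "$new" ]; then
        echo "rename needed: mv $old $new"
        return 2
    elif [ -e "$old" ] && [ -e "$new" ]; then
        echo "conflict: both $old and $new exist; containers under $old may be running stale code"
        return 3
    else
        echo "missing: neither $old nor $new found under $base"
        return 4
    fi
}

# rename_deploy_root BASE: performs the rename only when the check says it is
# needed, so running it twice is a no-op rather than an error, and never
# guesses in the conflict or missing cases.
rename_deploy_root() {
    base="${1:-/opt/lithosphere}"
    rc=0
    check_deploy_root "$base" >/dev/null || rc=$?
    case $rc in
        0) echo "already renamed"; return 0 ;;
        2) mv "$base/Makulu" "$base/Makalu" && echo "renamed $base/Makulu -> $base/Makalu" ;;
        *) echo "refusing to rename; run check_deploy_root $base for details" >&2; return 1 ;;
    esac
}

# Usage on the production server, as a user allowed to write to /opt/lithosphere:
#   . ./preflight.sh && rename_deploy_root /opt/lithosphere && check_deploy_root /opt/lithosphere
```

Wiring check_deploy_root into the playbook (or the CI job that triggers it) as a pre-task that fails on anything but exit 0 is what turns the warning in the previous paragraph into a hard stop.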
10. EVM RPC routing — diagnosis corrected (2026-04-23)
Original severity: High (raised 2026-04-22). Status: Dev-side root cause resolved; infra ask reduced.
Corrected diagnosis (per your reply dated 2026-04-22): Our original report had the diagnosis inverted. rpc.litho.ai IS the live EVM JSON-RPC for lithosphere_700777-2. The NLB serves the abandoned 700777-1 fork. The 0x returns we observed for eth_getCode on 0xEB6cfcC… were correct — that address does not exist on the live chain; it was deployed pre-reset on 700777-1.
Actual root cause (dev side): The SEEDED_TOKENS constant in Makalu/indexer/src/mappings.ts had all 10 pre-reset contract addresses. The explorer's /tokens page was displaying those stale addresses. When users pasted them into MetaMask, eth_getCode on rpc.litho.ai returned 0x because the contracts genuinely don't exist on 700777-2.
Dev-side fixes applied (2026-04-23):
- Updated all 10 SEEDED_TOKENS to canonical 700777-2 addresses (deployer 0x10ed4F…)
- Added migrateTokenAddresses() startup step to evict stale DB rows on next deploy
- Updated EVM_RPC_URL and FAUCET_RPC_URL in .env.mainnet from NLB → https://rpc.litho.ai
- WalletContext.tsx already used rpc.litho.ai — no change needed there
Remaining infra ask: evm-rpc.litho.ai as a dedicated EVM subdomain is still welcome for industry convention, but no longer blocking wallet UX. When you stand it up, please point it at mtest-sentry-01:8545 (live chain), not the NLB.
Verification (after our next deploy):
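The check we would run under the heading above, added here as an example rather than taken from the Makalu repo: it asks the endpoint for its chain id and for the bytecode at each seeded token address, which is exactly the probe that exposed the stale 700777-1 addresses. It assumes the EIP-155 chain id is 700777 (0xab169), the number embedded in lithosphere_700777-2 under the Evmos chain-id convention, and it needs curl and jq for live use; the addresses to feed it are the SEEDED_TOKENS values from Makalu/indexer/src/mappings.ts.

```sh
#!/bin/sh
# Added example (not code from the Makalu repo): confirm that the EVM endpoint
# the explorer points at is the live 700777-2 chain and that every seeded
# token address actually has contract code there.

RPC_URL="${RPC_URL:-https://rpc.litho.ai}"
# Assumption: EIP-155 chain id 700777 == 0xab169 (from lithosphere_700777-2)
EXPECTED_CHAIN_ID_HEX="0xab169"

# rpc_call METHOD PARAMS_JSON: prints the JSON-RPC "result" field.
rpc_call() {
    curl -sS -X POST "$RPC_URL" -H 'content-type: application/json' \
        --data "{\"jsonrpc\":\"2.0\",\"id\":1,\"method\":\"$1\",\"params\":$2}" \
        | jq -r '.result'
}

# Normalise a hex quantity so 0xab169, 0x0ab169 and 0xAB169 compare equal.
norm_hex() {
    printf '%s' "$1" | tr 'A-F' 'a-f' | sed 's/^0x0*/0x/'
}

# audit_seeded_tokens ADDR...: 0 when the chain id matches and every address
# has code; 1 on chain-id mismatch (wrong endpoint, e.g. the NLB fork);
# 2 if any address returns 0x. Missing addresses are printed one per line.
audit_seeded_tokens() {
    chain=$(norm_hex "$(rpc_call eth_chainId '[]')")
    if [ "$chain" != "$(norm_hex "$EXPECTED_CHAIN_ID_HEX")" ]; then
        echo "chain id mismatch: endpoint reports $chain, expected $EXPECTED_CHAIN_ID_HEX" >&2
        return 1
    fi
    missing=0
    for addr in "$@"; do
        code=$(rpc_call eth_getCode "[\"$addr\",\"latest\"]")
        if [ "$code" = "0x" ] || [ -z "$code" ] || [ "$code" = "null" ]; then
            echo "$addr"
            missing=$((missing + 1))
        fi
    done
    [ "$missing" -eq 0 ] || return 2
    return 0
}

# Usage against the live endpoint, with the canonical SEEDED_TOKENS addresses:
#   audit_seeded_tokens 0x... 0x... && echo "all seeded tokens exist on $RPC_URL"
```

Running it once against https://rpc.litho.ai and once with RPC_URL set to the NLB hostname gives the two results this item hinges on: the first should return 0, the second should fail at the chain-id check, which is also the quickest way to prove evm-rpc.litho.ai was pointed at the right backend once it exists.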
Summary

| Item | Priority | Action |
|---|---|---|
| Rename /opt/lithosphere/Makulu → Makalu | Critical | Must happen before next deploy |
| Deploy status API fixes | Critical | Run ansible playbook on Sentry-1 |
| Seed node list + topology guidance | High | Publish for external validators |
| Binary provenance (builds, SBOM, fork docs) | High | Publish reproducible build instructions |
| EVM wallet UX (token addresses) | High (Resolved) | Dev-side fix: canonical addresses + EVM_RPC_URL updated |
| NLB decommission / re-target | Medium | Per your revised plan for item #4 |
| Rate limit / anti-spam numbers | Medium | Provide authoritative config values |
| gRPC/WSS TLS status | Medium | Confirm endpoint TLS configuration |
| GitHub issue triage | Medium | Close or update #4 and #5 |
| Review network-parameters.json | Low | Confirm values are correct |
Last updated