{"uuid": "ccecf65d-273e-40a9-8f19-f72eff847482", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "GHSA-rv6j-5jc6-w6p5", "type": "seen", "source": "https://gist.github.com/Nexory/f6bb07c8203741740b7413e3fb5b5c3e", "content": "# Crypto SDK Contributions Sprint -- May 28-29, 2026\n\nTwo-day open-source contribution sprint across 10 crypto SDK orgs. All work as Nexory.\n\nStatus as of 2026-05-29 03:30 UTC.\n\n## Polymarket SDKs\n\nts-sdk (5 OPEN + 3 maintainer-merged):\n- Issues OPEN: #68, #73, #74, #75, #76\n- Maintainer-fixed: #64, #65 (via PR #72), #66 (via PR #71)\n\npy-sdk (9 OPEN + 1 maintainer-merged + 1 beta-policy closed PR):\n- Issues OPEN: #51, #55, #56, #57, #59, #60, #61, #62, #63\n- Maintainer-fixed: #52\n- PR #58 closed per beta policy\n\nclob-client-v2: PR #78 OPEN\n\n## base/* (Coinbase L2, Superchain)\n\naccount-sdk: Issues #324, #325, #326 OPEN | PRs #327, #328 OPEN\nskills: Issue #54 OPEN | PR #55 OPEN\ndocs: PR #1503 scope-expansion comment posted\nbase (core monorepo): PRs #3031, #3032 closed by vouch bot. Follow-up comment on Issue #2791 requesting vouching.\n\n## megaeth-labs\n\nmega-tokenlist: Issue #52 OPEN | PR #51 closed per external-only-data policy. Recovery comment offering reopen after maintainer review-request signal.\nterminal-auth-sdk: Issue #28 OPEN (HIGH: handleRedirectCallback security invariant gap)\nstateless-validator: Issue #139 OPEN (set_validated_blocks no timeout)\nmega-evm: Issue #302 OPEN (rex/mini_rex OnceBox aliasing)\n\n## MetaMask HackerOne\n\nReport #3768762 -- ERC20PeriodTransferEnforcer missing value==0 guard allows ETH drain alongside ERC20 transfer.\nCVSS 3.1 5.3 Medium, CWE-20 Improper Input Validation.\nPassed preliminary bot review. In human triage queue.\n\n## Other orgs\n\n0xPolygon/lxly.js: Issue #64 OPEN (HIGH) | PR #65 OPEN\nConsensys/linea-attestation-registry: Issue #1081 OPEN (HIGH)\ninitia-labs/initia.js: Issue #167 closed | **PR #168 MERGED**\nburnt-labs/xion.js: Issue #377 OPEN | PR #378 OPEN\ncandidelabs/abstractionkit: Issue #188 OPEN | PR #189 silent-closed\nacross-protocol/sdk: Issue #1449 OPEN\n\n## Private (GHSA)\n\n0xPolygon/polygon-agent-cli: GHSA-7hpg-fw6g-w3qj triage\nburnt-labs/mob: GHSA-rv6j-5jc6-w6p5 triage\n\n## Methodology\n\n- Multi-modal parallel audit (audit angles per repo)\n- 3-lens adversarial verify pipeline (correctness, security, repro). 2-of-3 confirmation required\n- Pre-submission scope-validation, contribution-policy, dup-check gauntlets\n- 4 new persistent feedback rules from this sprint:\n  - verify-api-auth-model-before-credential-claims\n  - verify-program-scope-before-submitting\n  - verify-contribution-policy-before-pr\n  - check-maintainer-engagement-before-closing-pr\n\n## Reporter\n\nGitHub: [Nexory](https://github.com/Nexory)\n", "creation_timestamp": "2026-05-29T01:01:28.000000Z"}