---
issue: 077
title: "Scanner: caller can override confirmation threshold down to 1 — reorg safety bypass"
severity: high
domain: Scanner
labels: [security, scanner, reorg]
status: open
created: 2026-05-30
source: Full Codebase Audit 2026-05-30
---

# Scanner: caller can override confirmation threshold down to 1 — reorg safety bypass

**Severity:** high
**Domain:** Scanner
**Labels:** security, scanner, reorg

## Description

`scanner/api.go:170` accepts a caller-supplied `confirmations` value and uses it as-is, without enforcing the chain-config threshold as a floor. A caller can set `confirmations: 1` on a chain that requires 12 confirmations, bypassing reorg safety and causing premature payment confirmation.

## Options

1. Clamp confirmations to `max(callerValue, chainConfigThreshold)` — config is a floor.
2. Ignore the caller value entirely; always use the chain config.
3. Allow override only above the chain threshold.

## Recommendation

Treat the chain config threshold as a hard floor (`max` of caller and config). This changes reorg-safety semantics.

## Affected Files

- `scanner/api.go:170`
- `scanner/config.go` — chain threshold definition

## References

- [Full Codebase Audit 2026-05-30](../09%20-%20Audits/Full%20Codebase%20Audit%20-%202026-05-30.md) — DEC-58
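To illustrate the issue and the recommended fix, the following is an added Go example, not code from the scanner itself: `ChainConfig`, `ConfirmationsUnsafe`, `ConfirmationsClamped` and `IsConfirmed` are hypothetical names, and the 12-confirmation chain and block heights are constructed values. The unsafe variant mirrors the reported behaviour (caller value used as-is); the clamped variant applies the `max(caller, config)` floor from the recommendation.

```go
package main

import "fmt"

// ChainConfig is a hypothetical stand-in for the per-chain settings in
// scanner/config.go; Confirmations is the reorg-safety threshold.
type ChainConfig struct {
	Name          string
	Confirmations uint64
}

// ConfirmationsUnsafe mirrors the reported behaviour at scanner/api.go:170:
// the caller-supplied value is used as-is, so caller=1 wins over a 12 floor.
func ConfirmationsUnsafe(caller uint64, cfg ChainConfig) uint64 {
	return caller
}

// ConfirmationsClamped applies the recommended fix: the chain config is a
// hard floor, so the effective value is max(caller, cfg.Confirmations).
// A caller may still raise the threshold, never lower it.
func ConfirmationsClamped(caller uint64, cfg ChainConfig) uint64 {
	if caller > cfg.Confirmations {
		return caller
	}
	return cfg.Confirmations
}

// IsConfirmed reports whether a transaction mined at txHeight has at least
// `required` confirmations when the chain tip is at tipHeight. The block
// containing the transaction counts as its first confirmation; a zero
// threshold is rejected outright rather than treated as "always confirmed".
func IsConfirmed(tipHeight, txHeight, required uint64) bool {
	if required == 0 || txHeight > tipHeight {
		return false
	}
	return tipHeight-txHeight+1 >= required
}

func main() {
	cfg := ChainConfig{Name: "example-chain", Confirmations: 12} // constructed
	tip, txHeight := uint64(1000), uint64(1000)                  // tx is in the tip block

	// Caller asks for 1 confirmation on a 12-confirmation chain.
	fmt.Println("unsafe, 1 conf: ", IsConfirmed(tip, txHeight, ConfirmationsUnsafe(1, cfg)))      // true: premature
	fmt.Println("clamped, 1 conf:", IsConfirmed(tip, txHeight, ConfirmationsClamped(1, cfg)))     // false
	fmt.Println("clamped, 12 conf:", IsConfirmed(tip+11, txHeight, ConfirmationsClamped(1, cfg))) // true
}
```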