## Critical Vulnerabilities Exposed in RTC Protocol: Unlimited Minting, OTC Funds Locked, Epoch Crash
A red team bug bounty submission has surfaced multiple critical vulnerabilities in the RTC protocol, with researchers flagging unlimited coin minting and stranded OTC bridge funds as the highest-severity findings. The audit, conducted under Mythos-style methodology, identified eight distinct security issues spanning critical to medium severity, placing approximately 550 RTC in bounties at stake.

Bug #1 represents the most severe exposure: the absence of per-block coinbase limits in `apply_transaction()` allows unlimited minting. The external API hardcodes `tx_type='transfer'`, while the `utxo_db.py` layer has no enforcement mechanism of its own. Bug #5, also rated critical, flags OTC bridge funds stuck in the worker wallet because of a flaw in `confirm_order()`. A HIGH-severity crash condition arises when `UtxoDB()` is initialized without the `db_path` argument on line 2882 of the server, specifically when `UTXO_DUAL_WRITE=1`, disrupting epoch settlement entirely.

Medium-severity issues include orphaned mempool claims, where entries are not cleaned up after main-chain spends, and unvalidated data inputs that accept phantom box IDs without verification against the UTXO set. Taken together, the findings expose systemic gaps in transaction validation, state management, and bridge fund custody. The severity profile (two critical findings, one high, and several medium) points to architectural weaknesses rather than isolated defects. These vulnerabilities carry particular weight given the OTC bridge exposure, where user funds are directly at risk pending remediation.
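
The two validation gaps above, the missing per-block coinbase cap and the acceptance of unknown box IDs, are the kind of checks a block validator applies before any transaction is credited. The following is an added illustration, not RTC protocol code; `Tx`, `validate_block`, the box-ID/amount map and the subsidy value are all hypothetical.

```python
# Added example (not RTC code): block-level checks that close the two gaps
# described above. All names and structures here are hypothetical.
from dataclasses import dataclass, field


@dataclass
class Tx:
    tx_type: str                                  # "coinbase" or "transfer"
    inputs: list = field(default_factory=list)    # box ids being spent
    outputs: list = field(default_factory=list)   # amounts being created


class BlockValidationError(Exception):
    pass


def validate_block(txs, utxo_set, block_subsidy):
    """Return the total fees if the block is valid, otherwise raise.

    utxo_set maps box id -> amount for every currently unspent output.
    """
    # Exactly one coinbase, and it must be the first transaction.
    if not txs or txs[0].tx_type != "coinbase" \
            or sum(1 for tx in txs if tx.tx_type == "coinbase") != 1:
        raise BlockValidationError("block must contain exactly one leading coinbase")

    fees = 0
    spent = set()
    for tx in txs[1:]:
        if not tx.inputs:
            raise BlockValidationError("transfer with no inputs")
        for box in tx.inputs:
            if box not in utxo_set:               # phantom box id
                raise BlockValidationError(f"unknown input {box}")
            if box in spent:                      # double spend within block
                raise BlockValidationError(f"double spend {box}")
            spent.add(box)
        in_total = sum(utxo_set[b] for b in tx.inputs)
        out_total = sum(tx.outputs)
        if out_total > in_total:
            raise BlockValidationError("outputs exceed inputs")
        fees += in_total - out_total

    # Per-block coinbase cap: subsidy plus the fees collected in this block.
    minted = sum(txs[0].outputs)
    if minted > block_subsidy + fees:
        raise BlockValidationError(f"coinbase mints {minted}, cap is {block_subsidy + fees}")
    return fees
```

A validator that skips the final cap check is exactly the unlimited-minting condition described for Bug #1.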
---
- **Source**: GitHub Issues
- **Sector**: The Lab
- **Tags**: blockchain, smart-contract, vulnerability, bug-bounty, crypto
- **Credibility**: unverified
- **Published**: 2026-05-08 02:31:38
- **ID**: 80418
- **URL**: https://whisperx.ai/en/intel/80418