AIKIDO-2026-10321

@argonprotocol/mainchain is vulnerable to Concurrent Execution using Shared Resource with Improper Synchronization ('Race Condition')

Concurrent Execution using Shared Resource with Improper Synchronization ('Race Condition')

Pre-CVE: Found by Aikido Intel before public disclosure or CVE publication.
Published Mar 10, 2026

Medium Risk (59)

This Affects:

@argonprotocol/mainchain (JS)
0.0.2 - 1.3.27
Fixed in 1.4.0
TL;DR

Affected versions of this package contain a consensus weakness in the block seal process where notaries could strategically delay revealing notebook secrets, enabling a hold-back manipulation that creates a stronger alternate fork near finalization depth. An attacker controlling or colluding with a notary could withhold the secret reveal and release it at a precise moment to influence fork choice, potentially triggering a chain reorganization and rewriting recent history. This timing attack exploits the lack of enforced secret maturity, allowing adversaries to manipulate block validity conditions during sealing. The fix introduces versioned parent-secret maturity delays and stricter audit validation to ensure seal key material derives from sufficiently mature history.

Who does this affect?

You are affected if you are using a version that falls within the vulnerable range.
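
One way to check a project against the range above, as an added example that is not part of the advisory or the package's own code: it takes a parsed npm lockfile (`JSON.parse` of `package-lock.json`) and reports every installed copy of the package, including nested ones. The function names, the sample lockfile and the choice to treat every version from 0.0.2 up to the 1.4.0 release as affected are assumptions of this example.

```javascript
// Added example: flag installs of @argonprotocol/mainchain in the advisory's range.
const PKG = "@argonprotocol/mainchain";
const FIRST_AFFECTED = [0, 0, 2]; // from the advisory
const FIRST_FIXED = [1, 4, 0];    // from the advisory

// Parse MAJOR.MINOR.PATCH with optional -prerelease / +build suffixes.
function parseVersion(v) {
  const m = /^v?(\d+)\.(\d+)\.(\d+)(-[0-9A-Za-z.-]+)?(\+[0-9A-Za-z.-]+)?$/.exec(String(v).trim());
  return m ? { core: [+m[1], +m[2], +m[3]], pre: Boolean(m[4]) } : null;
}
function cmp(a, b) {
  for (let i = 0; i < 3; i++) if (a[i] !== b[i]) return a[i] < b[i] ? -1 : 1;
  return 0;
}

// Assumption: anything from 0.0.2 up to (not including) the 1.4.0 release is
// treated as affected, so 1.3.x above 1.3.27 and 1.4.0 prereleases are flagged.
function isAffected(version) {
  const p = parseVersion(version);
  if (!p) return null; // unparseable or missing version: review by hand
  if (cmp(p.core, FIRST_AFFECTED) < 0) return false;
  const c = cmp(p.core, FIRST_FIXED);
  return c < 0 || (c === 0 && p.pre);
}

// Walk an npm lockfile: v2/v3 "packages" map, or v1 nested "dependencies".
function findInstalls(lock) {
  const hits = [];
  for (const [path, meta] of Object.entries(lock.packages || {})) {
    if (path === `node_modules/${PKG}` || path.endsWith(`/node_modules/${PKG}`)) hits.push({ path, version: meta.version });
  }
  const walk = (deps, trail) => {
    for (const [name, meta] of Object.entries(deps || {})) {
      const path = `${trail}node_modules/${name}`;
      if (name === PKG) hits.push({ path, version: meta.version });
      walk(meta.dependencies, `${path}/`);
    }
  };
  if (!lock.packages) walk(lock.dependencies, "");
  return hits.map((h) => ({ ...h, affected: isAffected(h.version) }));
}

// Constructed sample lockfile; "some-wallet" and "mainchain-extras" are made-up names.
const SAMPLE_LOCK = { lockfileVersion: 3, packages: {
  "": { name: "demo-app", version: "1.0.0" },
  "node_modules/@argonprotocol/mainchain": { version: "1.4.0" },
  "node_modules/some-wallet/node_modules/@argonprotocol/mainchain": { version: "1.3.27" },
  "node_modules/@argonprotocol/mainchain-extras": { version: "1.2.0" },
} };
for (const r of findInstalls(SAMPLE_LOCK)) console.log(r.path, r.version, r.affected === false ? "ok" : r.affected ? "AFFECTED" : "REVIEW");
```

A nested copy pulled in by another dependency is reported separately from the top-level one, since upgrading the direct dependency does not replace it.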

Background info

@argonprotocol/mainchain is vulnerable to Concurrent Execution using Shared Resource with Improper Synchronization ('Race Condition') in versions 0.0.2 - 1.3.27.

How to fix this

Upgrade the @argonprotocol/mainchain library to the patched version (1.4.0).