Fair Labs · Smart Contract Security Assessment

Fair Casino Core Pentest

Zealynx audited the Fair Casino TypeScript backend services and frontend verification utilities. The fourteen-day review covered critical money flows (deposits, withdrawals, atomic balance mutations) and the provably-fair game integrity surface (commit-reveal cryptography, seed derivation, server-side game state). Thirteen issues were identified: four High (wallet auth DoS via unstable challenge endpoint; deposit credited to wrong user via sender inference fallback; provably-fair guarantees weakened when client omits seed; server can choose serverSeed after seeing clientSeed), six Medium (mostly around WebSocket subscription enforcement, input validation, and verification consistency), and three Low. All findings were fixed by Fair Casino and verified by Zealynx.

TypeScript · Smart Contract Code Review · 2026-01-27 · Zealynx methodology
Total findings: 13 (13 fixed)
Critical: 0
High: 4
Medium: 6
Low + Info: 3

02 · Scope

6 files · 6,500 SLOC
Initial commit: 955864f390f5
Platform: TypeScript
Files in scope:
  • backend/src/services/deposit-monitor.ts
  • backend/src/services/auth
  • backend/src/services/withdrawal
  • backend/src/services/provably-fair
  • backend/src/websocket
  • frontend/verification utilities

03 · Findings

04 · Key Findings

  • Wallet authentication blocked by unstable challenge endpoint (H-01, fixed). The challenge endpoint returned HTTP 429 and 500 errors, blocking wallet login and effectively causing denial of service for legitimate users. Phantom never reached the signature step.
  • Deposits credited to the wrong user via sender inference fallback (H-02, fixed). When the parsed token transfer returned an unknown sender, the deposit monitor fell back to the first signer in the transaction. In multi-instruction transactions (aggregators, multisig, relayers) the first signer was not the depositor, so credit landed on the wrong account.
  • Provably-fair guarantees weakened when the client omits its seed (H-03, fixed). The session initialization allowed the server to generate both serverSeed and clientSeed when no client seed was provided, enabling cherry-picking of seed pairs that produced house-favorable outcomes while still passing verification.
  • Server could choose serverSeed after seeing clientSeed (H-04, fixed). The commit-reveal order was breakable: the server could observe clientSeed before committing to serverSeedHash, enabling outcome manipulation without detection by a verifier.
  • Six Medium findings covered client-seed validation (whitespace, low-entropy, no charset bounds), WebSocket crash events broadcast to all clients without subscription enforcement, WebSocket JWT validation bypassing the centralized HTTP controls, verification logic using a hash/derivation inconsistent with the one used in gameplay, hexadecimal-string bet amount coercion, and a duplicate Mines start that desynchronized client and server state.
  • Three Low findings covered Fairness "Verifier" producing "Verification Successful" results for games that never occurred (not bound to game history), insecure randomness in session ID generation, and a reflected request path in error responses (unnormalized route handling).
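The seed-handling findings above (H-03, H-04, the client-seed validation Medium and the history-unbound verifier Low) all come down to ordering and binding in the commit-reveal flow. The following is an added example written for this summary, not Fair Casino's code: it models a server that publishes `sha256(serverSeed)` before it will accept a client seed, refuses to substitute a client seed of its own, derives outcomes and verifies them with one shared function, and answers the verifier only for rounds it actually recorded. The function names, the client-seed charset rule, the HMAC-over-`clientSeed:nonce` derivation and the 0..99 outcome mapping are assumptions made for the example.

```typescript
import { createHash, createHmac, randomBytes } from "crypto";

// Hypothetical types and names for the example; not Fair Casino's code.
export interface Commitment { serverSeedHash: string }
export interface Session { serverSeed: string; serverSeedHash: string; clientSeed: string; nonce: number }
export interface GameRecord { gameId: string; serverSeedHash: string; clientSeed: string; nonce: number; outcome: number }

const sha256 = (s: string): string => createHash("sha256").update(s).digest("hex");

// Assumed client-seed policy (the report names the gaps, not the exact rule).
const CLIENT_SEED_RE = /^[A-Za-z0-9_-]{8,64}$/;

// Reject absent, whitespace-padded, out-of-charset and very low-variety seeds.
// The server never substitutes its own client seed: that fallback is what let
// it pick both halves of the seed pair (H-03).
export function validateClientSeed(seed: unknown): string {
  if (typeof seed !== "string" || seed.length === 0) throw new Error("client seed is required");
  if (seed !== seed.trim()) throw new Error("client seed must not have surrounding whitespace");
  if (!CLIENT_SEED_RE.test(seed)) throw new Error("client seed must be 8-64 chars of [A-Za-z0-9_-]");
  if (new Set(seed.split("")).size < 4) throw new Error("client seed has too few distinct characters");
  return seed;
}

// Step 1: the server draws serverSeed from a CSPRNG and publishes only its hash.
export function commitServerSeed(): { serverSeed: string; commitment: Commitment } {
  const serverSeed = randomBytes(32).toString("hex");
  return { serverSeed, commitment: { serverSeedHash: sha256(serverSeed) } };
}

// Step 2: the client seed arrives only after the commitment exists. The session is
// opened with the seed that hashes to the published commitment and nothing else,
// so the server cannot swap in a different serverSeed after seeing clientSeed (H-04).
export function openSession(serverSeed: string, published: Commitment, rawClientSeed: unknown): Session {
  if (sha256(serverSeed) !== published.serverSeedHash) {
    throw new Error("server seed does not match the published commitment");
  }
  return { serverSeed, serverSeedHash: published.serverSeedHash, clientSeed: validateClientSeed(rawClientSeed), nonce: 0 };
}

// One derivation shared by gameplay and verification (assumed: HMAC-SHA256 keyed
// with serverSeed over "clientSeed:nonce", first 32 bits reduced to 0..99).
export function deriveOutcome(serverSeed: string, clientSeed: string, nonce: number): number {
  const mac = createHmac("sha256", serverSeed).update(`${clientSeed}:${nonce}`).digest();
  return mac.readUInt32BE(0) % 100;
}

// Step 3: every round is recorded; the verifier answers only for recorded rounds.
export class GameHistory {
  private readonly records = new Map<string, GameRecord>();

  play(session: Session): GameRecord {
    const gameId = randomBytes(16).toString("hex"); // CSPRNG-backed id, not Math.random
    const outcome = deriveOutcome(session.serverSeed, session.clientSeed, session.nonce);
    const record: GameRecord = {
      gameId, serverSeedHash: session.serverSeedHash, clientSeed: session.clientSeed, nonce: session.nonce, outcome,
    };
    this.records.set(gameId, record);
    session.nonce += 1;
    return record;
  }

  // Step 4: once the server reveals serverSeed, anyone can check a recorded round.
  // Unknown game ids return false, so "Verification Successful" always refers to
  // a round that actually happened, and the recomputed outcome must match the
  // one that was paid out.
  verify(gameId: string, revealedServerSeed: string): boolean {
    const record = this.records.get(gameId);
    if (record === undefined) return false;
    if (sha256(revealedServerSeed) !== record.serverSeedHash) return false;
    return deriveOutcome(revealedServerSeed, record.clientSeed, record.nonce) === record.outcome;
  }
}
```

The order of calls is the control: `commitServerSeed` runs before any client input is read, `openSession` will only proceed with the seed behind the already-published hash, and because `deriveOutcome` is the single source of truth, a verifier that recomputes with it cannot drift from gameplay the way the inconsistent hash/derivation Medium describes.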

All thirteen issues were fixed by Fair Casino and verified by Zealynx during the validation pass.

05 · Team & approval

Lead Auditor: Fernando (@0xMrjory)
06 · Disclaimer

This audit is not an endorsement and does not constitute investment advice. Zealynx reviewed the codebase at the commits listed in section 02 over the engagement window. Findings are limited to issues identified within that scope and do not preclude the existence of other vulnerabilities. Subsequent code changes are not covered by this report unless the engagement is explicitly extended.

ZEALYNX SECURITY · published 2026-01-27 · 13 findings · TypeScript · full report available as PDF (38 pages)