F-2025-0026·consensus
Insufficient confirmation depth for reorg protection
TL;DR
Transactions were treated as final after a confirmation depth lower than recommended for the targeted chains, leaving a small reorg window during which actions could be reversed.
Severity
LOW
Impact
MEDIUM
Likelihood
LOW
Method
Manual review
Complexity
MEDIUM
Exploitability
LOW
Description
The widget treated transactions as final after a confirmation depth that did not match the recommended reorg-safe depth for the targeted chains. A short reorg could therefore reverse actions that the widget had already considered settled.
Recommendation
Match the confirmation depth to the per-chain reorg-safe value. For chains with probabilistic finality, use the recommended depth from the chain documentation; for chains with deterministic finality, use the finality signal directly.
Initia: Acknowledged. Pashov Audit Group: Acknowledged.
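One way to implement the recommendation above, as an added example that is not the widget's or the auditors' code. The chain ids, the depth value, and the shape of the `view` object (`head`, `finalized`, `hashAt`) are constructed assumptions; real depths must come from each chain's documentation.

```javascript
// Added example: per-chain finality policy. Chain ids and the depth are
// constructed placeholders, not values from any chain's documentation.
const FINALITY_POLICY = {
  "example-pow-chain": { kind: "probabilistic", minDepth: 12 },
  "example-bft-chain": { kind: "deterministic" },
};

// Builds a constructed chain view for demonstration: current head height,
// latest finalized height (if the chain exposes one), canonical hash lookup.
function makeView(head, finalized, hashes) {
  return { head, finalized, hashAt: (n) => hashes[n] };
}

// tx:   { chainId, blockNumber, blockHash } recorded when the tx was first seen
// view: current chain view as returned by makeView (assumed shape)
function settlementStatus(tx, view, policy = FINALITY_POLICY) {
  const rule = policy[tx.chainId];
  // Fail closed: an unconfigured chain never inherits a default depth.
  if (!rule) return { status: "unknown-chain", final: false };

  // Reorg check: the block the tx was seen in must still be canonical.
  // A missing hash (head rolled back below the block) also counts as reorged.
  if (view.hashAt(tx.blockNumber) !== tx.blockHash) {
    return { status: "reorged", final: false };
  }

  if (rule.kind === "deterministic") {
    // Use the chain's finality signal directly; depth is not consulted.
    const final =
      Number.isInteger(view.finalized) && tx.blockNumber <= view.finalized;
    return { status: final ? "final" : "pending", final };
  }

  // Probabilistic finality: count confirmations (inclusion block counts as 1)
  // and compare against the per-chain reorg-safe depth.
  const confirmations = view.head - tx.blockNumber + 1;
  const final = confirmations >= rule.minDepth;
  return { status: final ? "final" : "pending", final, confirmations };
}
```

Callers should act only on `final === true` and treat `reorged` as a signal to roll back any state derived from the transaction.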