Insufficient entropy in access code based access control mechanism
The access code that gated the staged rollout used a limited character set and length, making it brute-forceable under realistic conditions if rate-limit and challenge controls were ineffective.
Description
The access code used as part of the staged rollout access gating relied on limited character sets and length, making it vulnerable to brute force attacks under realistic conditions. Combined with M-01 (WAF rate limiting bypassable by switching browsers), the effective protection against guessing was weaker than the design intended.
Impact
Informational. Reduces the strength of the access gating mechanism; not a direct vulnerability in the swap functionality itself.
Recommendation
Increase the access code length and character set entropy. Couple the code with a per-IP / per-client rate limit that survives browser switching (see M-01). Consider replacing the shared code model with per-user, single-use codes for high-assurance gating.
Novaswap: Confirmed. Zealynx: Fixed.