ava-labs · maru-ava · Oct 31, 2025 · Sep 10, 2025 · Sep 10, 2025 · Sep 11, 2025
@@ -61,7 +61,7 @@ linters:
     - goconst
     - gocritic
     - goprintffuncname
-    # - gosec
+    - gosec
     - govet
     - importas
     - ineffassign
@@ -244,3 +244,12 @@ linters:
       - common-false-positives
       - legacy
       - std-error-handling
+    rules:
+      # Exclude some linters from running on test files.
+      # 1. Exclude the top level tests/ directory.
+      # 2. Exclude any file prefixed with test_ in any directory.
+      # 3. Exclude any directory suffixed with test.
+      # 4. Exclude any file suffixed with _test.go.
+      - path: "(^tests/)|(^(.*/)*test_[^/]*\\.go$)|(.*test/.*)|(.*_test\\.go$)"
+        linters:
+          - gosec
@@ -14,6 +14,8 @@ import (
 	"github.com/ava-labs/libevm/log"
 	"github.com/prometheus/client_golang/prometheus"
 	"github.com/prometheus/client_golang/prometheus/promhttp"
+
+	"github.com/ava-labs/coreth/rpc"
 )
 
 type Metrics struct {
@@ -66,7 +68,8 @@ func (m *Metrics) Serve(ctx context.Context, metricsPort string, metricsEndpoint
 	ctx, cancel := context.WithCancel(ctx)
 	// Create a prometheus server to expose individual tx metrics
 	server := &http.Server{
-		Addr: ":" + metricsPort,
+		Addr:              ":" + metricsPort,
+		ReadHeaderTimeout: rpc.DefaultHTTPTimeouts.ReadHeaderTimeout,
 	}
 
 	// Start up go routine to listen for SIGINT notifications to gracefully shut down server

@@ -1678,7 +1678,7 @@ func ReexecCorruptedStateTest(t *testing.T, create ReexecTestFunc) {
 	require.NoError(t, blockchain.Accept(chain[0]))
 
 	// Simulate a crash by updating the acceptor tip
-	blockchain.writeBlockAcceptedIndices(chain[1])
+	require.NoError(t, blockchain.writeBlockAcceptedIndices(chain[1]))
 	blockchain.Stop()
 
 	// Restart blockchain with existing state

@@ -311,7 +311,7 @@ func (fs *fuzzState) deleteStorage(accountIndex int, storageIndexInput uint64) {
 func FuzzTree(f *testing.F) {
 	f.Fuzz(func(t *testing.T, randSeed int64, byteSteps []byte) {
 		fuzzState := newFuzzState(t)
-		rand := rand.New(rand.NewSource(randSeed))
+		rand := rand.New(rand.NewSource(randSeed)) // this isn't a good fuzz test, but it is reproducible.
 
 		for range 10 {
 			fuzzState.createAccount()

@@ -177,7 +177,11 @@ func (n *network) SendAppRequestAny(ctx context.Context, minVersion *version.App
 
 	n.lock.Lock()
 	defer n.lock.Unlock()
-	if nodeID, ok := n.peers.GetAnyPeer(minVersion); ok {
+	nodeID, ok, err := n.peers.GetAnyPeer(minVersion)
+	if err != nil {
+		return ids.EmptyNodeID, err
+	}
+	if ok {
 		return nodeID, n.sendAppRequest(ctx, nodeID, request, handler)
 	}
 

@@ -5,7 +5,6 @@ package network
 
 import (
 	"math"
-	"math/rand"
 	"time"
 
 	"github.com/ava-labs/avalanchego/ids"
@@ -14,6 +13,8 @@ import (
 	"github.com/ava-labs/libevm/log"
 	"github.com/ava-labs/libevm/metrics"
 
+	"github.com/ava-labs/coreth/utils/rand"
+
 	safemath "github.com/ava-labs/avalanchego/utils/math"
 )
 
@@ -66,17 +67,21 @@ func NewPeerTracker() *peerTracker {
 
 // shouldTrackNewPeer returns true if we are not connected to enough peers.
 // otherwise returns true probabilistically based on the number of tracked peers.
-func (p *peerTracker) shouldTrackNewPeer() bool {
+func (p *peerTracker) shouldTrackNewPeer() (bool, error) {
 	numResponsivePeers := p.responsivePeers.Len()
 	if numResponsivePeers < desiredMinResponsivePeers {
-		return true
+		return true, nil
 	}
 	if len(p.trackedPeers) >= len(p.peers) {
 		// already tracking all the peers
-		return false
+		return false, nil
 	}
 	newPeerProbability := math.Exp(-float64(numResponsivePeers) * newPeerConnectFactor)
-	return rand.Float64() < newPeerProbability
+	randomValue, err := rand.SecureFloat64()
+	if err != nil {
+		return false, err
+	}
+	return randomValue < newPeerProbability, nil
 }
 
 // getResponsivePeer returns a random [ids.NodeID] of a peer that has responded
@@ -94,8 +99,12 @@ func (p *peerTracker) getResponsivePeer() (ids.NodeID, safemath.Averager, bool)
 	return nodeID, peer.bandwidth, true
 }
 
-func (p *peerTracker) GetAnyPeer(minVersion *version.Application) (ids.NodeID, bool) {
-	if p.shouldTrackNewPeer() {
+func (p *peerTracker) GetAnyPeer(minVersion *version.Application) (ids.NodeID, bool, error) {
+	shouldTrackNewPeer, err := p.shouldTrackNewPeer()
+	if err != nil {
+		return ids.NodeID{}, false, err
+	}
+	if shouldTrackNewPeer {
 		for nodeID := range p.peers {
 			// if minVersion is specified and peer's version is less, skip
 			if minVersion != nil && p.peers[nodeID].version.Compare(minVersion) < 0 {
@@ -106,7 +115,7 @@ func (p *peerTracker) GetAnyPeer(minVersion *version.Application) (ids.NodeID, b
 				continue
 			}
 			log.Debug("peer tracking: connecting to new peer", "trackedPeers", len(p.trackedPeers), "nodeID", nodeID)
-			return nodeID, true
+			return nodeID, true, nil
 		}
 	}
 	var (
@@ -115,18 +124,23 @@ func (p *peerTracker) GetAnyPeer(minVersion *version.Application) (ids.NodeID, b
 		random   bool
 		averager safemath.Averager
 	)
-	if rand.Float64() < randomPeerProbability {
+	randomValue, err := rand.SecureFloat64()
+	switch {
+	case err != nil:
+		return ids.NodeID{}, false, err
+	case randomValue < randomPeerProbability:
 		random = true
 		nodeID, averager, ok = p.getResponsivePeer()
-	} else {
+	default:
 		nodeID, averager, ok = p.bandwidthHeap.Pop()
 	}
 	if ok {
 		log.Debug("peer tracking: popping peer", "nodeID", nodeID, "bandwidth", averager.Read(), "random", random)
-		return nodeID, true
+		return nodeID, true, err
 	}
 	// if no nodes found in the bandwidth heap, return a tracked node at random
-	return p.trackedPeers.Peek()
+	nodeID, ok = p.trackedPeers.Peek()
+	return nodeID, ok, nil
 }
 
 func (p *peerTracker) TrackPeer(nodeID ids.NodeID) {

@@ -28,7 +28,8 @@ func TestPeerTracker(t *testing.T) {
 
 	// Expect requests to go to new peers until we have desiredMinResponsivePeers responsive peers.
 	for i := 0; i < desiredMinResponsivePeers+numExtraPeers/2; i++ {
-		peer, ok := p.GetAnyPeer(nil)
+		peer, ok, err := p.GetAnyPeer(nil)
+		require.NoError(err)
 		require.True(ok)
 		require.NotNil(peer)
 
@@ -54,7 +55,8 @@ func TestPeerTracker(t *testing.T) {
 	// Expect requests to go to responsive or new peers, so long as they are available
 	numRequests := 50
 	for i := 0; i < numRequests; i++ {
-		peer, ok := p.GetAnyPeer(nil)
+		peer, ok, err := p.GetAnyPeer(nil)
+		require.NoError(err)
 		require.True(ok)
 		require.NotNil(peer)
 
@@ -78,7 +80,8 @@ func TestPeerTracker(t *testing.T) {
 	}
 
 	// Requests should fall back on non-responsive peers when no other choice is left
-	peer, ok := p.GetAnyPeer(nil)
+	peer, ok, err := p.GetAnyPeer(nil)
+	require.NoError(err)
 	require.True(ok)
 	require.NotNil(peer)
 

@@ -142,7 +142,7 @@ func allFieldsSet[T interface {
 				if fieldValue.Kind() == reflect.Ptr {
 					require.Falsef(t, fieldValue.IsNil(), "field %q is nil", field.Name)
 				}
-				fieldValue = reflect.NewAt(fieldValue.Type(), unsafe.Pointer(fieldValue.UnsafeAddr())).Elem() //nolint:gosec
+				fieldValue = reflect.NewAt(fieldValue.Type(), unsafe.Pointer(fieldValue.UnsafeAddr())).Elem()
 			}
 
 			switch f := fieldValue.Interface().(type) {

@@ -47,13 +47,10 @@ func TestMarshalBlockResponse(t *testing.T) {
 		_, err := rand.Read(blocksBytes[i])
 		require.NoError(t, err)
 	}
-
 	blockResponse := BlockResponse{
 		Blocks: blocksBytes,
 	}
-
 	base64BlockResponse := "AAAAAAAgAAAAIU8WP18PmmIdcpVmx00QA3xNe7sEB9HixkmBhVrYaB0NhgAAADnR6ZTSxCKs0gigByk5SH9pmeudGKRHhARdh/PGfPInRumVr1olNnlRuqL/bNRxxIPxX7kLrbN8WCEAAAA6tmgLTnyLdjobHUnUlVyEhiFjJSU/7HON16nii/khEZwWDwcCRIYVu9oIMT9qjrZo0gv1BZh1kh5migAAACtb3yx/xIRo0tbFL1BU4tCDa/hMcXTLdHY2TMPb2Wiw9xcu2FeUuzWLDDtSAAAAO12heG+f69ehnQ97usvgJVqlt9RL7ED4TIkrm//UNimwIjvupfT3Q5H0RdFa/UKUBAN09pJLmMv4cT+NAAAAMpYtJOLK/Mrjph+1hrFDI6a8j5598dkpMz/5k5M76m9bOvbeA3Q2bEcZ5DobBn2JvH8BAAAAOfHxekxyFaO1OeseWEnGB327VyL1cXoomiZvl2R5gZmOvqicC0s3OXARXoLtb0ElyPpzEeTX3vqSLQAAACc2zU8kq/ffhmuqVgODZ61hRd4e6PSosJk+vfiIOgrYvpw5eLBIg+UAAAAkahVqnexqQOmh0AfwM8KCMGG90Oqln45NpkMBBSINCyloi3NLAAAAKI6gENd8luqAp6Zl9gb2pjt/Pf0lZ8GJeeTWDyZobZvy+ybJAf81TN4AAAA8FgfuKbpk+Eq0PKDG5rkcH9O+iZBDQXnTr0SRo2kBLbktGE/DnRc0/1cWQolTu2hl/PkrDDoXyQKL6ZFOAAAAMwl50YMDVvKlTD3qsqS0R11jr76PtWmHx39YGFJvGBS+gjNQ6rE5NfMdhEhFF+kkrveK4QAAADhRwAdVkgww7CmjcDk0v1CijaECl13tp351hXnqPf5BNqv3UrO4Jx0D6USzyds2a3UEX479adIq5QAAADpBGUfLVbzqQGsy1hCL1oWE9X43yqxuM/6qMmOjmUNwJLqcmxRniidPAakQrilfbvv+X1q/RMzeJjtWAAAAKAZjPn05Bp8BojnENlhUw69/a0HWMfkrmo0S9BJXMl//My91drBiBVYAAAAqMEo+Pq6QGlJyDahcoeSzjq8/RMbG74Ni8vVPwA4J1vwlZAhUwV38rKqKAAAAOyzszlo6lLTTOKUUPmNAjYcksM8/rhej95vhBy+2PDXWBCxBYPOO6eKp8/tP+wAZtFTVIrX/oXYEGT+4AAAAMpZnz1PD9SDIibeb9QTPtXx2ASMtWJuszqnW4mPiXCd0HT9sYsu7FdmvvL9/faQasECOAAAALzk4vxd0rOdwmk8JHpqD/erg7FXrIzqbU5TLPHhWtUbTE8ijtMHA4FRH9Lo3DrNtAAAAPLz97PUi4qbx7Qr+wfjiD6q+32sWLnF9OnSKWGd6DFY0j4khomaxHQ8zTGL+UrpTrxl3nLKUi2Vw/6C3cwAAADqWPBMK15dRJSEPDvHDFAkPB8eab1ccJG8+msC3QT7xEL1YsAznO/9wb3/0tvRAkKMnEfMgjk5LictRAAAAJ2XOZAA98kaJKNWiO5ynQPgMk4LZxgNK0pYMeWUD4c4iFyX1DK8fvwAAADtcR6U9v459yvyeE4ZHpLRO1LzpZO1H90qllEaM7TI8t28NP6xHbJ+wP8kij7roj9WAZjoEVLaDEiB/CgAAADc7WExi1QJ84VpPClglDY+1Dnfyv08BUuXUlDWAf51Ll75vt3lwRmpWJv4zQIz56I4seXQIoy0pAAAAKkFrryBqmDIJgsharXA4SFnAWksTodWy9b/vWm7ZLaSCyqlWjltv6dip3QAAAC7Z6wkne1AJRMvoAKCxUn6mRymoYdL2SXoyNcN/QZJ3nsHZazscVCT84LcnsDByAAAAI+ZAq8lEj93rIZHZRcBHZ6+Eev0O212IV7eZrLGOSv+r4wN/AAAAL/7MQW5zTTc8Xr68nNzFlbzOPHvT2N+T+rfhJd3rr+ZaMb1dQeLSzpwrF4kvD+oZAAAAMTGikNy/poQG6HcHP/CINOGXpANKpIr6P4W4picIyuu6yIC1uJuT2lOBAWRAIQTmSLYAAAA1ImobDzE6id38RUxfj3KsibOLGfU3hMGem+rAPIdaJ9sCneN643pCMYgTSHaFkpNZyoxeuU4AAAA9FS3Br0LquOKSXG2u5N5e+fnc8I38vQK4CAk5hYWSig995QvhptwdV2joU3mI/dzlYum5SMkYu6PpM+XEAAAAAC3Nrne6HSWbGIpLIchvvCPXKLRTR+raZQryTFbQgAqGkTMgiKgFvVXERuJesHU="
-
 	blockResponseBytes, err := Codec.Marshal(Version, blockResponse)
 	require.NoError(t, err)
 	require.Equal(t, base64BlockResponse, base64.StdEncoding.EncodeToString(blockResponseBytes))

@@ -37,6 +37,7 @@ func TestMarshalCodeResponse(t *testing.T) {
 	// generate some random code data
 	// set random seed for deterministic random
 	rand := rand.New(rand.NewSource(1))
+
 	codeData := make([]byte, 50)
 	_, err := rand.Read(codeData)
 	require.NoError(t, err)
@@ -46,7 +47,6 @@ func TestMarshalCodeResponse(t *testing.T) {
 	}
 
 	base64CodeResponse := "AAAAAAABAAAAMlL9/AchgmVPFj9fD5piHXKVZsdNEAN8TXu7BAfR4sZJgYVa2GgdDYbR6R4AFnk5y2aU"
-
 	codeResponseBytes, err := Codec.Marshal(Version, codeResponse)
 	require.NoError(t, err)
 	require.Equal(t, base64CodeResponse, base64.StdEncoding.EncodeToString(codeResponseBytes))

@@ -119,7 +119,7 @@ func StateSyncToggleEnabledToDisabledTest(t *testing.T, testSetup *SyncTestSetup
 	require := require.New(t)
 	reqCount := 0
 	test := SyncTestParams{
-		SyncableInterval:   256,
+		SyncableInterval:   vmsync.BlocksToFetch,
 		StateSyncMinBlocks: 50, // must be less than [syncableInterval] to perform sync
 		SyncMode:           block.StateSyncStatic,
 		responseIntercept: func(syncerVM extension.InnerVM, nodeID ids.NodeID, requestID uint32, response []byte) {
@@ -251,7 +251,7 @@ func VMShutdownWhileSyncingTest(t *testing.T, testSetup *SyncTestSetup) {
 	)
 	reqCount := 0
 	test := SyncTestParams{
-		SyncableInterval:   256,
+		SyncableInterval:   vmsync.BlocksToFetch,
 		StateSyncMinBlocks: 50, // must be less than [syncableInterval] to perform sync
 		SyncMode:           block.StateSyncStatic,
 		responseIntercept: func(syncerVM extension.InnerVM, nodeID ids.NodeID, requestID uint32, response []byte) {

@@ -0,0 +1,32 @@
+// Copyright (C) 2019-2025, Ava Labs, Inc. All rights reserved.
+// See the file LICENSE for licensing terms.
+
+package rand
+
+import (
+	"crypto/rand"
+	"math/big"
+)
+
+// Credit to Brandur Leach (@Brandur) for this implementation.
+// https://brandur.org/fragments/crypto-rand-float64
+
+// Intn is a shortcut for generating a random integer between 0 and
+// n using crypto/rand.
+func Intn(n int64) (int64, error) {
+	nBig, err := rand.Int(rand.Reader, big.NewInt(n))
+	if err != nil {
+		return 0, err
+	}
+	return nBig.Int64(), nil
+}
+
+// SecureFloat64 is a shortcut for generating a random float between 0 and
+// 1 using crypto/rand.
+func SecureFloat64() (float64, error) {
+	n, err := Intn(1 << 53)
+	if err != nil {
+		return 0, err
+	}
+	return float64(n) / (1 << 53), nil
+}