Developers Forum for XinFin XDC Network

jamesdula82
jamesdula82

Posted on

Verification Request: Security Disclosure Claims Involving PrimeStaking / Prime Numbers Labs

I'm posting this here because I haven't received a response through other channels, and I'd like XDC's developer/core team to weigh in directly on a claim that's been circulating.
Background: I've been in direct contact with Arturo Cantera, founder of Prime Numbers Labs (PrimeStaking, primestaking.xyz), originally regarding a withdrawal delay. During that conversation he disclosed a security claim I've been trying to verify since.
Verifiable, on-chain:
March 22, 2026, 11:17:43 AM UTC — IDM transaction: "XDC Security Audit — Responsible Disclosure | Prime Numbers Labs | 60 findings reported to XDC Team | Report SHA256: f42d6f461e7bfdbfd005d26a349ed3f4a891c3fbfd13e46ba2a25ddfb75c4f78"
March 25, 2026, 09:18:52 AM UTC — follow-up: "Prime Numbers Labs still has access | Vulnerability remains unpatched..."
Not verifiable, and internally inconsistent:
Verbally, he claimed control of 225-226 of "256 total nodes," with the ability to reorganize blocks, double-spend, and fork the network. When I noted XDC's actual masternode count is documented at 108, he confirmed that number — then later gave me a third figure, 303 total nodes.
My ask: Did XDC Network receive a responsible disclosure matching the March 22 timestamp/hash above? Was any validator-level vulnerability confirmed, and what was its actual scope? Was it patched?
I've also filed this as GitHub issue #2471 on XinFinOrg/XDPoSChain. Happy to provide transaction hashes directly.

Discussion (0)