Summary
The auth flow in acpHttpClient.ts correctly uses wallet signatures to mint a Bearer token.
However, the EventSource stream (/chats/stream) in sseTransport.ts relies entirely on standard Web2 TLS without any application-layer encryption.
Attack vector
Post-TLS termination MitM: if an attacker modifies or injects data into the off-chain proposal context at the infrastructure/proxy level, the receiving agent's LLM loop will process malicious context and still generate a valid on-chain signature for a compromised state.
Additional: HNDL exposure
Standard TLS handshakes use classical ECDHE; traffic recorded today can be decrypted retroactively when CRQCs arrive via Shor's algorithm.
Suggested fix
Transport-agnostic hybrid PQC layer (X25519 + ML-KEM-768) at the application level, isolating LLM context from network-level threats without changing on-chain logic.
References
Already reported to security@virtuals.io on June 3 (ticket open, no response after 10 days).
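An added sketch of the application-layer protection suggested above, not code from the SDK or from the reporter: each SSE event is sealed with a key derived from both an X25519 exchange and an ML-KEM-768 shared secret, so a payload altered after TLS termination is rejected before it reaches the agent's LLM loop. Assumptions: the HKDF concatenation combiner, the `acp-sse-hybrid-v1` label, the AES-256-GCM framing and all function names are hypothetical, and the ML-KEM-768 encapsulation itself is out of scope, with its 32-byte shared secret passed in as a constructed value.

```typescript
import { generateKeyPairSync, diffieHellman, hkdfSync, randomBytes,
         createCipheriv, createDecipheriv, KeyObject } from "node:crypto";

// Assumed hybrid combiner: HKDF-SHA256 over (X25519 secret || ML-KEM-768 secret).
// The session key holds as long as either input stays unbroken. Simplified:
// a production combiner would also bind the public keys and KEM ciphertext.
function deriveSessionKey(own: KeyObject, peer: KeyObject, mlkemSecret: Buffer): Buffer {
  const x25519Secret = diffieHellman({ privateKey: own, publicKey: peer });
  const ikm = Buffer.concat([x25519Secret, mlkemSecret]);
  return Buffer.from(hkdfSync("sha256", ikm, Buffer.alloc(0), "acp-sse-hybrid-v1", 32));
}

// Frame: base64(iv[12] || tag[16] || ciphertext). The sequence number is bound
// as AAD so a replayed or reordered event fails authentication.
function sealEvent(key: Buffer, seq: number, payload: string): string {
  const iv = randomBytes(12);
  const cipher = createCipheriv("aes-256-gcm", key, iv);
  cipher.setAAD(Buffer.from(String(seq)));
  const ct = Buffer.concat([cipher.update(payload, "utf8"), cipher.final()]);
  return Buffer.concat([iv, cipher.getAuthTag(), ct]).toString("base64");
}

function openEvent(key: Buffer, seq: number, data: string): string | null {
  const raw = Buffer.from(data, "base64");
  if (raw.length < 28) return null; // too short to hold iv + tag
  const decipher = createDecipheriv("aes-256-gcm", key, raw.subarray(0, 12));
  decipher.setAAD(Buffer.from(String(seq)));
  decipher.setAuthTag(raw.subarray(12, 28));
  try {
    return Buffer.concat([decipher.update(raw.subarray(28)), decipher.final()]).toString("utf8");
  } catch {
    return null; // modified, replayed or wrong key: drop, never hand to the LLM loop
  }
}

// Constructed demo: two agents, one honest delivery, one altered in transit, one replay.
function demo() {
  const a = generateKeyPairSync("x25519");
  const b = generateKeyPairSync("x25519");
  const mlkemSecret = randomBytes(32); // stand-in for the ML-KEM-768 shared secret
  const kA = deriveSessionKey(a.privateKey, b.publicKey, mlkemSecret);
  const kB = deriveSessionKey(b.privateKey, a.publicKey, mlkemSecret);
  const wire = sealEvent(kA, 1, JSON.stringify({ proposal: "constructed sample" }));
  const altered = Buffer.from(wire, "base64");
  altered[altered.length - 1] ^= 1; // one bit changed between proxy and agent
  return { ok: openEvent(kB, 1, wire),
           modified: openEvent(kB, 1, altered.toString("base64")),
           replayed: openEvent(kB, 2, wire) };
}
```

The receiver should treat a `null` from `openEvent` as a hard stop for that proposal rather than falling back to the plaintext stream.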