# Scan Notes: Cosmos `gaia`

Date: 2026-02-15
Repo: https://github.com/cosmos/gaia
Program: HackerOne Cosmos (top-paying export)

## Quick Results

Semgrep (`p/security-audit` + `p/owasp-top-ten`):

- 18 findings total
- Mostly non-app findings:
  - Terraform public IP / IMDS / provisioner exec warnings
  - JS `postMessage` wildcard configuration warnings (docs/tools)
  - Python `subprocess(..., shell=True)` warnings (scripts)
- 1 Go `math/rand` usage (non-crypto RNG)

Trufflehog (filesystem, filtered, no verification):

- 1 detection: Algolia key in `docs/docusaurus.config.js` (appears to be a public/search key, not an admin key)

## Next Places To Look (Manual)

- Any RPC or REST surfaces exposed by the node, and input parsing around them
- Key management and signing boundaries