# Scan Notes: Cosmos `iavl`

Date: 2026-02-15
Repo: https://github.com/cosmos/iavl
Program: HackerOne Cosmos (top-paying export)

## Quick Results

Semgrep (`p/security-audit` + `p/owasp-top-ten`):

- 7 findings
  - 4 `unsafe` blocks in Go
  - 2 `math/rand` usage (non-crypto RNG)
  - 1 `use-tls` warning

Trufflehog (filesystem, filtered, no verification):

- 0 results