RIP-201 bucket normalization spoofing PoC #551

Merged
Scottcjn merged 2 commits into Scottcjn:main from liu971227-sys:bounty/492-bucket-spoof
Mar 3, 2026

Conversation

@liu971227-sys
Contributor

Summary

  • add a reproducible RIP-201 bucket spoofing report
  • add tests showing a modern x86 host can claim PowerPC/G4 and be accepted by /attest/submit
  • add a standalone PoC script quantifying the reward impact of the spoofed bucket claim

Bounty

  • rustchain-bounties#492

Technique

  • submit a modern x86 attestation while claiming device_family=PowerPC and device_arch=G4
  • provide only the minimum anti-emulation fingerprint evidence
  • rely on the server trusting the claimed hardware class enough to grant G4 enrollment weight and route the miner into vintage_powerpc

Validation

  • python -m pytest tests/test_rip201_bucket_spoof.py -v
  • python tools/rip201_bucket_spoof_poc.py

Current Result

  • spoofed Intel Xeon Platinum + claimed G4 attestation is accepted with fingerprint_passed=True
  • enrolled weight is 2.5
  • classify_miner_bucket("g4") routes the miner into vintage_powerpc
  • in a sample epoch with 10 honest modern miners, the spoofed miner receives 550000 uRTC while each honest modern miner receives 55000 uRTC (10x gain)

@github-actions bot added the documentation, BCOS-L1, tests and size/L labels Mar 3, 2026

@liu971227-sys
Contributor Author

Validation completed locally for the current PoC:

  • python -m pytest tests/test_rip201_bucket_spoof.py -v
    • result: 3 passed
  • python tools/rip201_bucket_spoof_poc.py
    • result: spoofed Intel Xeon Platinum / claimed G4 is accepted, bucket=vintage_powerpc, enrolled weight=2.5, and the sample epoch impact is 550000 uRTC vs 55000 uRTC per honest modern miner (10x gain)

This draft PR is intentionally focused on reproducible exploit evidence + mitigation notes for bounty #492.

@liu971227-sys
Contributor Author

Added a follow-up commit with live black-box validation against https://50.28.86.131.

Live reproduction summary:

  • Submitted POST /attest/submit with device_family=PowerPC, device_arch=G4, cpu="Intel Xeon Platinum", and only the minimal anti_emulation fingerprint check.
  • The live server returned 200 OK with ok: true, status: "accepted", and fingerprint_passed: true.
  • GET /api/badge/bucket-spoof-live-492a then showed Active (2.5x).
  • GET /api/miners listed the miner as PowerPC G4 (Vintage) with antiquity_multiplier: 2.5.

That is now documented in docs/rip201_bucket_spoof.md and pushed in commit f54a18e.

@Scottcjn
Owner

Scottcjn commented Mar 3, 2026

Quality red-team work. Paid 150 RTCRTCa320f4334e7500987bce2fa0475f089ae9cd90e3 (pending ID 538) per bounty #492.

The bucket normalization spoofing vector is confirmed — will implement the recommended fixes (cross-validate CPU brand vs claimed arch, require SIMD evidence for vintage claims).

@Scottcjn Scottcjn marked this pull request as ready for review March 3, 2026 14:07
@Scottcjn Scottcjn merged commit 6427225 into Scottcjn:main Mar 3, 2026
5 checks passed
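
The two fixes named in the owner's comment above (cross-validating CPU brand against the claimed arch, requiring SIMD evidence for vintage claims), as a server-side check. This is an added example, not code from the PR or from RustChain; the `fingerprint.checks` layout, the `altivec` check name, the brand list and `validate_vintage_claim` are assumptions, and only the G4 claim is covered.

```python
import re

# Constructed list of brand tokens that only appear on x86 hosts.
X86_BRAND = re.compile(r"\b(intel|amd|xeon|ryzen|epyc)\b", re.IGNORECASE)

# Claimed arch -> SIMD check a genuine host must pass (check name is assumed).
REQUIRED_SIMD = {"g4": "altivec"}


def validate_vintage_claim(att):
    """Return (accepted, reason) for one attestation payload (layout assumed)."""
    family = str(att.get("device_family", "")).lower()
    arch = str(att.get("device_arch", "")).lower()
    cpu = str(att.get("cpu", ""))
    checks = (att.get("fingerprint") or {}).get("checks") or {}

    if arch not in REQUIRED_SIMD:
        return True, "arch not covered by vintage checks"
    if family != "powerpc":
        return False, "claimed arch requires device_family=PowerPC"
    # Fix 1: the reported CPU brand must not contradict the claimed arch.
    if X86_BRAND.search(cpu):
        return False, "cpu brand contradicts claimed arch"
    # Fix 2: anti_emulation alone is not enough; SIMD evidence is required.
    simd = checks.get(REQUIRED_SIMD[arch])
    if not (isinstance(simd, dict) and simd.get("passed") is True):
        return False, "missing SIMD evidence for vintage claim"
    return True, "vintage claim consistent"


# Constructed payloads: the claim described in this PR and a consistent report.
SPOOFED = {
    "device_family": "PowerPC", "device_arch": "G4",
    "cpu": "Intel Xeon Platinum",
    "fingerprint": {"checks": {"anti_emulation": {"passed": True}}},
}
CONSISTENT = {
    "device_family": "PowerPC", "device_arch": "G4",
    "cpu": "PowerPC 7447A",
    "fingerprint": {"checks": {"anti_emulation": {"passed": True},
                               "altivec": {"passed": True}}},
}

if __name__ == "__main__":
    for name, att in (("spoofed", SPOOFED), ("consistent", CONSISTENT)):
        print(name, validate_vintage_claim(att))
```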