Researching the failure modes of decentralised infrastructure

Decentralised networks still fail at the protocol boundary.

NullRabbit investigates how hostile or malformed network inputs become computation, memory pressure, bandwidth consumption, validator downtime and economic loss.

We reproduce the mechanisms, preserve the evidence, and build defences that can act before a node absorbs the full cost.

Explore the research →
Something's wrong with my node→ SymptomsBrowse NRDAX→ RegistryView live network risk→ SlashrReport an incident→ Intake
[01] · The neglected attack surface

Between the contract and the server, there is a boundary no one watches.

Most security systems monitor what happens above the node, or after the node begins to fail. NullRabbit studies the hostile input and the mechanism that produced the failure: the point where a small or inexpensive network message forces a validator into disproportionate work.

above
Contract & transaction security
Watches program logic and on-chain state. Blind to the node beneath it.
around
Conventional server monitoring
Reports CPU, memory and disk after the pressure has already landed.
the gap
The protocol boundary
Where an untrusted P2P, RPC or transport input first becomes expensive node work. Where NullRabbit looks.
Something's wrong with my node

Start with the error, not the theory.

Paste what you're seeing. Each entry routes onward to whatever exists: the mechanism, an advisory, an NRDAX technique, a research post, or the incident intake. Where there is no explanation yet, it says so.

solana-rpc-429-getprogramaccounts-timeout
RPC returns 429, calls time outMechanism
validator-stuck-catching-up-snapshot-slow
Validator will not finish catch-upAdvisory
packet-loss-af-xdp-drops-iops-saturation
AF_XDP drops under IOPS saturationResearch
different-blockhash-across-rpc-endpoints
Endpoints disagree on blockhashOpen · intake
[02] · Latest evidence
Research index →
Advisory2026-07-13
How unauthenticated simulateTransaction requests saturate an Agave RPC node's executor pool
research · advisory · solana
Advisory2026-07-13
How CometBFT's SecretConnection handshake spends CPU before authenticating the peer
research · advisory · cosmos
Advisory2026-07-13
How unbounded HTTP/2 concurrent streams let one TCP connection OOM-kill an IOTA node's public gRPC server
research · advisory · iota
Registry2026-07-13
NRDAX: browsable by chain and family, readable by machines
nrdax · security-research · taxonomy
Advisory2026-07-13
How an unauthenticated TLS half-open flood pins rippled's memory and crashes it under low file-descriptor limits
research · advisory · xrp
Registry2026-07-11
NRDAX now includes known-but-not-reproduced techniques
nrdax · security-research · taxonomy
Corrections & retractions

Published self-falsification is what makes the rest of the advisories worth reading. When a finding does not survive re-verification, NullRabbit pulls it and says why.

RETRACTEDThe 99% was wrong. So was the 0.32.2026-06-09METHODHow we decide a finding is real before we tell you about it2026-05-27DOCTRINEAnyone can knock a validator over once. The skill is designing an attack you can learn from.2026-06-02
[03] · Research areas
A1Active
Transport & P2P attacks
Malformed gossip, eclipse and churn at the wire.
A2Active
RPC & request asymmetry
Cheap calls, disproportionate server cost.
A3Active
Validator availability
How nodes lose liveness under pressure.
A4Active
Cross-chain mechanism transfer
When an attack moves between implementations.
A5Datasets
Adversarial traffic datasets
Attack and benign captures, published.
A6Active
Detection at the wire boundary
Identifying the input before the cost lands.
A7Paper
Earned Autonomy
How automated defence earns authority to act.
A8Active
Incident reconstruction
Rebuilding what happened from the evidence.
[04] · How the work is recorded

Research that stops at a blog post decays. NullRabbit gives every mechanism it finds a permanent identity and a live view.

1Observe
2Investigate
3Classify
4Publish
5Detect
TBL.1 · Mechanism axis: how the input becomes cost4 families · topical axis maps alongside
01memory_ampnetwork-p2p · consensus×211
02compute_ampnetwork-rpc · ledger-tx×161
03connection_exhaustionnetwork-p2p×142
04gossip_abusenetwork-p2p×134
2,103
Corpus v3 · bundles
full versioned set, internal reference
1,092
Public sample
10 families · 19 primitives · Hugging Face
31
Latest snapshot
schema-pinned observations · 2026-05-13
[05] · Evidence, not claims

What every finding is expected to carry.

01Packet captures
02Reproducible workloads
03Affected implementations & versions
04Host & network telemetry
05Attack and benign datasets
06Cross-chain comparison
07Permanent technique identifiers
08Dated advisories
09Clearly stated uncertainty
10Published corrections
[06] · Who is behind the work

NullRabbit is led by an independent researcher focused on transport-layer attacks, validator failure and autonomous defence for decentralised networks.

Authorship is visible on every advisory and research page. The company reads as institutional while the expertise accumulates around a clearly identifiable investigator.

Simon Morley
Simon Morley
Security researcher · decentralised networks
[07] · Incident submission

Something happened that does not fit the dashboard?

Send NullRabbit the artefacts. Real incident intake, not a sales-lead form. If there is nothing to explain it yet, it becomes an open question, not a padded page.

Packet captures
Crash traces
Validator incident timelines
Client versions & correlated downtime
Suspicious RPC or P2P traffic
Resource-consumption evidence
Never send private keys, seed phrases or any other secret material. NullRabbit does not need them and will not store them.
[08] · Doctrine
D1Decentralisation does not eliminate infrastructure failure.
D2Availability attacks are economic attacks.
D3The mechanism matters more than the chain.
D4Monitoring the consequence is not the same as identifying the cause.
D5Autonomous defence must earn authority.