Legacy Core is early mainnet software. Treat RPC, wallet storage, private keys, seed material, backups, and release binaries as sensitive.
| Version | Status |
|---|---|
| v1.0.3 integration hardening | active development |
| v1.0.2 mainnet candidate | supported for current release assets |
| older versions | unsupported |
- RPC port `19556` must stay private/firewalled.
- P2P port `19555` may be public.
- Never expose wallet/RPC publicly.
- Back up wallet data before use, mining, imports, or upgrades.
- Never share wallet.dat, private keys, seed material, wallet backups, or RPC cookies.
- Verify SHA256 checksums before running release assets.
- Unsigned Windows builds may trigger SmartScreen.
- Seed operators should firewall RPC even when P2P is public.
- Exchanges should assume hot wallet compromise risk and keep reserves cold.
Cookie auth and rpcuser/rpcpassword auth are implemented. Public unauthenticated non-local RPC is refused. Operators should still keep RPC on localhost or a private network.
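
One way to check the RPC exposure rule on a node host, as an added example that is not part of the Legacy Core project: it reads listening-socket rows and reports every listener on RPC port 19556 that is not loopback-only, while ignoring P2P port 19555. It assumes the row layouts of Linux `ss -ltn` and Windows `netstat -an`; the sample rows and all function names are constructed for illustration.

```python
import ipaddress

RPC_PORT = 19556  # from the page: must stay private/firewalled
# RFC 1918 and IPv6 unique-local ranges count as "private network" here.
PRIVATE_NETS = [ipaddress.ip_network(n) for n in
                ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "fc00::/7")]

def local_endpoint(line):
    """Local addr:port of a listening socket from an `ss -ltn` or `netstat -an` row."""
    tok = line.split()
    if "LISTEN" in tok and len(tok) >= 4:     # ss: State Recv-Q Send-Q Local Peer
        return tok[3]
    if "LISTENING" in tok and len(tok) >= 2:  # netstat: Proto Local Foreign State
        return tok[1]
    return None

def scope(host):
    """Classify a bind address as 'loopback', 'private' or 'public'."""
    host = host.strip("[]").split("%")[0]     # drop IPv6 brackets and %iface
    if host in ("*", ""):
        return "public"                       # wildcard: every interface
    ip = ipaddress.ip_address(host)
    if ip.is_loopback:
        return "loopback"
    if any(ip.version == n.version and ip in n for n in PRIVATE_NETS):
        return "private"
    return "public"                           # includes 0.0.0.0 and ::

def audit(lines):
    """(bind address, scope) for every RPC listener that is not loopback-only."""
    findings = []
    for line in lines:
        host, _, port = (local_endpoint(line) or "").rpartition(":")
        if port == str(RPC_PORT) and scope(host) != "loopback":
            findings.append((host, scope(host)))
    return findings

# Constructed sample: `ss -ltn` rows plus one Windows `netstat -an` row.
SAMPLE = """\
State  Recv-Q Send-Q Local Address:Port Peer Address:Port
LISTEN 0      128    127.0.0.1:19556    0.0.0.0:*
LISTEN 0      128    0.0.0.0:19555      0.0.0.0:*
LISTEN 0      128    10.0.0.5:19556     0.0.0.0:*
  TCP    0.0.0.0:19556    0.0.0.0:0    LISTENING
""".splitlines()

if __name__ == "__main__":
    for host, where in audit(SAMPLE):
        print(f"RPC port {RPC_PORT} bound to {host} ({where})")
```

A `private` result still needs a firewall rule limiting which hosts can reach the port; a `public` result means the bind address itself should be changed.
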
Please report security issues privately to project maintainers before public disclosure. Include:
- affected version or commit
- operating system
- whether funds, consensus, RPC credentials, wallet keys, or node availability are affected
- reproduction steps
- logs with secrets removed
Do not include private keys, wallet backups, RPC cookies, passwords, or seed material in reports.
High-priority examples:
- consensus validation bypass
- wallet key exposure
- RPC authentication bypass
- remote crash or denial of service
- transaction validation flaw
- P2P issue that can force a bad chain state
- release package path/secret leak
Out of scope:
- public P2P port visibility by itself
- SmartScreen warnings for unsigned binaries
- reports requiring leaked user secrets
Run:
```powershell
.\legacycoind.exe params
.\scripts\verify-mainnet-identity.ps1 -Binary .\legacycoind.exe
```

```sh
./legacycoind params
pwsh ./scripts/verify-mainnet-identity.ps1 -Binary ./legacycoind
```

Expected production yespower backend:

```text
yespower backend: cgo-c-reference
```
v1.0.3 integration hardening must not change consensus, genesis, chain ID, message start, yespower params, DGW/difficulty rules, ports, address/WIF formats, wallet DB compatibility, reward/supply schedule, halving interval, coinbase maturity, transaction validation consensus rules, P2P identity, or mainnet identity.