zkVerify · drgora · Mar 18, 2026 · Mar 18, 2026 · Mar 19, 2026 · Mar 23, 2026
diff --git a/.cargo/audit.toml b/.cargo/audit.toml
@@ -3,7 +3,6 @@ ignore = [
 	# Coming from outdated libp2p and litep2p dependencies from which
 	# some Polkadot libraries are dependent on. They will be updated
 	# once we update Polkadot packages to latest version
-	"RUSTSEC-2024-0336",
 	"RUSTSEC-2024-0421",
 	"RUSTSEC-2025-0009",
 	"RUSTSEC-2024-0363", # Maybe we should fix the sqlx dependency in our frontier branch
@@ -34,6 +33,32 @@ ignore = [
 	# and in protocols/identify/src/behaviour.rs we can see that there isn't any mutable iterator used for
 	# `lru::LruCache`.
 	# We can conclude that the unsound code is never exercised.
+	"RUSTSEC-2026-0020", # wasmtime v8.0.1 via sc-executor-wasmtime (polkadot-sdk, cannot upgrade independently).
+	# https://rustsec.org/advisories/RUSTSEC-2026-0020 ->
+	# https://github.com/bytecodealliance/wasmtime/security/advisories/GHSA-852m-cvvp-9p4w
+	# "Wasmtime's implementations of WASIp1 and WASIp2 are affected by this vulnerability."
+	# We use wasmtime exclusively as a Wasm executor for Substrate PVF/runtime blobs via
+	# sc-executor-wasmtime. Neither wasmtime-wasi nor any WASI context is present in our
+	# dependency tree, so we are unaffected.
+	"RUSTSEC-2026-0021", # wasmtime v8.0.1 via sc-executor-wasmtime (polkadot-sdk, cannot upgrade independently).
+	# https://rustsec.org/advisories/RUSTSEC-2026-0021 ->
+	# https://github.com/bytecodealliance/wasmtime/security/advisories/GHSA-243v-98vx-264h
+	# "Specific to implementations using the wasi:http/types.fields resource in wasmtime-wasi-http."
+	# We do not use wasmtime-wasi-http (not present in Cargo.lock) — wasmtime is used only for
+	# Substrate PVF/runtime Wasm execution, so we are unaffected.
+	"RUSTSEC-2026-0049", # rustls-webpki v0.101.7 and v0.102.8 — transitive via libp2p-websocket/jsonrpsee (polkadot-sdk).
+	# https://rustsec.org/advisories/RUSTSEC-2026-0049 ->
+	# https://github.com/advisories/GHSA-pwjx-qhcg-rvj4
+	# Faulty CRL distribution point matching causes revocation checks to miss non-first
+	# distribution points. Only affects code that configures CRL revocation checking.
+	# We never configure CRL checking (no CRL/revocation usage anywhere in the codebase),
+	# so revocation status is never queried and the bug cannot be triggered.
+	# Fix requires rustls-webpki >=0.103.10; we are on 0.101.x/0.102.x pinned by polkadot-sdk.
+	"RUSTSEC-2026-0037", # quinn-proto v0.10.6 — stale lockfile entry (libp2p-quic -> quinn -> quinn-proto 0.10).
+	# https://rustsec.org/advisories/RUSTSEC-2026-0037
+	# Nothing in the workspace actually depends on this chain (`cargo tree` confirms it).
+	# It remains in Cargo.lock because Cargo resolves optional dependencies in the lockfile
+ # (libp2p's optional `quic` feature pulls it in). Cannot be updated: no patched 0.10.x exists.
 ]
 informational_warnings = ["unmaintained", "yanked"]
 

diff --git a/Cargo.lock b/Cargo.lock
diff --git a/runtime/vflow/Cargo.toml b/runtime/vflow/Cargo.toml
@@ -25,6 +25,7 @@ cfg-if = { workspace = true }
 
 # Substrate
 frame-benchmarking = {workspace = true, optional = true}
+frame-executive = {workspace = true}
 frame-support = {workspace = true}
 frame-system = {workspace = true}
 frame-system-benchmarking = {workspace = true, optional = true}
@@ -36,7 +37,6 @@ pallet-balances = {workspace = true, features = ["insecure_zero_ed"]}
 pallet-deployment-permissions = {workspace = true}
 pallet-message-queue = {workspace = true}
 pallet-multisig = {workspace = true}
-pallet-proxy = {workspace = true}
 pallet-session = {workspace = true}
 pallet-collator-selection = {workspace = true}
 pallet-sudo = {workspace = true}
@@ -129,6 +129,7 @@ std = [
 	"fp-rpc/std",
 	"fp-self-contained/std",
 	"frame-benchmarking?/std",
+	"frame-executive/std",
 	"frame-support/std",
 	"frame-system-benchmarking?/std",
 	"frame-system-rpc-runtime-api/std",
@@ -153,7 +154,6 @@ std = [
 	"pallet-evm/std",
 	"pallet-message-queue/std",
 	"pallet-multisig/std",
-	"pallet-proxy/std",
 	"pallet-session/std",
 	"pallet-sudo/std",
 	"pallet-timestamp/std",
@@ -209,7 +209,6 @@ runtime-benchmarks = [
 	"pallet-evm/runtime-benchmarks",
 	"pallet-message-queue/runtime-benchmarks",
 	"pallet-multisig/runtime-benchmarks",
-	"pallet-proxy/runtime-benchmarks",
 	"pallet-sudo/runtime-benchmarks",
 	"pallet-timestamp/runtime-benchmarks",
 	"pallet-transaction-payment/runtime-benchmarks",
@@ -232,6 +231,7 @@ try-runtime = [
 	"cumulus-pallet-xcm/try-runtime",
 	"cumulus-pallet-xcmp-queue/try-runtime",
 	"fp-self-contained/try-runtime",
+	"frame-executive/try-runtime",
 	"frame-support/try-runtime",
 	"frame-system/try-runtime",
 	"frame-try-runtime/try-runtime",
@@ -246,7 +246,6 @@ try-runtime = [
 	"pallet-evm/try-runtime",
 	"pallet-message-queue/try-runtime",
 	"pallet-multisig/try-runtime",
-	"pallet-proxy/try-runtime",
 	"pallet-session/try-runtime",
 	"pallet-sudo/try-runtime",
 	"pallet-timestamp/try-runtime",

diff --git a/runtime/vflow/src/benchmark.rs b/runtime/vflow/src/benchmark.rs
@@ -18,7 +18,6 @@ frame_benchmarking::define_benchmarks!(
     [frame_system_extensions, SystemExtensionsBench::<Runtime>]
     [cumulus_pallet_parachain_system, ParachainSystem]
     [pallet_timestamp, Timestamp]
-    [pallet_proxy, Proxy]
     [pallet_utility, Utility]
     [pallet_multisig, Multisig]
     [pallet_transaction_payment, TransactionPayment]

diff --git a/runtime/vflow/src/configs/ethereum_xcm.rs b/runtime/vflow/src/configs/ethereum_xcm.rs
@@ -15,28 +15,13 @@
 
 //! In this module, we provide the configurations for the ethereum-xcm pallet.
 
-use crate::{
-    configs::system::{ProxyType, ReservedXcmpWeight},
-    AccountId, BlockNumber, Runtime, RuntimeEvent,
-};
-use frame_support::ensure;
+use crate::{configs::system::ReservedXcmpWeight, AccountId, Runtime, RuntimeEvent};
 use frame_system::EnsureRoot;
-use sp_runtime::traits::Zero;
 
 pub struct EthereumXcmEnsureProxy;
 impl xcm_primitives::EnsureProxy<AccountId> for EthereumXcmEnsureProxy {
-    fn ensure_ok(delegator: AccountId, delegatee: AccountId) -> Result<(), &'static str> {
-        // The EVM implicitly contains an Any proxy, so we only allow for "Any" proxies
-        let def: pallet_proxy::ProxyDefinition<AccountId, ProxyType, BlockNumber> =
-            pallet_proxy::Pallet::<Runtime>::find_proxy(
-                &delegator,
-                &delegatee,
-                Some(ProxyType::Any),
-            )
-            .map_err(|_| "proxy error: expected `ProxyType::Any`")?;
-        // We only allow to use it for delay zero proxies, as the call will immediatly be executed
-        ensure!(def.delay.is_zero(), "proxy delay is Non-zero`");
-        Ok(())
+    fn ensure_ok(_delegator: AccountId, _delegatee: AccountId) -> Result<(), &'static str> {
+        Err("proxy pallet removed")
     }
 }