January 2026 Release Notes
Updated: January 13, 2026
This release adds Solana wallet authentication, cursor-based pagination for the API, Economic Security Analysis, CI/CD Quality Gates, and completes Phase 3.1b Extended Authentication Providers.
Economic Security Analysis (Phase 5.5a)
New Economic Security Analysis panel detects and categorizes DeFi-specific vulnerabilities.
Features
- Flash Loan Attack Detection: Identifies flash loan vulnerabilities
- MEV Exploitation Detection: Detects sandwich attacks, frontrunning, backrunning
- Oracle Manipulation: Finds price oracle and data manipulation risks
- DeFi Protocol Risks: Identifies liquidity pool and AMM vulnerabilities
Economic Risk Score
Each scan includes an economic risk score (0-100) calculated from:
- Severity weights (Critical: 40, High: 25, Medium: 10, Low: 3)
- Category multipliers (Flash Loan: 1.3x, DeFi: 1.2x, MEV: 1.0x)
- Capped at 100
AI-Powered Explanations
Paid tier users can request AI explanations for economic vulnerabilities:
| Tier | Monthly AI Explanations |
|---|---|
| Free | 0 (not available) |
| Developer | 10 |
| Startup | 100 |
| Professional | 500 |
| Enterprise | Unlimited |
API Endpoints
| Endpoint | Description |
|---|---|
| GET /scans/{id}/economic-analysis | Economic security summary |
| GET /scans/{id}/economic-analysis/explain | AI explanation (tier-gated) |
| GET /contracts/{id}/economic-findings | Contract economic findings |
| GET /projects/{id}/economic-risk | Project economic risk |
CI/CD Quality Gates (Phase 5.5c)
New Quality Gates feature enables CI/CD pipeline integration with configurable security thresholds.
Features
- Project-level Configuration: Set thresholds in the dashboard
- Blocking Rules: Block on any critical or high vulnerability
- Threshold Rules: Set maximum counts per severity level
- Build Status Badges: Embed security status in README files
- Evaluation History: Track quality gate results over time
- CI Context Tracking: Store branch, commit, PR info with evaluations
Quality Gate Configuration
| Setting | Description | Default |
|---|---|---|
| Block on Critical | Fail if ANY critical | Enabled |
| Block on High | Fail if ANY high | Disabled |
| Max Critical | Max allowed (0 = none) | 0 |
| Max High | Max allowed (-1 = unlimited) | -1 |
| Max Medium | Max allowed (-1 = unlimited) | -1 |
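An added illustration (not BlockSecOps code) of how the settings above combine: a Python evaluator that applies the blocking rules and then the per-severity thresholds to a scan's severity counts. The `counts` dict shape and the violation message strings are assumptions; the defaults are the ones in the table.

```python
from dataclasses import dataclass, field

# Defaults from the Quality Gate Configuration table above.
DEFAULT_GATE = {
    "block_on_critical": True,
    "block_on_high": False,
    "max_critical": 0,    # 0 = none allowed
    "max_high": -1,       # -1 = unlimited
    "max_medium": -1,
    "max_low": -1,
}

@dataclass
class Evaluation:
    passed: bool
    status: str           # "passing" or "failing", as stored in quality_gate_evaluations
    violations: list = field(default_factory=list)

def evaluate_gate(gate: dict, counts: dict) -> Evaluation:
    """Apply blocking rules first, then threshold rules; any violation fails the gate."""
    cfg = {**DEFAULT_GATE, **gate}
    violations = []
    # Blocking rules: a single finding of that severity fails the build.
    for sev in ("critical", "high"):
        if cfg[f"block_on_{sev}"] and counts.get(sev, 0) > 0:
            violations.append(f"block_on_{sev}: {counts[sev]} {sev} finding(s) present")
    # Threshold rules: -1 means unlimited, otherwise the count must not exceed the max.
    for sev in ("critical", "high", "medium", "low"):
        limit = cfg[f"max_{sev}"]
        if limit >= 0 and counts.get(sev, 0) > limit:
            violations.append(f"max_{sev}: {counts.get(sev, 0)} > {limit}")
    passed = not violations
    return Evaluation(passed, "passing" if passed else "failing", violations)

if __name__ == "__main__":
    # Constructed scan result: 0 critical, 2 high, 7 medium, 11 low.
    sample = {"critical": 0, "high": 2, "medium": 7, "low": 11}
    print(evaluate_gate({}, sample))                # passes with the defaults
    print(evaluate_gate({"max_high": 1}, sample))   # fails: 2 high > max_high 1
```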
API Endpoints
| Endpoint | Description |
|---|---|
| GET /quality-gates/projects/{id} | Get configuration |
| PUT /quality-gates/projects/{id} | Configure gate |
| POST /quality-gates/projects/{id}/evaluate | Evaluate scan |
| GET /quality-gates/projects/{id}/build-status | Build status |
| GET /quality-gates/projects/{id}/badge.svg | SVG badge (public) |
| GET /quality-gates/projects/{id}/history | Evaluation history |
README Badge
Add a security status badge to your README:
[](https://app.blocksecops.com/projects/PROJECT_ID)
Tier Requirement
Quality Gates require Developer tier or higher.
Cursor-Based Pagination
The API now supports cursor-based pagination for efficient navigation of large datasets.
Benefits
- Stable Results: Items won't shift between pages when new data is added
- Efficient: Uses keyset pagination with composite indexes
- Large Datasets: Optimized for 1000+ items
- Backward Compatible: Existing skip/limit parameters still work
New Query Parameters
| Parameter | Type | Description |
|---|---|---|
| first | int (1-1000) | Items to return (forward pagination) |
| after | string | Cursor to paginate after |
| last | int (1-1000) | Items to return (backward pagination) |
| before | string | Cursor to paginate before |
| include_total | bool | Include total count (optional, slower) |
New Response Format
```json
{
  "vulnerabilities": [...],
  "page_info": {
    "has_next_page": true,
    "has_previous_page": false,
    "start_cursor": "eyJ2IjoxLC...",
    "end_cursor": "eyJ2IjoxLC...",
    "total_count": null
  }
}
```
Supported Endpoints
- GET /api/v1/vulnerabilities - Full support
- GET /api/v1/scans - Index ready
- GET /api/v1/audit-logs - Index ready
Example Usage
```bash
# First page (20 items)
curl "https://api.blocksecops.com/api/v1/vulnerabilities?first=20" \
  -H "Authorization: Bearer YOUR_API_KEY"

# Next page using cursor
curl "https://api.blocksecops.com/api/v1/vulnerabilities?first=20&after=eyJ2IjoxLC..." \
  -H "Authorization: Bearer YOUR_API_KEY"
```
See Pagination Documentation for complete details.
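An added example (not BlockSecOps code) of the keyset pagination the section describes, run against an in-memory SQLite table carrying the `(detected_at DESC, id DESC)` composite index from Migration 029. The cursor payload `{"v":1,"t":...,"id":...}` is an assumption; only its `eyJ2IjoxLC` prefix (base64 of `{"v":1,`) is taken from the documented response, and `has_previous_page` is approximated as "a cursor was followed".

```python
import base64, json, sqlite3

def encode_cursor(detected_at, row_id):
    """Opaque cursor: base64url of the keyset values (payload shape assumed)."""
    raw = json.dumps({"v": 1, "t": detected_at, "id": row_id}, separators=(",", ":"))
    return base64.urlsafe_b64encode(raw.encode()).decode().rstrip("=")

def decode_cursor(cursor):
    obj = json.loads(base64.urlsafe_b64decode(cursor + "=" * (-len(cursor) % 4)))
    if obj.get("v") != 1:
        raise ValueError("unsupported cursor version")
    return obj["t"], obj["id"]

def page_forward(conn, first, after=None):
    """Return up to `first` rows newest-first plus page_info; one extra row is
    fetched to learn whether a next page exists without counting the table."""
    first = max(1, min(first, 1000))          # documented 1-1000 bound
    sql, params = "SELECT id, detected_at FROM vulnerabilities", []
    if after:
        ts, rid = decode_cursor(after)
        # Row-value comparison matches the (detected_at DESC, id DESC) index order.
        sql += " WHERE (detected_at, id) < (?, ?)"
        params = [ts, rid]
    sql += " ORDER BY detected_at DESC, id DESC LIMIT ?"
    rows = conn.execute(sql, params + [first + 1]).fetchall()
    items = rows[:first]
    return {
        "vulnerabilities": [{"id": i, "detected_at": t} for i, t in items],
        "page_info": {
            "has_next_page": len(rows) > first,
            "has_previous_page": after is not None,   # true once a cursor was followed
            "start_cursor": encode_cursor(items[0][1], items[0][0]) if items else None,
            "end_cursor": encode_cursor(items[-1][1], items[-1][0]) if items else None,
            "total_count": None,                  # only computed when include_total=true
        },
    }

def build_sample_db():
    """In-memory table with the documented composite index and constructed rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE vulnerabilities (id INTEGER PRIMARY KEY, detected_at TEXT)")
    conn.execute("CREATE INDEX ix_vulnerabilities_detected_at_id_cursor"
                 " ON vulnerabilities (detected_at DESC, id DESC)")
    conn.executemany("INSERT INTO vulnerabilities VALUES (?, ?)", [
        (1, "2026-01-10T09:00:00Z"), (2, "2026-01-11T09:00:00Z"),
        (3, "2026-01-11T09:00:00Z"),  # same timestamp as id 2: id breaks the tie
        (4, "2026-01-12T09:00:00Z"), (5, "2026-01-13T09:00:00Z")])
    return conn
```

Because the cursor is the last row's own key, a row inserted with a newer `detected_at` after page 1 was served never shifts the rows on page 2, which is the "stable results" property listed above.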
Solana Wallet Authentication
Connect your Solana wallet to sign in to BlockSecOps without a password.
Supported Wallets
- Phantom - Most popular Solana wallet
- Solflare - Full-featured Solana wallet
- Backpack - Multi-chain wallet (xNFT)
- Ledger - Hardware wallet support via adapter
- Torus - Social login wallet
How It Works
- Click Connect Solana on the login page
- Select your wallet from the modal
- Sign the authentication message (no transaction required)
- You're logged in!
Technical Details
- Signature: Ed25519 (Solana native)
- Address Format: Base58 encoded (44 characters)
- Nonce Expiration: 5 minutes
- No SOL Required: Signing is free
API Endpoints
New endpoints for Solana authentication:
| Endpoint | Method | Description |
|---|---|---|
| /api/v1/auth/wallet/solana/nonce | POST | Request authentication nonce |
| /api/v1/auth/wallet/solana/verify | POST | Verify signature and authenticate |
| /api/v1/auth/wallet/solana/link | POST | Link Solana wallet to existing account |
| /api/v1/auth/wallet/solana/unlink | POST | Unlink Solana wallet |
| /api/v1/auth/wallet/solana/status | GET | Check wallet link status |
| /api/v1/auth/wallet/solana/lookup/{address} | GET | Look up user by wallet address |
Unified Wallet Authentication (Supabase)
Wallet authentication now uses Supabase Admin API for unified session management.
What Changed
- Backend: Wallet auth generates Supabase sessions (not custom JWTs)
- Frontend: Uses supabase.auth.setSession() instead of localStorage
- Sessions: All auth methods now share the same session format
Benefits
- Unified Sessions: OAuth, email, and wallet auth all use Supabase sessions
- Middleware Compatible: Wallet users can access all protected endpoints
- Auto Token Refresh: Supabase client handles token refresh automatically
- Consistent UX: Same session behavior regardless of auth method
Configuration Required
Add SUPABASE_SERVICE_KEY to your .env file:
```
SUPABASE_SERVICE_KEY=your-service-role-key
```
Get this from Supabase Dashboard > Settings > API > service_role key.
Extended OAuth Providers (UI Complete)
The following OAuth providers have UI buttons ready:
| Provider | Status | Notes |
|---|---|---|
| Discord | UI Ready | Needs Supabase configuration |
| Slack | UI Ready | Needs Supabase configuration |
| BitBucket | UI Ready | Needs Supabase configuration |
| X (Twitter) | UI Ready | Needs Supabase configuration |
These providers will be activated once configured in Supabase Dashboard.
Note: Apple OAuth was removed (requires $99/year Apple Developer Account).
Dashboard UI Updates
Quality Gates Integration
The Quality Gates panel is now integrated into the Project Detail page:
- Location: Project Detail > Quality Gates section (below Access Control)
- Tier Gate: Available for Developer tier and above
- Features:
- Configure blocking rules for CI/CD pipelines
- Set severity thresholds
- View evaluation history
- Generate README badges
Contracts Search
New search functionality added to the Contracts page (/contracts):
- Search by name: Filter contracts by contract name
- Search by address: Filter contracts by wallet/contract address
- Real-time filtering: Results update as you type
- Clear button: Quick reset of search query
Advanced Search Rename
The Search page has been renamed for clarity:
| Previous | Current |
|---|---|
| /search | /advanced-search |
| Sidebar: "Search" | Sidebar: "Advanced Search" |
Note: All saved searches continue to work with the new URL.
Contract Links in Search Results
Search results now include clickable contract navigation:
- Click to navigate: Clicking a contract result navigates to /contracts/{id}
- Visual indicator: Arrow icon shows clickable items
- Hover state: Visual feedback on hover
Security Headers via Traefik Middleware (v0.30.4)
Security headers including Content Security Policy (CSP) are now delivered via Traefik HTTP headers instead of HTML meta tags:
Benefits:
- Server-enforced: Headers cannot be bypassed or modified client-side
- Full CSP support: The frame-ancestors directive only works via HTTP headers
- Environment flexibility: No rebuild needed when CSP domains change
- Production-ready: Follows OWASP security header best practices
Security Headers Delivered:
| Header | Value |
|---|---|
| Content-Security-Policy | Full CSP with connect-src for Supabase, wallets |
| X-Frame-Options | DENY |
| X-Content-Type-Options | nosniff |
| X-XSS-Protection | 1; mode=block |
| Referrer-Policy | strict-origin-when-cross-origin |
| Permissions-Policy | camera=(), microphone=(), geolocation=(), payment=(self) |
Files Changed:
- Added: k8s/overlays/local/middleware-security-headers.yaml
- Updated: k8s/overlays/local/ingressroute.yaml (middleware reference)
- Updated: k8s/overlays/local/kustomization.yaml (resource + version)
- Removed: CSP meta tags from index.html
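An added example (not the repository's own middleware-security-headers.yaml) of a Traefik headers Middleware that emits the table above, plus the IngressRoute reference that attaches it. The namespace, service name and the Content-Security-Policy value are placeholders, since the page lists the CSP only as "full CSP with connect-src for Supabase, wallets".

```yaml
apiVersion: traefik.io/v1alpha1
kind: Middleware
metadata:
  name: security-headers
  namespace: blocksecops                 # assumed namespace
spec:
  headers:
    # Placeholder: the real policy allows connect-src to Supabase and wallet endpoints.
    contentSecurityPolicy: "default-src 'self'; connect-src 'self' https://YOUR_PROJECT.supabase.co wss://YOUR_PROJECT.supabase.co; frame-ancestors 'none'"
    frameDeny: true                      # X-Frame-Options: DENY
    contentTypeNosniff: true             # X-Content-Type-Options: nosniff
    browserXssFilter: true               # X-XSS-Protection: 1; mode=block
    referrerPolicy: "strict-origin-when-cross-origin"
    permissionsPolicy: "camera=(), microphone=(), geolocation=(), payment=(self)"
---
# The IngressRoute only needs to reference the middleware by name.
apiVersion: traefik.io/v1alpha1
kind: IngressRoute
metadata:
  name: dashboard
  namespace: blocksecops
spec:
  entryPoints: [websecure]
  routes:
    - match: Host(`app.blocksecops.com`)
      kind: Rule
      middlewares:
        - name: security-headers
      services:
        - name: dashboard                # assumed service name
          port: 80
```

A quick check after deploying is `curl -sI https://app.blocksecops.com | grep -iE 'content-security|x-frame|permissions-policy'`; a header missing from that output means the route is not passing through the middleware.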
Upgrade Banner (v0.30.1)
New global upgrade banner promotes tier upgrades across the dashboard:
- Global Display: Shows on all authenticated pages below the header
- Personalized: Promotes the next tier up from user's current subscription
- Feature Highlights: Shows 3 key features of the target tier
- Dismissible: Can be dismissed for 7 days
- Enterprise Hidden: Never shown to Enterprise users
Tier-Specific Highlights:
| Current Tier | Target Tier | Highlighted Features |
|---|---|---|
| Free | Developer | Quality Gates, CI/CD, Priority Support |
| Developer | Startup | Team Collaboration, AI Explanations, Analytics |
| Startup | Professional | 500 AI Explanations, Custom Integrations |
| Professional | Enterprise | Unlimited AI, SSO/SAML, Custom SLAs |
TierGate Preview Mode (v0.30.0)
New "preview" mode for tier-gated features creates upsell opportunities:
- Visual Preview: Shows greyed-out content with overlay instead of hiding
- Upgrade Badge: Purple "Upgrade to {tier}" badge links to pricing
- Interactive Demo: Users see what they're missing before upgrading
- Currently Used On:
- QualityGatePanel (Developer tier, preview mode)
- ProjectAccessPanel (Enterprise tier, preview mode)
```tsx
// Example usage
<TierGate requiredTier="developer" mode="preview" featureName="Quality Gates">
  <QualityGatePanel projectId={id} />
</TierGate>
```
Version Updates
| Component | Previous | Current |
|---|---|---|
| Dashboard | 0.27.0 | 0.30.4 |
| API Service | 0.9.0 | 0.10.2 |
Database Changes
Migration 032: Quality Gates (Phase 5.5c)
New tables for CI/CD Quality Gates:
quality_gates table:
| Column | Type | Description |
|---|---|---|
| id | UUID | Primary key |
| project_id | UUID | Project reference |
| organization_id | UUID | Organization reference |
| name | VARCHAR(255) | Gate name |
| block_on_critical | BOOLEAN | Block on any critical |
| block_on_high | BOOLEAN | Block on any high |
| max_critical | INTEGER | Max critical threshold |
| max_high | INTEGER | Max high threshold |
| max_medium | INTEGER | Max medium threshold |
| max_low | INTEGER | Max low threshold |
| is_active | BOOLEAN | Gate active status |
| created_by | UUID | Creator user |
| created_at | TIMESTAMPTZ | Creation timestamp |
| updated_at | TIMESTAMPTZ | Update timestamp |
quality_gate_evaluations table:
| Column | Type | Description |
|---|---|---|
| id | UUID | Primary key |
| quality_gate_id | UUID | Gate reference |
| scan_id | UUID | Scan evaluated |
| project_id | UUID | Project reference |
| status | VARCHAR(20) | passing/failing/pending |
| passed | BOOLEAN | Pass result |
| critical_count | INTEGER | Critical count |
| high_count | INTEGER | High count |
| medium_count | INTEGER | Medium count |
| low_count | INTEGER | Low count |
| violations | JSONB | Violation details |
| triggered_by | VARCHAR(50) | Trigger source |
| ci_context | JSONB | CI/CD context |
| evaluated_at | TIMESTAMPTZ | Evaluation timestamp |
Migration 029: Cursor Pagination Indexes
New composite indexes for efficient cursor-based pagination:
| Index | Table | Columns |
|---|---|---|
| ix_vulnerabilities_detected_at_id_cursor | vulnerabilities | (detected_at DESC, id DESC) |
| ix_scans_created_at_id_cursor | scans | (created_at DESC, id DESC) |
| ix_audit_logs_created_at_id_cursor | audit_logs | (created_at DESC, id DESC) |
Migration 028: Solana Wallet Authentication
New columns added to users table:
| Column | Type | Description |
|---|---|---|
| solana_wallet_address | VARCHAR(44) | Solana wallet address (base58) |
| solana_wallet_nonce | VARCHAR(64) | Nonce for signature verification |
| solana_wallet_linked_at | TIMESTAMPTZ | When wallet was linked |
New index: ix_users_solana_wallet_address (UNIQUE)
Dependencies Added
Frontend (Dashboard)
```json
{
  "@solana/wallet-adapter-base": "^0.9.23",
  "@solana/wallet-adapter-react": "^0.15.35",
  "@solana/wallet-adapter-react-ui": "^0.9.35",
  "@solana/wallet-adapter-wallets": "^0.19.32",
  "@solana/web3.js": "^1.95.8"
}
```
Backend (API Service)
```text
pynacl>=1.5.0,<2.0.0   # Ed25519 signature verification
base58>=2.1.0,<3.0.0   # Base58 encoding
```
Documentation Updates
- Updated Creating an Account with Solana option
- Updated Connecting Wallet with Solana instructions
- Updated Authentication Architecture
- Updated Database Schema with Solana fields
- Updated Migrations with Migration 028
Known Issues
- WalletConnect Project ID required for Ethereum WalletConnect (user must register at cloud.walletconnect.com)
- OAuth providers (Discord, Slack, BitBucket, X) require manual Supabase configuration
- SUPABASE_SERVICE_KEY required in .env for wallet authentication
What's Next
Coming in future releases:
- OAuth provider activation (pending Supabase configuration)
- Multi-wallet support (link multiple wallets to one account)
- Solana program scanning improvements