I'm trying to write a small akash client. While discerning part of the protocol, I posted the three-post https://lists.cpunks.org/pipermail/cypherpunks/2023-July/115544.html which describes a potential vulnerability where a mitm can fake servers. I have not tested it, and am using a compromised system that often indicates mutated web content. I opened an issue for it. Curiously, I also looked up certs the other way around -- server validating client. I don't see this being done either, but have looked at it less in depth. This second option would be very serious as any old person could log into anybody's server, and hence it's pretty unlikely that I'm seeing it correctly, and one could infer from that the first vulnerability may be nonexistent too. But it's possible they're there! The usual way to check a vulnerability is to try to exploit it. It's very hard for me to spend time pursuing tasks, so I have not done this at this time.