These smart contracts are unaudited. Use at your own risk.
While we strive for correctness and security, no formal security audit has been conducted. Users should perform their own due diligence before deploying or interacting with these contracts in production.
If you discover a security vulnerability, please report it responsibly through GitHub Security Advisories:
- Go to the Security tab of this repository
- Click "Report a vulnerability"
- Provide a detailed description of the issue
Please do NOT open a public issue for security vulnerabilities.
The following are in scope for security reports:
- Smart contract vulnerabilities (reentrancy, access control bypass, integer overflow, etc.)
- Access control issues in the validator or verifier modules
- Logic errors that could lead to unauthorized token minting or state manipulation
- Proxy upgrade vulnerabilities
The following are out of scope:
- Gas optimization suggestions
- UI/frontend issues
- Issues in third-party dependencies (OpenZeppelin, forge-std)
- Known limitations documented in the codebase
We aim to acknowledge security reports within 48 hours and provide a resolution timeline within 7 days.
For security matters only: use GitHub Security Advisories as described above.