The main branch tracks the current Arc Testnet deployment. Older commits are not security-supported.
If you believe you have found a security issue, please do not open a public issue. Instead:
- Open a private vulnerability report on this repository, or
- Email the maintainer at
0xdungki@protonmail.comwith the subjectarc-yield-agent: security.
Include:
- A clear description of the issue and the affected files / contracts.
- Reproduction steps (a short Hardhat or
castscript is ideal). - Impact assessment: what an attacker can do, who is at risk.
- Any proposed mitigation, if you have one.
In scope:
- Solidity contracts in
contracts/ - Agent logic in
scripts/agent.js - Web frontend in
web/(XSS, wallet handling, signature flows)
Out of scope:
- The Arc Testnet network itself.
- Issues that require a malicious local Hardhat node or compromised user wallet.
- Vulnerabilities in third-party dependencies that already have an upstream advisory; please report those upstream.
- We will acknowledge a report within 7 days.
- We aim to ship a fix or mitigation within 30 days for critical / high severity issues.
- Once a fix lands, we coordinate a public advisory and credit the reporter (with consent).
Good-faith research on this repository's testnet contracts and reference code is welcome. Do not test against contracts deployed by anyone else without their explicit permission.