Skip to content

Security: 0xdungki/arc-yield-agent

Security

SECURITY.md

Security Policy

Supported versions

The main branch tracks the current Arc Testnet deployment. Older commits are not security-supported.

Reporting a vulnerability

If you believe you have found a security issue, please do not open a public issue. Instead:

  1. Open a private vulnerability report on this repository, or
  2. Email the maintainer at 0xdungki@protonmail.com with the subject arc-yield-agent: security.

Include:

  • A clear description of the issue and the affected files / contracts.
  • Reproduction steps (a short Hardhat or cast script is ideal).
  • Impact assessment: what an attacker can do, who is at risk.
  • Any proposed mitigation, if you have one.

Scope

In scope:

  • Solidity contracts in contracts/
  • Agent logic in scripts/agent.js
  • Web frontend in web/ (XSS, wallet handling, signature flows)

Out of scope:

  • The Arc Testnet network itself.
  • Issues that require a malicious local Hardhat node or compromised user wallet.
  • Vulnerabilities in third-party dependencies that already have an upstream advisory; please report those upstream.

Disclosure timeline

  • We will acknowledge a report within 7 days.
  • We aim to ship a fix or mitigation within 30 days for critical / high severity issues.
  • Once a fix lands, we coordinate a public advisory and credit the reporter (with consent).

Safe harbor

Good-faith research on this repository's testnet contracts and reference code is welcome. Do not test against contracts deployed by anyone else without their explicit permission.

There aren't any published security advisories