Please do not open public GitHub issues for security vulnerabilities.
Instead:
- Gather the affected functions, state assumptions, and impact details.
- Contact the maintainers privately or use GitHub private vulnerability reporting if it is enabled for this repository.
- Give the maintainers time to validate and coordinate a fix before public disclosure.
Security reports are especially relevant for:
- authorization and signer requirements
- storage layout and upgrade assumptions
- buy and sell execution
- pricing or fee calculations
- event integrity and state consistency
- Do not share exploit details publicly before a fix exists.
- Include exact reproduction steps or a proof of concept when possible.
- Treat all contract correctness bugs as potentially high-impact until reviewed.