If you believe you have found a security vulnerability in this repository — smart contracts, predictor, dashboard, or CI tooling — please do not open a public GitHub issue.
Use GitHub's private vulnerability reporting instead:
- Open the repository's Security tab.
- Click Report a vulnerability.
- Fill in the form. The report stays private between you and the maintainers until a fix is released.
This is the only supported reporting channel. Reports sent through other means (email, social media, public issues) may be missed or ignored.
Please include:
- A description of the vulnerability and the affected component.
- Steps to reproduce, or a proof-of-concept if available.
- The impact you believe an attacker could achieve.
- Any suggested remediation, if you have one.
We aim to acknowledge receipt within 3 working days and to provide an initial assessment within 10 working days. Critical issues affecting on-chain funds or user safety will be prioritised over everything else.
This project follows a coordinated disclosure model:
- We will work with you to confirm, reproduce, and triage the issue.
- We ask that you do not publicly disclose details until a fix is released or a mutually agreed timeline has elapsed (default: 90 days from initial report).
- We will credit you in the release notes for the fix unless you request otherwise.
| Area | In scope | Notes |
|---|---|---|
contracts/ |
Yes | Solidity sources, deploy scripts, foundry tests. See contracts/docs/SECURITY.md for the on-chain threat model. |
predictor/ |
Yes | Python code that fetches market and weather data, generates predictions, posts to Discord. |
dashboard/ |
Yes | Read-only Next.js dashboard (no wallet, no signing). |
.github/ |
Yes | Workflows, CI scripts, Dependabot config. Script injection issues are explicitly in scope. |
| Third-party services | No | Open-Meteo, Kalshi, Pinata, Vercel, Discord — report directly to the vendor. |
| Social engineering | No | Targeting the maintainer's accounts or contributors. |
- Findings that require an attacker to already control the maintainer's EOA, Pinata account, or GitHub account.
- Denial-of-service via legitimate quota exhaustion on free-tier APIs.
- Best-practice nits (e.g. "missing X header") without a concrete exploit path. Open a regular issue or a PR instead.
- Anything on
mainthat has not yet been deployed and is clearly a work in progress.
- Solidity static analysis via Slither in CI (
fail-on: medium). - Forge unit tests + fuzz (10 000 runs) + invariants on the contracts.
- GitHub Dependabot weekly updates on
pip,npm,github-actions. - CodeQL static analysis on Python and JavaScript/TypeScript.
.gitignorecovers all known secret files; rotation procedure documented indocs/SECURITY-rotation-procedure.mdwhen present.
Phase 1 contracts run on Arbitrum Sepolia testnet only. Mainnet deployment is gated on at least one community audit and the establishment of a multisig Safe with separate signers per role. Until then, no real value is at risk on-chain.