Do NOT open a public GitHub issue for security vulnerabilities.

Instead, please email the maintainers directly at security@agentfi.io (or the email listed in package.json). We aim to acknowledge reports within 48 hours and provide a fix or mitigation plan within 7 days.

• Description of the vulnerability
• Steps to reproduce
• Affected component (backend, contracts, admin, MCP server)
• Potential impact assessment
• Suggested fix (if any)

1. You report the vulnerability privately.
2. We acknowledge receipt within 48 hours.
3. We investigate and develop a fix.
4. We release the fix and credit you (unless you prefer anonymity).
5. We publish a security advisory after the fix is deployed.

The following are in scope for security reports:

• Smart contracts (packages/contracts/)
• Backend API (packages/backend/)
• Admin dashboard (packages/admin/)
• MCP server (packages/mcp-server/)
• CI/CD pipeline and deployment configurations

• Issues in third-party dependencies (report to the upstream project)
• Social engineering attacks
• Denial of service attacks against test/staging environments

• All API keys are hashed with SHA-256 before storage
• Transaction simulation via Tenderly before on-chain execution
• On-chain policy enforcement via AgentPolicyModule (Safe module)
• MPC wallet infrastructure via Turnkey (no raw private keys)
• Rate limiting on all API endpoints
• Input validation via Zod on all routes