
Security: Opwabtc/OPWABTC

SECURITY.md

Security Policy

Supported Versions

Version            Supported
1.0.x (Testnet)    ✅ Active

OPWA is currently on OPNet Testnet only. No real assets are at risk.


Reporting a Vulnerability

OPWA handles Bitcoin transactions. We take security seriously.

Please DO NOT open public GitHub issues for security vulnerabilities.

Report privately to: security@opwa.btc

Include in your report:

  • Clear description of the vulnerability
  • Steps to reproduce
  • Potential impact (contracts affected, funds at risk, etc.)
  • Suggested fix (if any)

We will acknowledge within 48 hours and provide a resolution timeline.


What NOT to Commit

Never commit any of the following to this repository:

  • Wallet mnemonics or seed phrases (12/24 word phrases)
  • Private keys (hex strings, WIF format)
  • .env files with real values
  • mnemonic.txt or any plaintext key file
  • API keys or service secrets

If you accidentally commit sensitive data, treat it as immediately compromised:

  1. Generate a new wallet/key at once
  2. Transfer any funds to the new wallet
  3. Remove the secret from git history (git filter-branch or BFG Repo Cleaner)
  4. Force-push and notify the team
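The list above is the kind of thing a pre-commit hook can enforce before a secret ever reaches history. The following is an added example, not tooling from the OPWA repository: a small Node.js scanner that blocks the forbidden file names (.env with real values, mnemonic.txt) and flags WIF-format and 64-hex private keys plus a coarse seed-phrase heuristic. The file set, the regexes and the .env.example allow-list are assumptions made for this illustration; a production hook would also check candidate words against the BIP39 word list rather than word shape alone.

```javascript
'use strict';
// Added example (not the OPWA project's own hook): scan staged files for the
// secret types the policy forbids. All patterns below are illustrative heuristics.

// File names that must never be committed. .env.example is allowed (assumption:
// it holds placeholders only), everything else matching .env* is blocked.
const BLOCKED_FILE_PATTERNS = [/(^|\/)\.env(\..+)?$/, /(^|\/)mnemonic\.txt$/];
const ALLOWED_FILE_PATTERNS = [/(^|\/)\.env\.example$/];

// Content patterns. WIF keys are Base58 (no 0, O, I, l), 51-52 chars, and start
// with 5/K/L (mainnet) or 9/c (testnet). A 64-hex string may also be a txid or a
// hash, so that hit is a prompt for review, not proof of a leak.
const CONTENT_PATTERNS = [
  { kind: 'wif-private-key', re: /\b[5KL9c][1-9A-HJ-NP-Za-km-z]{50,51}\b/g },
  { kind: 'hex-private-key', re: /\b[0-9a-fA-F]{64}\b/g },
  // 12 to 24 lowercase words of 3-8 letters on one line: shaped like a BIP39 phrase.
  { kind: 'possible-mnemonic', re: /\b(?:[a-z]{3,8} ){11,23}[a-z]{3,8}\b/g },
];

function isBlockedPath(path) {
  if (ALLOWED_FILE_PATTERNS.some((re) => re.test(path))) return false;
  return BLOCKED_FILE_PATTERNS.some((re) => re.test(path));
}

// Return every pattern hit in a file body, with the match redacted to a prefix.
function scanContent(text) {
  const findings = [];
  text.split('\n').forEach((line, i) => {
    for (const { kind, re } of CONTENT_PATTERNS) {
      re.lastIndex = 0; // shared /g regex: restart the scan on every line
      let m;
      while ((m = re.exec(line)) !== null) {
        findings.push({ line: i + 1, kind, sample: m[0].slice(0, 6) + '...' });
      }
    }
  });
  return findings;
}

// Hook entry point: files is [{ path, content }] as read from the git index.
function checkStagedFiles(files) {
  const problems = [];
  for (const f of files) {
    if (isBlockedPath(f.path)) problems.push({ path: f.path, reason: 'forbidden file name' });
    for (const hit of scanContent(f.content)) {
      problems.push({ path: f.path, reason: `${hit.kind} at line ${hit.line}` });
    }
  }
  return { ok: problems.length === 0, problems };
}

// Constructed sample commit. The key-like strings are synthetic filler that only
// match the regex shapes; none is a real key or phrase in use.
const SAMPLE_FILES = [
  { path: 'src/index.ts', content: 'export const NETWORK = "testnet";\n' },
  { path: '.env.example', content: 'PRIVATE_KEY=replace-me\n' },
  { path: '.env', content: 'PRIVATE_KEY=' + 'deadbeef'.repeat(8) + '\n' },
  { path: 'scripts/deploy.ts', content: 'const wif = "cV' + 'x'.repeat(50) + '";\n' },
  { path: 'notes/mnemonic.txt',
    content: 'abandon ability able about above absent absorb abstract absurd abuse access accident\n' },
];

const verdict = checkStagedFiles(SAMPLE_FILES);
for (const p of verdict.problems) console.log(`BLOCK ${p.path}: ${p.reason}`);
console.log(verdict.ok ? 'commit allowed' : `commit rejected (${verdict.problems.length} problems)`);
```

Wired into .git/hooks/pre-commit, the script would read the staged file list from git and exit non-zero when the verdict is not ok; the hook is a guard rail, so a flagged 64-hex value that turns out to be a txid is simply reviewed and allowed through.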

Smart Contract Security

All contracts (AssemblyScript → WASM on OPNet) must pass the following checks before deployment:

  • WASM export validation — must include execute and onDeploy
  • btc-runtime patch verification — schnorr stub + hrp patches applied
  • One full block confirmation (~4-5 min) before btc_getCode verification

See AGENTS.md §8 for mandatory pre-deploy validation commands.
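The first check, WASM export validation, can be done on the compiled binary without instantiating it. The script below is an added example, not the validation command from AGENTS.md: it compiles the bytes with the WebAssembly API and compares the function exports against the required names. The tiny module builder is only there so the example runs offline on constructed input; with a real build you would pass the path of the .wasm produced by the AssemblyScript compiler.

```javascript
'use strict';
// Added example (not the OPWA project's own script): verify that a contract
// .wasm exports the entry points the policy requires.

const REQUIRED_EXPORTS = ['execute', 'onDeploy'];

// Unsigned LEB128, the integer encoding WASM uses for counts and sizes.
function uleb128(n) {
  const out = [];
  do {
    let byte = n & 0x7f;
    n >>>= 7;
    if (n !== 0) byte |= 0x80;
    out.push(byte);
  } while (n !== 0);
  return out;
}

function section(id, body) {
  return [id, ...uleb128(body.length), ...body];
}

// Build a minimal valid module with one no-op function per export name.
// Exists only so this example has input to validate; a real check reads a built file.
function buildMinimalWasm(exportNames) {
  const n = exportNames.length;
  const typeSec = section(1, [1, 0x60, 0, 0]);                           // one type: () -> ()
  const funcSec = section(3, [...uleb128(n), ...new Array(n).fill(0)]);   // n functions of type 0
  const exportBody = [...uleb128(n)];
  exportNames.forEach((name, i) => {
    const bytes = [...new TextEncoder().encode(name)];
    exportBody.push(...uleb128(bytes.length), ...bytes, 0x00, ...uleb128(i)); // kind 0 = function
  });
  const exportSec = section(7, exportBody);
  const codeBody = [...uleb128(n)];
  for (let i = 0; i < n; i++) codeBody.push(2, 0x00, 0x0b);              // size 2: no locals, end
  const codeSec = section(10, codeBody);
  return new Uint8Array([0x00, 0x61, 0x73, 0x6d, 1, 0, 0, 0,             // magic + version 1
    ...typeSec, ...funcSec, ...exportSec, ...codeSec]);
}

// Compile only (no instantiation, so no imports or memory are needed) and
// report which required function exports are missing.
function validateWasmExports(bytes, required = REQUIRED_EXPORTS) {
  let mod;
  try {
    mod = new WebAssembly.Module(bytes);
  } catch (e) {
    return { ok: false, missing: required.slice(), exported: [], error: `invalid wasm: ${e.message}` };
  }
  const exported = new Set(
    WebAssembly.Module.exports(mod).filter((e) => e.kind === 'function').map((e) => e.name),
  );
  const missing = required.filter((name) => !exported.has(name));
  return { ok: missing.length === 0, missing, exported: [...exported] };
}

// Usage: node validate-exports.js build/contract.wasm
// Without an argument it validates a constructed module that lacks onDeploy.
if (typeof require !== 'undefined' && require.main === module) {
  const fs = require('fs');
  const bytes = process.argv[2]
    ? new Uint8Array(fs.readFileSync(process.argv[2]))
    : buildMinimalWasm(['execute']);
  const result = validateWasmExports(bytes);
  console.log(result);
  process.exitCode = result.ok ? 0 : 1;
}
```

The exit code makes the script usable as a gate in a deploy pipeline; the other two checks on the list (btc-runtime patch verification and waiting for a block before btc_getCode) are separate steps and are not covered here.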


Known Accepted Risks (Testnet Only)

  • USDOP.setMinter(): deployer can change minter — acceptable for testnet flexibility
  • YieldVault.setAddresses(): can be reconfigured — acceptable for testnet iteration
  • Some npm audit advisories from upstream OP_NET dependencies — known upstream issues, not exploitable in current deployment

A full third-party security audit will be conducted prior to mainnet launch.


Security Best Practices for Users

  • Never share your seed phrase or private key with anyone
  • Always verify transaction details in your wallet before signing
  • Use hardware wallets for significant amounts
  • Keep your OPWallet / UniSat / XVerse extension updated
  • This platform is testnet only — do not send real mainnet BTC to testnet addresses
