| Version | Supported |
|---|---|
0.1.x (current) |
Yes |
< 0.1.0 |
No |
Do not open public GitHub issues for exploitable bugs.
- Open a private security advisory
- Or email the maintainers listed in the GitHub org (if configured)
We aim to:
- Acknowledge within 72 hours
- Provide a severity assessment within 7 days
- Coordinate disclosure and patch release before public details
In scope
- The
winsafCosmWasm contract andwinsaf-sharedcrate in this repository - Fund accounting, prize claims, referral ledger, randomness verification
- Admin / pause / migrate behavior
Out of scope
- The WinSaf Mini App, API, MPC service, or Telegram bot (private
winsafrepo) - Social engineering, phishing, or compromised user devices
- Issues in Safrochain node / wasmvm itself (report to Safrochain)
Player funds sit in the contract’s round pools. The backend cannot move user wallets — only the ticket owner claims prizes.
The contract admin can:
- Pause new ticket sales (
Pause/Unpause) - Change economics via
SetConfig(split must sum to 10_000 bps) - Withdraw the treasury balance (
WithdrawTreasury) — not player prize pools - Migrate contract code (CosmWasm-level admin)
Production requirement: admin = multisig + timelock, never a single hot key.
Winning numbers derive only from verified submitted randomness:
- Drand — BLS12-381 pairing check on-chain (
VerifyMode::Bls) - Commit-reveal —
sha256(value) == commitment - Mock — dev/localnet only; never mainnet
Block hash and block time are never used as entropy.
- Build reproducible artifact:
./scripts/optimize.sh - Compare
artifacts/checksums.txtwith on-chain code hash - Store new wasm → note
code_id - Admin multisig executes
wasm migrateto the verifiedcode_id - Publish release notes + advisory if user action required
Rollback = migrate back to a previous verified code_id.
- Contract
--adminis a multisig - Mainnet uses
RandomnessMode::Drand+VerifyMode::Bls(not Mock/Dev) - Deployer key has no ongoing admin role
- Keeper mnemonic is gas-only, low value
- GitHub branch protection enabled on
main - Dependabot + CI required on PRs
Independent audit: pending — track progress in release notes. Do not treat unaudited code as production-ready for mainnet with real funds.