Security: ragna999/chia-trade-bot

SECURITY.md

Security Policy

Reporting a Vulnerability

Do not publish wallet, transaction-signing, authorization, or credential vulnerabilities in a public issue. Use GitHub private vulnerability reporting for this repository when available. Include affected versions, reproduction steps, impact, and a minimal proof of concept without real secrets or funds.

There is no guaranteed response or remediation timeline. This project is maintained on a best-effort basis and has not received a professional audit.

Operator Responsibilities

  • Use a dedicated low-value wallet and a private Telegram bot.
  • Keep .env, wallet certificates, database files, seed phrases, and API credentials out of commits, logs, screenshots, and reports.
  • Restrict ALLOWED_TELEGRAM_USER_IDS to accounts you control.
  • Keep TLS verification enabled and expose wallet RPC only when necessary.
  • Rotate a Telegram token or wallet credential immediately if it is exposed.
  • Verify uncertain or failed swaps in the wallet before retrying.

Seed phrases and private keys are never required by this application. Treat any request for them as malicious.
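The ALLOWED_TELEGRAM_USER_IDS item above is the one control that stands between a leaked bot token and an attacker driving your wallet, so it should fail closed: an unset or empty allowlist must authorize nobody, and a malformed entry must abort startup rather than silently widen access. The following is an added example, not code from ragna999/chia-trade-bot; it assumes the bot is written in Python, that the variable is a comma-separated list of numeric Telegram user ids, and that updates arrive as a simple record with a user id, chat id and text (all assumptions for illustration). It also records only ids in its audit trail, never message text, in line with the "keep credentials out of logs" item.

```python
import os
from dataclasses import dataclass
from typing import FrozenSet, List, Optional


@dataclass(frozen=True)
class IncomingUpdate:
    """Minimal stand-in for a Telegram update (hypothetical shape, not the bot's type)."""
    user_id: int
    chat_id: int
    text: str


def parse_allowed_user_ids(raw: Optional[str]) -> FrozenSet[int]:
    """Parse ALLOWED_TELEGRAM_USER_IDS such as "123, 456" into a set of ints.

    Unset or empty yields an empty set, which the gate below treats as
    "deny everyone". A non-numeric entry raises so a typo cannot quietly
    turn into a broken (and therefore permissive) allowlist.
    """
    if not raw:
        return frozenset()
    ids = set()
    for part in raw.split(","):
        part = part.strip()
        if not part:
            continue
        if not part.isdigit():
            raise ValueError(
                f"ALLOWED_TELEGRAM_USER_IDS contains a non-numeric entry: {part!r}"
            )
        ids.add(int(part))
    return frozenset(ids)


def is_authorized(update: IncomingUpdate, allowed: FrozenSet[int]) -> bool:
    # Fail closed: an empty allowlist authorizes nobody, and the check is
    # on the sender's user id, never on the chat id (groups can be joined).
    return bool(allowed) and update.user_id in allowed


def handle_update(
    update: IncomingUpdate, allowed: FrozenSet[int], audit_log: List[str]
) -> Optional[str]:
    """Gate every command before any wallet or RPC logic runs.

    Returns a reply for authorized senders and None for everyone else.
    The audit line carries ids only, so secrets pasted into a message
    never end up in the log.
    """
    if not is_authorized(update, allowed):
        audit_log.append(f"DENIED user_id={update.user_id} chat_id={update.chat_id}")
        return None
    audit_log.append(f"ALLOWED user_id={update.user_id} chat_id={update.chat_id}")
    return f"ok: {update.text}"


if __name__ == "__main__":
    # Load the allowlist once at startup; a malformed value aborts here.
    allowed_ids = parse_allowed_user_ids(os.environ.get("ALLOWED_TELEGRAM_USER_IDS"))
    if not allowed_ids:
        raise SystemExit("ALLOWED_TELEGRAM_USER_IDS is empty; refusing to start")
    log: List[str] = []
    # Constructed sample update from a user id that is not on the list.
    print(handle_update(IncomingUpdate(999, 1, "/swap"), allowed_ids, log), log)
```

Run with `ALLOWED_TELEGRAM_USER_IDS=123,456 python allowlist.py`; without the variable set the process refuses to start instead of answering every sender.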

There aren't any published security advisories