Ophis Finance runs a fork of cowprotocol/services. Only one chain is operationally live as of 2026-05-20:

The frontend at https://ophis.fi targets only the live chain set. Reports against paused chains are still in scope (contracts remain deployed) but will be triaged at a lower urgency.

Do NOT open a public GitHub issue. For anything that could affect users' funds, the protocol's solver budget, partner-fee accrual, or could enable settlement-on-forged-state:

• Email: clement@aleph.cloud with subject prefix [OPHIS SECURITY]
• Signal / Matrix / encrypted alternative: request a channel via email first

We do not yet operate a public bug-bounty program. Disclosure incentives are negotiated case-by-case based on impact and demonstrated proof-of-concept.

Please include:

1. A clear description of the issue and which component(s) it affects (solidity contract / Rust backend / FE / infra / docs).
2. Reproduction steps. If you have a proof-of-concept transaction, include the tx hash on whichever testnet you used (Sepolia / OP Sepolia) — never PoC against mainnet.
3. The git SHA (git rev-parse HEAD) you reproduced against.
4. Your suggested fix, if any.

• First acknowledgement: within 48 hours of receipt.
• Triage decision (severity + initial mitigation plan): within 5 business days.
• Patch released: depends on severity. Critical findings (loss-of-funds, settlement-on-forged-state, key disclosure) get an out-of-band emergency push within 72h of triage.

The following are NOT considered vulnerabilities by this policy:

• Anything in apps/frontend/ that's pure upstream CoW Protocol code (file a report with cowprotocol/cowswap instead). Ophis-specific FE code lives under apps/frontend/apps/cowswap-frontend/src/ophis/ and similar ophis/-prefixed paths.
• Findings in apps/backend/ against pure upstream CoW Protocol code (file with cowprotocol/services instead). Ophis additions are marked with ophis:: module paths or live in dedicated crates: poison-recovery, retry-helper, configs.
• Theoretical attacks requiring nation-state level adversary capability against shared infrastructure (e.g. Cloudflare DNS control-plane compromise).
• Findings against the deprecated infra dirs that were removed in #124 — infra/optimism/, infra/hyperevm/, infra/katana/, infra/linea/, infra/mantle/. These no longer exist.
• DoS via known public-tier rate limits on free RPC providers (the eRPC consensus posture fails closed under low-participants — this is the intended behavior, not a vulnerability).

Examples of what we consider in scope (non-exhaustive):

• Settlement-contract logic flaws in contracts/src/ (GPv2Settlement, GPv2AllowListAuthentication, GPv2VaultRelayer).
• Ophis-specific backend crates (poison-recovery, retry-helper, configs, settlement-state-machine in driver).
• Partner-fee economic exploits: the live CIP-75 volumeBps path (flat volume fee, recipient allowlist, backend fee clamping) and the legacy priceImprovementBps / maxVolumeBps fallback path.
• Key custody compromise paths.
• Frontend signing-path flaws under apps/frontend/apps/cowswap-frontend/src/ophis/.
• eRPC consensus posture bypass (e.g. a configuration that lets a single-upstream answer be trusted for a critical method).
• Submission-path or in-flight settlement-calldata handling flaws.

Phase 3 + 4 follow-ups were shipped across PRs #120-#138.