| Version | Status |
|---|---|
| V02 (Base Mainnet) | Active — current production deployment |
| V01 (Base Mainnet) | Legacy — no new deposits; redeem-only |

Do not open a public GitHub issue for security vulnerabilities.

Email: security@yearringfund.com

Include in your report:
- Affected contract(s) and address(es)
- Description of the vulnerability
- Potential impact (funds at risk, access control bypass, etc.)
- Steps to reproduce or proof-of-concept (if available)
- Your preferred contact method for follow-up

| Stage | Target |
|---|---|
| Acknowledgement | Within 48 hours |
| Initial triage | Within 5 business days |
| Resolution / disclosure | Coordinated with reporter |

We will not take legal action against researchers who follow responsible disclosure.

In scope:
- All deployed contracts listed in yearring-protocol
- Frontend at app.yearringfund.com (client-side logic, ABI mismatches)
- Smart contract logic bugs that could result in loss of funds

Out of scope:
- Issues in third-party dependencies (OpenZeppelin, Aave V3, Base L2 infrastructure)
- Gas optimization suggestions
- Issues requiring physical access to a private key
- Social engineering attacks

We follow a coordinated disclosure model. Once a fix is deployed on-chain, we will publish a post-mortem on docs.yearringfund.com crediting the reporter (unless anonymity is requested).

No formal bug bounty program is active at this time. Significant findings may be recognized at the team's discretion.