# Reporting a vulnerability

If you have found a security issue in TONado Cash (in the contracts, the circuits, the SDK, the relayer, or anywhere in the protocol), please report it responsibly.

## What counts as a security issue

The vulnerability classes we care about most:

* **Anything that allows draining a pool**: proof forgery, double-spending a nullifier, accepting an invalid root, replay attacks.
* **Anything that breaks the privacy guarantee**: linking a deposit to a withdrawal beyond the anonymity-set baseline, deanonymization via on-chain side channels.
* **Anything that lets an attacker steal an individual user's deposit**: note exfiltration via the CLI, the SDK, the relayer, or the dApp.
* **Counterfeit-jetton attacks** on jetton pools: bypassing the `sender == config.poolJettonWallet` check.
* **Trusted-setup integrity**: anything that suggests the ceremony was compromised or that a contributor's toxic waste was leaked.
* **Relayer wallet compromise paths**: any way to extract or misuse the relayer's mnemonic.

Lower-priority but still in scope:

* Denial-of-service against the relayer or the pool.
* Information leakage from the CLI / SDK / relayer.
* Anything that could cause permanent loss of funds for any party (not just attackers).
* Documentation that misleads users about safety-critical behavior.

## How to report

1. **Email** <admin@tonadocash.com>. Use PGP if possible (key fingerprint to be published on the project website ahead of mainnet).
2. **Include**:
   * A clear description of the vulnerability.
   * Steps to reproduce, ideally with a proof-of-concept on testnet.
   * The impact (what an attacker can do, against whom, at what cost).
   * Your suggested fix, if you have one.
3. **Do not** open a public GitHub issue or pull request for security-sensitive findings. The fix needs time before disclosure.
4. **Do not** exploit the vulnerability beyond what's needed to demonstrate it. Don't drain pools. Don't withdraw without authorization. Don't deanonymize real users.

## What you can expect

* **Acknowledgement within 48 hours.** We will confirm we received your report.
* **An initial impact assessment within 7 days.** We will tell you our severity rating and target fix timeline.
* **Coordinated disclosure.** Once a fix is deployed, we will publish a write-up crediting you (or anonymously if you prefer), and add the finding to the [security review](/security/security-review.md).
* **A bounty**, if the issue is in scope and severe. Bug bounty amounts are TBD pre-mainnet; the full program launches before mainnet (see [Security overview](/security/security.md)).

## What we ask of you

* Give us a reasonable window to fix the issue before public disclosure. **90 days** is the standard window; shorter if the impact is contained.
* Don't blackmail us. We will pay the bounty if the issue is real. We will not pay more under pressure.
* Don't share the vulnerability with third parties until the disclosure window has elapsed.

## Out-of-scope

Reports about the following are not in scope:

* Toncenter, lite-client correctness, or TVM-level issues (we assume these are correct; if not, the TON chain itself is compromised).
* circomlib / snarkjs / `@ton/sandbox`: these are external dependencies; report them upstream.
* Best-practice recommendations not tied to a concrete vulnerability ("you should use library X instead of Y" without an actual exploit).
* User-side mistakes: lost notes, leaked notes shared in a chat, weak randomness in someone's home-rolled wallet.

## Hall of fame

Once we've had researchers contribute, this page will list them.

## Disclosure of past issues

A running log of internally identified findings is kept in [Tolk security findings](/security/tolk-security-findings.md) and the consolidated [security review](/security/security-review.md). Both are public. TONado Cash prefers a fully transparent security posture over a polished marketing surface.
