Urgent: Private Security Disclosure Request regarding Authority.sol

[Architect-core-dev]

Hello Inverse Finance Team,

I have identified a verified security vulnerability in Authority.sol (SHA256: 97a7d4...855).

I am a white-hat researcher and wish to disclose this privately. Since the official security email is currently unreachable and no GitHub Security Advisory is active, please provide a secure, private communication channel (PGP or encrypted chat) for the full report and PoC.

I am opting for a direct disclosure due to privacy requirements regarding the standard Immunefi KYC process.

Regards,
Architect

[Architect-core-dev]

Update: Additional Security Finding - Oracle Price Staleness Risk

While waiting for a private channel, my deeper audit of the repository has revealed a second, critical issue regarding Oracle data validation.

I’ve identified multiple instances where latestRoundData() is called without validating answeredInRound. This exposes the protocol to stale price data in the event of an Oracle delay or freeze, potentially leading to incorrect liquidations or arbitrage opportunities during market volatility.

This finding, combined with the previously mentioned ownership transfer risk in Authority.sol, suggests a broader need for a comprehensive security review. I have the full PoC and a list of affected files ready for private disclosure.

Please provide a secure communication path to discuss these findings.