Skip to content

Security: dusy4/pi3

Security

SECURITY.md

Security & responsible use

guml is a defensive / research tool: it finds smart contracts that may be exploitable and tries to prove it with a local proof-of-concept, so the finding can be responsibly disclosed. Please use it accordingly.

Acceptable use

  • Only test contracts you are authorized to test — your own, or those covered by a bug-bounty / audit program that permits this kind of research.
  • The intended destination for any finding is responsible disclosure (a bug bounty, the project's security contact, or a coordinated disclosure) — never on-chain fund-draining.
  • Proofs-of-concept run only against a local anvil fork of real chain state and are never broadcast to a live network. The pipeline refuses to use private keys or send transactions to mainnet/testnets. Do not modify it to do so.

You are responsible for complying with the laws and program rules that apply to you.

Operational security

  • The dashboard is an unauthenticated control plane. Anyone who can reach its port can start/stop workers, change the model, and read everything. Bind it to 127.0.0.1 or a private overlay network (Tailscale/WireGuard) or reach it via an SSH tunnel. Never expose it to the public internet.
  • Secrets (RPC URLs with keys, Etherscan key, model-provider keys, Telegram token) live in .env, which is gitignored. Don't commit real keys; rotate any that leak.
  • The audit agent executes tools (forge, cast, shell) inside each per-contract workspace to build and test its PoC. Run guml as a non-root user, ideally on an isolated host/VM, since the agent runs largely autonomously.
  • Runtime data — guml.db, audits/, confirmed/, run/, out/ — is gitignored and may contain target details; treat it as sensitive and keep it out of any public repo.

Reporting a vulnerability in guml itself

If you find a security issue in this codebase, please report it privately to the maintainer (see the repository's contact / security advisory settings) rather than opening a public issue.

There aren't any published security advisories