Reporting a Vulnerability

If you believe you have found a security vulnerability in Gensyn Foundation — whether in our smart contracts, landing page, blog, or supporting infrastructure — please report it responsibly.

Email: info@gensynfoundation.org

You must send reports using our PGP key:

Do not open a public GitHub issue for security vulnerabilities.

What to Include

A description of the vulnerability and its potential impact.
Steps to reproduce or a proof of concept.
Which in-scope contract(s) are affected, with addresses, transaction hashes, or network details if applicable.
Your contact information for follow-up.

Scope

This page covers only the landing page, blog, and smart contracts listed below. Anything not listed here is out of scope for this disclosure channel.

Smart Contracts

Gensyn Foundation smart contracts are deployed on the Gensyn Foundation network (EVM-compatible, Solidity 0.8.30). Core contracts include:

Contract	Mainnet Address
BuyBack Vault Proxy	`0x2CBEE00F91A2BC50a7D5C53DFfa6BAB79d7E0243`
BuyBack Vault Timelock	`0x6292B830DC9AaB0988bBf7BFcd31A75Cdc106187`
BuyBack Vault Timelock Proposer	`0xaa11F69F612cEae5bE1f8f64a94E745bC33280be`

Issues of interest include but are not limited to:

Loss or theft of user funds (token balances, market positions, or collateral).
Manipulation of market outcomes, pricing, or settlement logic.
Unauthorized market creation, initialization, or state transitions.
Rounding, precision, or overflow errors in DynamicParimutuelMath that enable value extraction.
Proxy or initialization flaws (clone-based deployment via Clones.clone()).
Denial of service against market operations (buy, sell, redeem, liquidate).
Access control bypasses on gateway initialization or factory registration.

Disclosure Policy

We follow a coordinated disclosure model:

Triage. Reports are reviewed by the security team. We prioritize by severity — critical smart contract vulnerabilities (fund loss, unauthorized state changes) are triaged immediately; lower-severity issues are assessed as capacity allows.
Remediation. Confirmed vulnerabilities are remediated as rapidly as possible, with critical issues taking precedence. For critical smart contract vulnerabilities, we may deploy emergency mitigations — including contract pauses — before the full fix is complete.
Coordination. We will coordinate with you on a disclosure timeline. We ask that you give us a reasonable window — generally 90 days for non-critical issues, shorter for critical issues with active exploitation risk — before any public disclosure.
Credit. With your permission, we will publicly credit you for the discovery in any advisory or post-mortem we publish.

We may not respond to every report individually, but we read all of them. If your report describes a critical or high-severity issue, you will hear from us.

Safe Harbor

Gensyn Foundation will not pursue legal action against security researchers who:

Act in good faith to avoid privacy violations, degradation of user experience, disruption to production systems, and destruction of data.
Only interact with accounts they own or with explicit permission of the account holder.
Do not exploit a vulnerability beyond the minimum necessary to demonstrate the issue.
Report the vulnerability promptly and do not disclose it publicly before coordinated resolution.
Do not extract, move, or otherwise interact with funds belonging to other users.

Severity Classification

We use the following severity levels when triaging reports:

Severity	Examples
Critical	Direct theft of user funds; unauthorized minting or burning of positions; manipulation of market settlement
High	Permanent freezing of funds; griefing attacks that block market settlement or redemption; economic exploits via rounding or precision errors
Medium	Temporary denial of service against specific markets; minor economic inefficiency exploitable under narrow conditions
Low	Theoretical issues requiring unrealistic preconditions; gas optimization issues

Contact

Security reports: info@gensynfoundation.org
Gensyn: gensyn.network · blog.gensyn.ai