onchain provides core EVM primitives — JSON-RPC, ABI, ERC token interfaces,
and signing. This surface constructs and signs transactions and decodes untrusted
chain data, so bugs can move funds or corrupt signed payloads.
This library is pre-1.0; only the current release line receives security fixes.
| Version | Supported |
|---|---|
| 0.8.x | ✅ |
| < 0.8 | ❌ |
Do not open a public issue for security vulnerabilities.
Report privately through GitHub's Security tab on this repository: Security → Advisories → "Report a vulnerability" (https://github.com/ZenHive/onchain/security/advisories/new).
This opens a private advisory visible only to you and the maintainers.
In scope:

- Signing and transaction construction (anything that can produce a signature or serialized transaction other than the one the caller intended)
- RPC request construction and receipt/response parsing
- ABI / ERC decoding of untrusted chain data, including event-log decoding

Out of scope:

- Vulnerabilities in upstream dependencies (`cartouche`, `hieroglyph`, `req`): report those to their projects, though a heads-up is welcome.
- A compromised local environment or developer machine.
What to expect after reporting:

- Acknowledgement within a few business days.
- A fix or mitigation plan communicated through the private advisory.
- Coordinated disclosure: we'll agree on a disclosure timeline with you before any public release.
Thank you for helping keep the stack safe.