
IFÁ Labs takes security seriously. If you believe you have discovered a vulnerability in the oracle contracts, the relayer infrastructure, the MCP server, or any other component of the IFÁ Labs system, we want to hear from you immediately through the appropriate channels. Responsible disclosure protects every protocol building on IFÁ Labs infrastructure. A vulnerability left unreported — or disclosed publicly before a fix is deployed — puts real funds at risk.

Reporting Channels

Use the channel that matches the severity of what you’ve found.

Critical and High Severity

For vulnerabilities that could result in loss of funds, price manipulation, or contract exploitation:

Email (preferred for sensitive disclosures)

support@ifalabs.com

Use this address for all critical and high severity reports. Encrypted communication is available on request — contact us first and we will arrange a secure channel.
Do not disclose critical vulnerabilities in public channels, Discord, Telegram, or GitHub issues. Public disclosure before a fix is deployed puts protocols and users at immediate risk.

Low and Informational Severity

For low-severity issues, documentation errors, or non-exploitable findings:

GitHub Issues

Open a private or public issue. Use the Bug Report template. Include reproduction steps and affected component.

Telegram

Reach the team directly for questions about whether a finding warrants a formal report.

What to Include in Your Report

A well-structured report enables faster triage and resolution. Include as much of the following as possible:

Required:
  • Clear description of the vulnerability and its potential impact
  • The affected component — contract address, function name, or infrastructure component
  • Steps to reproduce the issue
  • The network where the vulnerability was observed or can be demonstrated
Strongly recommended:
  • Proof-of-concept code or transaction — use testnets where possible, never exploit on mainnet
  • The block number or transaction hash of any relevant on-chain state
  • Your assessment of severity and exploitability
  • Any suggested fix or mitigation
Optional but appreciated:
  • Your name or handle for attribution in the fix acknowledgement
  • Whether you want to be credited publicly or anonymously

Responsible Disclosure Guidelines

By reporting a vulnerability to IFÁ Labs, you agree to the following:

Do:
  • Report privately through the channels above before any public disclosure
  • Use testnets for proof-of-concept demonstrations wherever possible
  • Allow reasonable time for the team to investigate, develop a fix, and deploy before going public
  • Keep the details of your report confidential until a fix has been deployed and announced
Do not:
  • Exploit the vulnerability on mainnet beyond the minimum required to demonstrate it
  • Access, modify, or exfiltrate data beyond what is necessary to demonstrate the issue
  • Disclose the vulnerability publicly — including social media, Discord, or conference talks — before coordinating with IFÁ Labs
  • Conduct denial-of-service testing against live infrastructure

Our Commitments to You

When you submit a responsible disclosure report, IFÁ Labs commits to:

| Commitment | Timeline |
| --- | --- |
| Acknowledge receipt of your report | Within 48 hours |
| Provide an initial severity assessment | Within 5 business days |
| Keep you updated on investigation progress | Weekly, or on significant developments |
| Notify you before public disclosure | Before any fix announcement |
| Credit you in release notes (with permission) | At time of public disclosure |

We will not take legal action against researchers who discover and report vulnerabilities in good faith following these guidelines.

Severity Classification

Use this guide to self-assess the severity of your finding before reporting. Include your assessment in the report — the team will independently verify it.

| Severity | Description | Examples |
| --- | --- | --- |
| Critical | Direct loss of funds or complete price feed compromise | On-chain price manipulation, unauthorized price writes, contract drain |
| High | Significant impact on feed reliability or protocol safety | Relayer manipulation, sustained staleness attack, depeg event suppression |
| Medium | Limited impact with specific preconditions | Edge case in derived pair calculation, non-standard input handling |
| Low | Minor issue with negligible exploitability | Inefficient logic, misleading error messages, documentation inconsistency in contract comments |
| Informational | No security impact — code quality or best practice observation | Unused variables, naming inconsistencies, gas inefficiency |

Scope

In Scope

The following components are in scope for vulnerability reports:
  • Oracle smart contracts — all deployed contracts at addresses listed in Contract Addresses
  • Relayer infrastructure — any vulnerability in the price submission pipeline
  • MCP server — the @ifalabs/mcp-server npm package and its dependencies
  • Interface package — the ifapricefeed-interface npm package
  • Price aggregation logic — any vulnerability in source collection, outlier detection, or consensus calculation
  • IFÁ Labs official documentation — factual errors that could cause developers to implement insecure integrations

Out of Scope

The following are explicitly out of scope:
  • Theoretical attacks with no practical exploitability on current deployments
  • Vulnerabilities in third-party dependencies that are not directly exploitable via IFÁ Labs components
  • Social engineering attacks against IFÁ Labs team members
  • Physical security of infrastructure
  • Denial-of-service attacks against the public RPC endpoints
  • Findings already documented in the AdForensics Audit Summary

Bug Bounty

A formal bug bounty program is under development. Details on scope, reward tiers, and the submission platform will be announced via @ifalabs and Telegram. Until the program launches, critical and high severity findings submitted through responsible disclosure will be reviewed for discretionary rewards based on the impact and quality of the report.

Public Acknowledgements

IFÁ Labs publicly acknowledges security researchers who responsibly disclose vulnerabilities — with their permission. Researchers who have contributed to IFÁ Labs security will be listed here as findings are resolved and disclosed. No public acknowledgements yet — the program is new.

Next Steps

Data Integrity Mechanisms

Understand the technical layers protecting IFÁ Labs price accuracy.

AdForensics Audit Summary

Review the full audit results for the deployed oracle contracts.