Security: Pratiikpy/onelink

SECURITY.md

Security Policy

Supported

OneLink Collect targets Arc Testnet (chain id 5042002). There is no mainnet deployment of OneLinkCollect.sol at this time. Testnet USDC has no monetary value, but we still take vulnerability reports seriously because the codebase is intended for production use once mainnet support lands.

| Surface | Reports we want |
| --- | --- |
| contracts/src/OneLinkCollect.sol | Reentrancy, fee underflow, access-control bypass, integer issues, unbounded loops, malicious upgrades (note: contract is non-upgradeable). |
| Supabase schema (supabase/schema.sql) | Trigger bypass, RLS escapes, ways to mutate a sealed paid/cancelled row, denial of service via unbounded inserts. |
| Frontend (components/, lib/) | XSS, prototype pollution, key leakage in the bundle, ways to forge a "paid" status without an on-chain payLink. |

Reporting a vulnerability

Please do not open a public GitHub issue for security findings.

Use GitHub's private vulnerability reporting or open a private security advisory with the maintainers. Include:

  • A description of the vulnerability and the impacted surface.
  • Reproduction steps or a proof-of-concept.
  • Your name / handle for credit, if you'd like.

The public repository also enables GitHub secret scanning, push protection, Dependabot security updates, and CodeQL scanning for JavaScript/TypeScript.

We will acknowledge receipt within 72 hours and provide a remediation timeline within 7 days. For high-severity issues we will work with you on a coordinated disclosure window before publishing the fix.

Out of scope

  • Issues that require physical access to a victim's wallet.
  • Issues in upstream dependencies (@circle-fin/*, wagmi, viem, next, etc.) without a OneLink-specific exploitation path — please report those upstream.
  • Spam-prevention concerns on Supabase writes — known limitation; see the "Security trade-offs" section in README.md.
  • Reports against demo deployments (onelink-mauve-nu.vercel.app while NEXT_PUBLIC_ALLOW_DEMO=true).

Acknowledgements

Thanks to everyone who reports security issues responsibly — once mainnet ships, contributors who help find and fix vulnerabilities will be credited here.