How to report
DM @archrdeploy on X to open a private line and wait for an operator to move the conversation to DMs before sharing details or a proof of concept. Do not post vulnerability details in public tweets or replies, and do not open a GitHub issue. Please give the team a reasonable window to investigate and ship a fix before disclosing the issue anywhere publicly.Scope
In scope:- The on-chain contracts:
WebFactory,ArchrLaunchpad,RedditFactory,TwitterFactory,Coin, andArchrLauncher. See Contracts for the address list. - The archr.win frontend at archr.win — client-side vulnerabilities, wallet-interaction flaws, socials-storage sig-bypass.
- The public routes on
archr.win/api/*that read or write coin metadata.
Good-faith safe harbor
We will not pursue or support legal action against researchers who, in good faith:- Report a vulnerability through the private channel above.
- Avoid privacy violations, data destruction, and any disruption to launched coins, LP positions, or other users.
- Give the team a reasonable opportunity to remediate before any public disclosure.

