Security: Vera3289/tracechain-contracts

Security Policy

Supported Versions

Version Supported
0.1.x

Reporting a Vulnerability

Do not open a public GitHub issue for security vulnerabilities.

Please email security reports to: security@tracechain.example

Include:

  • Description of the vulnerability
  • Steps to reproduce
  • Potential impact
  • Suggested fix (optional)

You will receive an acknowledgement within 48 hours and a resolution timeline within 7 days.

Security Design Notes

  • All state-changing contract functions require explicit require_auth() from the relevant party
  • Deposit escrow logic enforces status transitions — funds cannot be released without recipient confirmation
  • Events are emitted for every state change, providing an immutable audit trail
  • Role-based access: only the assigned carrier can start transit, only the recipient can confirm delivery
  • Admin operations (cancel, mint, burn) are gated behind admin address verification
  • No floating-point arithmetic — all token amounts use i128 integers
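
A plain-Rust model of the role and status gating listed above, added here as an illustration; it is not the project's contract code and does not use soroban-sdk. The status names, the numeric party ids and the `apply` function are assumptions, `caller` stands in for the address that passed require_auth(), and the fate of the deposit on cancel is left out because the notes do not state it.

```rust
// Hypothetical model: every type, variant and function name here is an assumption.
#[derive(Debug, Clone, Copy, PartialEq)]
pub enum Status { Created, InTransit, Delivered, Cancelled }
#[derive(Debug, Clone, Copy, PartialEq)]
pub enum Action { StartTransit, ConfirmDelivery, Cancel }
#[derive(Debug, PartialEq)]
pub enum Error { Unauthorized, BadTransition }

pub struct Shipment {
    pub admin: u32, pub carrier: u32, pub recipient: u32, // constructed stand-ins for addresses
    pub status: Status,
    pub escrow: i128,   // held deposit in integer token units, no floats
    pub released: i128, // amount paid out after confirmation
    pub events: Vec<(Status, Status)>, // audit trail of (from, to) transitions
}

impl Shipment {
    pub fn new(admin: u32, carrier: u32, recipient: u32, deposit: i128) -> Self {
        Shipment { admin, carrier, recipient, status: Status::Created,
                   escrow: deposit, released: 0, events: Vec::new() }
    }

    /// `caller` models the party whose authorization was already verified.
    pub fn apply(&mut self, caller: u32, action: Action) -> Result<Status, Error> {
        // 1. Role gate: each action has exactly one permitted party.
        let allowed = match action {
            Action::StartTransit => self.carrier,
            Action::ConfirmDelivery => self.recipient,
            Action::Cancel => self.admin,
        };
        if caller != allowed { return Err(Error::Unauthorized); }
        // 2. Status gate: anything not listed here is rejected.
        let next = match (self.status, action) {
            (Status::Created, Action::StartTransit) => Status::InTransit,
            (Status::InTransit, Action::ConfirmDelivery) => Status::Delivered,
            (Status::Created | Status::InTransit, Action::Cancel) => Status::Cancelled,
            _ => return Err(Error::BadTransition),
        };
        // 3. Funds leave escrow only on the recipient-confirmed transition.
        if next == Status::Delivered { self.released = std::mem::take(&mut self.escrow); }
        self.events.push((self.status, next)); // one event per state change
        self.status = next;
        Ok(next)
    }
}

fn main() {
    let mut s = Shipment::new(1, 2, 3, 500); // constructed ids and amount
    println!("{:?}", s.apply(2, Action::StartTransit));
}
```

Failed calls return before any field is written, so a rejected action leaves both the escrow balance and the event log unchanged.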

There aren't any published security advisories