npm - @btc-vision/btc-runtime - Versions diffs - 1.10.11 → 1.11.0-alpha - Mend

@btc-vision/btc-runtime 1.10.11 → 1.11.0-alpha

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (41) hide show

package/README.md +48 -224
package/SECURITY.md +38 -191
package/docs/README.md +28 -0
package/docs/advanced/contract-upgrades.md +537 -0
package/docs/advanced/plugins.md +90 -25
package/docs/api-reference/blockchain.md +48 -14
package/docs/api-reference/storage.md +2 -111
package/docs/contracts/op-net-base.md +22 -0
package/docs/contracts/upgradeable.md +396 -0
package/docs/core-concepts/blockchain-environment.md +0 -2
package/docs/core-concepts/security.md +8 -111
package/docs/core-concepts/storage-system.md +1 -32
package/docs/examples/nft-with-reservations.md +8 -238
package/docs/storage/memory-maps.md +1 -44
package/docs/storage/stored-arrays.md +1 -65
package/docs/storage/stored-maps.md +1 -73
package/docs/storage/stored-primitives.md +2 -49
package/docs/types/bytes-writer-reader.md +76 -0
package/docs/types/safe-math.md +2 -45
package/package.json +5 -5
package/runtime/buffer/BytesReader.ts +90 -3
package/runtime/buffer/BytesWriter.ts +81 -3
package/runtime/contracts/OP721.ts +40 -4
package/runtime/contracts/OP_NET.ts +83 -11
package/runtime/contracts/Upgradeable.ts +242 -0
package/runtime/env/BlockchainEnvironment.ts +124 -27
package/runtime/env/global.ts +24 -0
package/runtime/events/upgradeable/UpgradeableEvents.ts +41 -0
package/runtime/generic/AddressMap.ts +20 -18
package/runtime/generic/ExtendedAddressMap.ts +147 -0
package/runtime/generic/MapUint8Array.ts +20 -18
package/runtime/index.ts +8 -0
package/runtime/plugins/Plugin.ts +34 -0
package/runtime/plugins/UpgradeablePlugin.ts +279 -0
package/runtime/storage/BaseStoredString.ts +1 -1
package/runtime/storage/arrays/StoredPackedArray.ts +4 -0
package/runtime/types/ExtendedAddress.ts +36 -24
package/runtime/types/ExtendedAddressCache.ts +27 -0
package/runtime/types/SafeMath.ts +109 -18
package/runtime/types/SchnorrSignature.ts +44 -0
package/runtime/utils/lengths.ts +2 -0

package/README.md CHANGED Viewed

@@ -11,19 +11,13 @@
 ## Overview
-The **OPNet Smart Contract Runtime** is the foundational framework for building decentralized applications directly on
-Bitcoin Layer 1 (L1). Written in AssemblyScript and compiled to WebAssembly, btc-runtime enables developers to create,
-deploy, and execute smart contracts on the Bitcoin network with the same expressiveness as Ethereum's Solidity.
+The OPNet Smart Contract Runtime is the framework for building decentralized applications on Bitcoin L1. Written in AssemblyScript and compiled to WebAssembly, it enables smart contract development on Bitcoin with similar expressiveness to Solidity.
-Unlike Bitcoin Layer 2 solutions, OPNet operates directly on Bitcoin's base layer, inheriting Bitcoin's security
-guarantees and decentralization properties while adding programmable smart contract capabilities.
+Unlike Bitcoin Layer 2 solutions, OPNet operates directly on Bitcoin's base layer, inheriting Bitcoin's security guarantees and decentralization properties while adding programmable smart contract capabilities.
 > **What is OPNet?**
 >
-> OPNet (Open Protocol Network) is a consensus-layer built on Bitcoin L1. It allows developers to write smart
-> contracts in AssemblyScript or similar that compile to WebAssembly (WASM) and execute deterministically across all
-> network nodes. Think of it as "Solidity for Bitcoin" - you get the programmability of Ethereum with the security of
-> Bitcoin.
+> OPNet (Open Protocol Network) is a consensus-layer built on Bitcoin L1. It allows developers to write smart contracts in AssemblyScript or similar that compile to WebAssembly (WASM) and execute deterministically across all network nodes. Think of it as "Solidity for Bitcoin" - you get the programmability of Ethereum with the security of Bitcoin.
 > **Why AssemblyScript?**
 >
@@ -33,51 +27,32 @@ guarantees and decentralization properties while adding programmable smart contr
 > - **Memory safety** through WASM's sandboxed environment
 > - **Familiar syntax** for TypeScript/JavaScript developers
-> **IMPORTANT: Floating-Point Arithmetic is Prohibited**
+> **Floating-Point Arithmetic is Prohibited**
 >
-> Floating-point arithmetic (`f32`, `f64`) is **strictly prohibited** in blockchain and smart contract environments.
-> Floating-point operations are **non-deterministic** across different CPU architectures, compilers, and platforms due
-> to differences in rounding, precision, and IEEE 754 implementation details.
+> Floating-point arithmetic (`f32`, `f64`) is **strictly prohibited** in blockchain and smart contract environments. Floating-point operations are non-deterministic across different CPU architectures, compilers, and platforms due to differences in rounding, precision, and IEEE 754 implementation details.
 >
-> **Always use integer arithmetic** (`u128`, `u256`) for all blockchain computations. For decimal values, use
-> fixed-point representation (e.g., store currency as smallest units like satoshis). This library provides full support
-> for 128-bit and 256-bit integer operations through [@btc-vision/as-bignum](https://github.com/btc-vision/as-bignum).
+> **Always use integer arithmetic** (`u128`, `u256`) for all blockchain computations. For decimal values, use fixed-point representation (e.g., store currency as smallest units like satoshis). This library provides full support for 128-bit and 256-bit integer operations through [@btc-vision/as-bignum](https://github.com/btc-vision/as-bignum).
 ## Security Audit
 <p align="center">
   <a href="https://verichains.io">
-    <img src="https://raw.githubusercontent.com/btc-vision/contract-logo/refs/heads/main/public-assets/verichains.png" alt="Verichains" width="300"/>
+    <img src="https://raw.githubusercontent.com/btc-vision/contract-logo/refs/heads/main/public-assets/verichains.png" alt="Verichains" width="100"/>
   </a>
 </p>
 <p align="center">
   <a href="https://verichains.io">
-    <img src="https://img.shields.io/badge/Security%20Audit-Verichains-4C35E0?style=for-the-badge&logo=data:image/svg+xml;base64,PHN2ZyB3aWR0aD0iMjQiIGhlaWdodD0iMjQiIHZpZXdCb3g9IjAgMCAyNCAyNCIgZmlsbD0ibm9uZSIgeG1sbnM9Imh0dHA6Ly93d3cudzMub3JnLzIwMDAvc3ZnIj48cGF0aCBkPSJNMTIgMkw0IDV2Ni41YzAgNS4yNSAzLjQgMTAuMiA4IDExLjUgNC42LTEuMyA4LTYuMjUgOC0xMS41VjVsLTgtM3ptMCAxMC45OVYxOS41Yy0zLjQ1LTEuMTctNS45My00LjgtNi02LjVWNi4zTDEyIDRsMCA4Ljk5eiIgZmlsbD0id2hpdGUiLz48L3N2Zz4=" alt="Audited by Verichains"/>
+    <img src="https://img.shields.io/badge/Security%20Audit-Verichains-4C35E0?style=for-the-badge" alt="Audited by Verichains"/>
   </a>
   <a href="./SECURITY.md">
-    <img src="https://img.shields.io/badge/Security-Report-22C55E?style=for-the-badge&logo=data:image/svg+xml;base64,PHN2ZyB3aWR0aD0iMjQiIGhlaWdodD0iMjQiIHZpZXdCb3g9IjAgMCAyNCAyNCIgZmlsbD0ibm9uZSIgeG1sbnM9Imh0dHA6Ly93d3cudzMub3JnLzIwMDAvc3ZnIj48cGF0aCBkPSJNOSAxNi4xN0w0LjgzIDEybC0xLjQyIDEuNDFMOSAxOSAyMSA3bC0xLjQxLTEuNDFMOSAxNi4xN3oiIGZpbGw9IndoaXRlIi8+PC9zdmc+" alt="Security Report"/>
+    <img src="https://img.shields.io/badge/Security-Report-22C55E?style=for-the-badge" alt="Security Report"/>
   </a>
 </p>
-This runtime has been professionally audited by [**Verichains**](https://verichains.io), a leading blockchain security
-firm. The audit covered all core components including contract standards (OP20, OP721), storage systems, cryptographic
-operations, and security mechanisms.
+This runtime has been professionally audited by [Verichains](https://verichains.io).
-For full details, see [SECURITY.md](./SECURITY.md).
-## Features
-| Feature                      | Description                                                      |
-|------------------------------|------------------------------------------------------------------|
-| **Contract Standards**       | OP20 (fungible tokens), OP721 (NFTs), OP20S (gasless signatures) |
-| **Storage System**           | Pointer-based persistent storage with SHA256 key hashing         |
-| **SafeMath**                 | Overflow/underflow protection for all arithmetic operations      |
-| **Reentrancy Protection**    | Built-in guards with STANDARD and CALLBACK modes                 |
-| **Cryptographic Operations** | Schnorr signatures, ML-DSA (quantum-resistant), SHA256           |
-| **Bitcoin Integration**      | Transaction parsing, address validation, script building         |
-| **Event System**             | 352-byte events for state change notifications                   |
-| **Cross-Contract Calls**     | Inter-contract communication with configurable failure handling  |
+See [SECURITY.md](./SECURITY.md) for details.
 ## Installation
@@ -87,10 +62,6 @@ npm install @btc-vision/btc-runtime
 ## Quick Start
-### Your First Contract
-Here's a minimal OP20 token contract to get you started:
 ```typescript
 import { u256 } from '@btc-vision/as-bignum/assembly';
 import {
@@ -103,219 +74,72 @@ import {
 @final
 export class MyToken extends OP20 {
-    public constructor() {
-        super();
-        // NOTE: Constructor runs on EVERY interaction, not just deployment!
-    }
-    // This runs ONCE when the contract is deployed (like Solidity's constructor)
     public override onDeployment(_calldata: Calldata): void {
-        const maxSupply: u256 = u256.fromString('1000000000000000000000000'); // 1 million tokens
+        const maxSupply: u256 = u256.fromString('1000000000000000000000000');
         const decimals: u8 = 18;
         const name: string = 'MyToken';
         const symbol: string = 'MTK';
         this.instantiate(new OP20InitParameters(maxSupply, decimals, name, symbol));
-        // Mint initial supply to deployer
         this._mint(Blockchain.tx.origin, maxSupply);
     }
-    // Custom mint function (deployer only)
-    public mint(calldata: Calldata): BytesWriter {
-        this.onlyDeployer(Blockchain.tx.sender);
-        const to = calldata.readAddress();
-        const amount = calldata.readU256();
-        this._mint(to, amount);
-        return new BytesWriter(0);
-    }
 }
 ```
-### Solidity Comparison
-If you're coming from Solidity/EVM development, here's how OPNet concepts map:
-| Solidity/EVM                | OPNet/btc-runtime                         | Notes                       |
-|-----------------------------|-------------------------------------------|-----------------------------|
-| `contract MyContract`       | `class MyContract extends OP_NET`         | Base class inheritance      |
-| `constructor()`             | `onDeployment(calldata)`                  | Runs once at deployment     |
-| `msg.sender`                | `Blockchain.tx.sender`                    | Immediate caller            |
-| `tx.origin`                 | `Blockchain.tx.origin`                    | Original transaction signer |
-| `block.number`              | `Blockchain.block.number`                 | Current block height        |
-| `mapping(address => uint)`  | `AddressMemoryMap` + `StoredU256`         | Pointer-based storage       |
-| `emit Transfer(...)`        | `this.emitEvent(new TransferEvent(...))`  | Event emission              |
-| `ERC20`                     | `OP20`                                    | Fungible token standard     |
-| `ERC721`                    | `OP721`                                   | Non-fungible token standard |
-| `uint256`                   | `u256`                                    | 256-bit unsigned integer    |
-| `require(condition, "msg")` | `if (!condition) throw new Revert("msg")` | Error handling              |
-| `modifier onlyOwner`        | `this.onlyDeployer(sender)`               | Access control              |
+## Solidity Comparison
+| Solidity/EVM                | OPNet/btc-runtime                         |
+|-----------------------------|-------------------------------------------|
+| `contract MyContract`       | `class MyContract extends OP_NET`         |
+| `constructor()`             | `onDeployment(calldata)`                  |
+| `msg.sender`                | `Blockchain.tx.sender`                    |
+| `tx.origin`                 | `Blockchain.tx.origin`                    |
+| `block.number`              | `Blockchain.block.number`                 |
+| `mapping(address => uint)`  | `AddressMemoryMap` + `StoredU256`         |
+| `emit Transfer(...)`        | `this.emitEvent(new TransferEvent(...))` |
+| `ERC20`                     | `OP20`                                    |
+| `ERC721`                    | `OP721`                                   |
+| `require(condition, "msg")` | `if (!condition) throw new Revert("msg")` |
 ## Documentation
-Comprehensive documentation is available in the [docs/](./docs/) directory:
-### Getting Started
-- [Installation](./docs/getting-started/installation.md) - Setup and configuration
-- [First Contract](./docs/getting-started/first-contract.md) - Step-by-step tutorial
-- [Project Structure](./docs/getting-started/project-structure.md) - Directory layout
-### Core Concepts
-- [Blockchain Environment](./docs/core-concepts/blockchain-environment.md) - Runtime context
-- [Storage System](./docs/core-concepts/storage-system.md) - How data persistence works
-- [Pointers](./docs/core-concepts/pointers.md) - Storage key management
-- [Events](./docs/core-concepts/events.md) - State change notifications
-- [Security](./docs/core-concepts/security.md) - Protection mechanisms
+Documentation is available in [docs/](./docs/):
-### Contract Standards
-- [OP_NET Base](./docs/contracts/op-net-base.md) - Abstract contract class
-- [OP20 Token](./docs/contracts/op20-token.md) - Fungible token standard
-- [OP20S Signatures](./docs/contracts/op20s-signatures.md) - Gasless approvals
-- [OP721 NFT](./docs/contracts/op721-nft.md) - Non-fungible tokens
-- [ReentrancyGuard](./docs/contracts/reentrancy-guard.md) - Reentrancy protection
-### Types & Utilities
-- [Address](./docs/types/address.md) - 32-byte address handling
-- [SafeMath](./docs/types/safe-math.md) - Overflow-safe arithmetic
-- [Calldata](./docs/types/calldata.md) - Input parsing
-- [BytesWriter/Reader](./docs/types/bytes-writer-reader.md) - Serialization
-### Storage Types
-- [Stored Primitives](./docs/storage/stored-primitives.md) - Basic value storage
-- [Stored Arrays](./docs/storage/stored-arrays.md) - Array storage
-- [Stored Maps](./docs/storage/stored-maps.md) - Key-value storage
-- [Memory Maps](./docs/storage/memory-maps.md) - In-memory mappings
-### Advanced Topics
-- [Cross-Contract Calls](./docs/advanced/cross-contract-calls.md) - Inter-contract communication
-- [Signature Verification](./docs/advanced/signature-verification.md) - Cryptographic operations
-- [Quantum Resistance](./docs/advanced/quantum-resistance.md) - ML-DSA support
-- [Bitcoin Scripts](./docs/advanced/bitcoin-scripts.md) - Script building
-- [Plugins](./docs/advanced/plugins.md) - Extending functionality
-### Examples
-- [Basic Token](./docs/examples/basic-token.md) - Simple OP20 implementation
-- [NFT with Reservations](./docs/examples/nft-with-reservations.md) - Advanced NFT
-- [Stablecoin](./docs/examples/stablecoin.md) - Role-based token
-- [Oracle Integration](./docs/examples/oracle-integration.md) - Price feeds
-### API Reference
-- [Blockchain](./docs/api-reference/blockchain.md) - Environment methods
-- [OP20](./docs/api-reference/op20.md) - Token standard API
-- [OP721](./docs/api-reference/op721.md) - NFT standard API
-- [SafeMath](./docs/api-reference/safe-math.md) - Math operations
-- [Storage](./docs/api-reference/storage.md) - Storage classes
-- [Events](./docs/api-reference/events.md) - Event classes
+- **Getting Started**: [Installation](./docs/getting-started/installation.md), [First Contract](./docs/getting-started/first-contract.md), [Project Structure](./docs/getting-started/project-structure.md)
+- **Core Concepts**: [Blockchain Environment](./docs/core-concepts/blockchain-environment.md), [Storage System](./docs/core-concepts/storage-system.md), [Pointers](./docs/core-concepts/pointers.md), [Events](./docs/core-concepts/events.md), [Security](./docs/core-concepts/security.md)
+- **Contract Standards**: [OP_NET Base](./docs/contracts/op-net-base.md), [OP20](./docs/contracts/op20-token.md), [OP20S](./docs/contracts/op20s-signatures.md), [OP721](./docs/contracts/op721-nft.md)
+- **Storage Types**: [Stored Primitives](./docs/storage/stored-primitives.md), [Stored Arrays](./docs/storage/stored-arrays.md), [Stored Maps](./docs/storage/stored-maps.md), [Memory Maps](./docs/storage/memory-maps.md)
+- **Advanced**: [Cross-Contract Calls](./docs/advanced/cross-contract-calls.md), [Signature Verification](./docs/advanced/signature-verification.md), [Quantum Resistance](./docs/advanced/quantum-resistance.md)
 ## Running Tests
 ```bash
-# Run all tests with verbose output
 npm test
-# Run tests with summary only
-npm run test:ci
 ```
-## Project Structure
-```
-btc-runtime/
-├── runtime/                    # Core runtime library
-│   ├── contracts/              # Contract base classes (OP_NET, OP20, OP721)
-│   ├── storage/                # Storage types (Stored*, Maps)
-│   ├── math/                   # SafeMath operations
-│   ├── types/                  # Core types (Address, Calldata)
-│   ├── events/                 # Event system
-│   └── env/                    # Blockchain environment
-├── docs/                       # Documentation
-└── tests/                      # Test suite
-```
-## Key Differences from Solidity
-### 1. Constructor Behavior
-```typescript
-// OPNet: Constructor runs EVERY time
-export class MyContract extends OP_NET {
-    constructor() {
-        super();
-        // DON'T put initialization here - it runs on every call!
-    }
-    // Use this for one-time initialization (like Solidity constructor)
-    public override onDeployment(calldata: Calldata): void {
-        // Initialize storage here
-    }
-}
-```
-### 2. Storage is Explicit
-```typescript
-// Solidity: Implicit storage
-// mapping(address => uint256) balances;
-// OPNet: Explicit pointer allocation
-class Test {
-    private balancePointer: u16 = Blockchain.nextPointer;
-    private balances: AddressMemoryMap<Address, StoredU256> = new AddressMemoryMap(
-        this.balancePointer,
-        u256.Zero
-    );
-}
-```
-### 3. Integer Types
-```typescript
-// OPNet uses u256 from as-bignum (NOT native BigInt)
-import { u256 } from '@btc-vision/as-bignum/assembly';
-const a = u256.from(100);
-const b = u256.from(50);
-const sum = SafeMath.add(a, b);  // Always use SafeMath!
-```
-### 4. No Floating Point
-```typescript
-// WRONG - Non-deterministic!
-// const price: f64 = 1.5;
+## Contributing
-// CORRECT - Fixed-point with integers
-const PRECISION: u256 = u256.fromU64(1_000_000); // 6 decimals
-const price: u256 = SafeMath.mul(amount, PRECISION);
-```
+1. Fork the repository
+2. Create a feature branch
+3. Make your changes
+4. Run tests: `npm test`
+5. Submit a pull request
-## Contributing
+See the [pull request template](./.github/PULL_REQUEST_TEMPLATE.md) for requirements.
-Contributions are welcome! Please ensure all tests pass before submitting a pull request.
+## Reporting Issues
-```bash
-npm test
-```
+- **Bugs**: Use the [bug report template](https://github.com/btc-vision/btc-runtime/issues/new?template=bug_report.yml)
+- **Security**: See [SECURITY.md](./SECURITY.md) - do not open public issues for vulnerabilities
 ## License
-This project is licensed under the Apache-2.0 License. See [LICENSE](./LICENSE) for details.
+[Apache-2.0](./LICENSE)
 ## Links
-- **Website**: [OPNet](https://opnet.org)
-- **Documentation**: [docs/](./docs/)
-- **Security**: [SECURITY.md](./SECURITY.md)
-- **GitHub**: [btc-vision/btc-runtime](https://github.com/btc-vision/btc-runtime)
-- **Issues**: [GitHub Issues](https://github.com/btc-vision/btc-runtime/issues)
-- **Auditor**: [Verichains](https://verichains.io)
+- [OPNet](https://opnet.org)
+- [Documentation](./docs/)
+- [GitHub](https://github.com/btc-vision/btc-runtime)
+- [npm](https://www.npmjs.com/package/@btc-vision/btc-runtime)
+- [Verichains](https://verichains.io)

package/SECURITY.md CHANGED Viewed

@@ -2,225 +2,72 @@
 <p align="center">
   <a href="https://verichains.io">
-    <img src="https://raw.githubusercontent.com/btc-vision/contract-logo/refs/heads/main/public-assets/verichains.png" alt="Verichains" width="300"/>
+    <img src="https://raw.githubusercontent.com/btc-vision/contract-logo/refs/heads/main/public-assets/verichains.png" alt="Verichains" width="150"/>
   </a>
 </p>
 <p align="center">
   <a href="https://verichains.io">
-    <img src="https://img.shields.io/badge/Security%20Audit-Verichains-4C35E0?style=for-the-badge&logo=data:image/svg+xml;base64,PHN2ZyB3aWR0aD0iMjQiIGhlaWdodD0iMjQiIHZpZXdCb3g9IjAgMCAyNCAyNCIgZmlsbD0ibm9uZSIgeG1sbnM9Imh0dHA6Ly93d3cudzMub3JnLzIwMDAvc3ZnIj48cGF0aCBkPSJNMTIgMkw0IDV2Ni41YzAgNS4yNSAzLjQgMTAuMiA4IDExLjUgNC42LTEuMyA4LTYuMjUgOC0xMS41VjVsLTgtM3ptMCAxMC45OVYxOS41Yy0zLjQ1LTEuMTctNS45My00LjgtNi02LjVWNi4zTDEyIDRsMCA4Ljk5eiIgZmlsbD0id2hpdGUiLz48L3N2Zz4=" alt="Audited by Verichains"/>
+    <img src="https://img.shields.io/badge/Security%20Audit-Verichains-4C35E0?style=for-the-badge" alt="Audited by Verichains"/>
   </a>
 </p>
-<p align="center">
-  <strong>Professionally Audited by <a href="https://verichains.io">Verichains</a></strong>
-</p>
 ## Audit Status
-| Aspect                    | Status                              |
-|---------------------------|-------------------------------------|
-| **Auditor**               | [Verichains](https://verichains.io) |
-| **Audit Date**            | 2025                                |
-| **Report Status**         | Pending Publication                 |
-| **Severity Issues Found** | All resolved                        |
-## About the Audit
-The OPNet Smart Contract Runtime has undergone a comprehensive security audit by [Verichains](https://verichains.io), a
-leading blockchain security firm with extensive experience in:
-- Smart contract security audits
-- Blockchain protocol assessments
-- Cryptographic implementation reviews
-- WebAssembly security analysis
-## Audit Scope
-The security audit covered all core components of the btc-runtime:
-### Contract Standards
-- [x] **OP_NET Base Contract** - Abstract contract class, lifecycle hooks, method dispatching
-- [x] **OP20 Token Standard** - Fungible token implementation, transfers, approvals, minting/burning
-- [x] **OP20S Signatures** - Gasless approvals, EIP-712 typed signatures, nonce management
-- [x] **OP721 NFT Standard** - Non-fungible tokens, ownership, enumeration, metadata
-- [x] **ReentrancyGuard** - Reentrancy protection mechanisms (STANDARD and CALLBACK modes)
-### Storage System
-- [x] **Pointer Architecture** - u16 primary pointers, u256 sub-pointers, SHA256 key hashing
-- [x] **Persistent Storage** - StoredU256, StoredString, StoredAddress, StoredBoolean
-- [x] **Array Storage** - StoredU256Array through StoredU8Array, bounds checking
-- [x] **Map Storage** - StoredMapU256, AddressMemoryMap, MapOfMap nested structures
-### Cryptographic Operations
-- [x] **Signature Verification** - Schnorr signatures, ML-DSA quantum-resistant signatures
-- [x] **Hash Functions** - SHA256, double SHA256 (hash256)
-- [x] **EIP-712 Domain Separator** - Typed data signing, replay protection
-- [x] **Address Derivation** - P2TR, P2WSH, P2WPKH address generation
-### Security Mechanisms
-- [x] **SafeMath Operations** - Overflow/underflow protection for u256, u128, u64
-- [x] **Access Control** - onlyDeployer patterns, role-based authorization
-- [x] **Input Validation** - Calldata parsing, bounds checking, type verification
-- [x] **Event System** - 352-byte limit enforcement, proper encoding
-### Bitcoin Integration
-- [x] **Transaction Parsing** - Input/output decoding, script parsing
-- [x] **Address Validation** - Bitcoin address format verification
-- [x] **Script Building** - Opcodes, CSV timelocks, witness structures
-- [x] **Network Configuration** - Mainnet/testnet handling
+| Component          | Status  | Auditor                               |
+|--------------------|---------|---------------------------------------|
+| btc-runtime   | Audited | [Verichains](https://verichains.io)   |
 ## Supported Versions
-| Version | Supported              |
-|---------|------------------------|
-| 1.10.x  | ✅ Current              |
-| 1.9.x   | ⚠️ Upgrade recommended |
-| < 1.9.0 | ❌ Not supported        |
-## Security Best Practices
-When developing contracts with btc-runtime, follow these guidelines:
-### Use SafeMath for All Arithmetic
-```typescript
-import { SafeMath } from '@btc-vision/btc-runtime/runtime';
-// CORRECT: Use SafeMath
-const total = SafeMath.add(balance, amount);
-const remaining = SafeMath.sub(balance, amount);
-// WRONG: Direct arithmetic can overflow silently
-// const total = balance + amount;  // DON'T DO THIS
-```
-### Always Validate Inputs
-```typescript
-class Test extends OP_NET {
-    public transfer(calldata: Calldata): BytesWriter {
-        const to = calldata.readAddress();
-        const amount = calldata.readU256();
-        // Validate recipient is not zero address
-        if (to.equals(Address.zero())) {
-            throw new Revert('Cannot transfer to zero address');
-        }
-        // Validate amount is positive
-        if (amount.isZero()) {
-            throw new Revert('Amount must be greater than zero');
-        }
-        // ... proceed with transfer
-    }
-}
-```
-### Use Reentrancy Guards
-```typescript
-import { ReentrancyGuard, ReentrancyGuardMode } from '@btc-vision/btc-runtime/runtime';
-@final
-export class MyContract extends ReentrancyGuard {
-    constructor() {
-        // Use CALLBACK mode for contracts with safe transfer callbacks
-        super(ReentrancyGuardMode.CALLBACK);
-    }
-}
-```
-### Implement Access Control
-```typescript
-// Check deployer authorization
-this.onlyDeployer(Blockchain.tx.sender);
-// Custom role checks
-class Test {
-    private onlyAdmin(): void {
-        if (!this.isAdmin(Blockchain.tx.sender)) {
-            throw new Revert('Caller is not admin');
-        }
-    }
-}
-```
-### Handle Cross-Contract Calls Safely
-```typescript
-const result = Blockchain.call(targetContract, calldata, true);
-if (!result.success) {
-    throw new Revert('External call failed');
-}
-// Parse and validate response
-const response = result.data;
-```
-### Never Use Floating-Point Arithmetic
-```typescript
-// WRONG: Floating-point is non-deterministic
-// const price = 1.5;  // DON'T USE FLOATS
-// CORRECT: Use fixed-point with integers
-const PRECISION = u256.fromU64(1_000_000); // 6 decimals
-const price = SafeMath.mul(amount, PRECISION);
-```
+| Version | Status             |
+|---------|--------------------|
+| 1.11.x  | Supported          |
+| < 1.10 | Not supported      |
 ## Reporting a Vulnerability
-We take security vulnerabilities seriously. If you discover a security issue, please report it responsibly.
-### How to Report
-1. **DO NOT** open a public GitHub issue for security vulnerabilities
-2. Report via [GitHub Security Advisories](https://github.com/btc-vision/btc-runtime/security/advisories)
-3. Include detailed steps to reproduce the vulnerability
-4. Allow reasonable time for a fix before public disclosure
+**DO NOT** open a public GitHub issue for security vulnerabilities.
-### What to Include
+Report vulnerabilities through [GitHub Security Advisories](https://github.com/btc-vision/btc-runtime/security/advisories/new).
+Include:
 - Description of the vulnerability
-- Affected component(s) and version(s)
+- Affected version(s)
 - Steps to reproduce
-- Potential impact assessment
+- Potential impact
 - Suggested fix (if any)
-- Proof of concept (if applicable)
 ### Response Timeline
-| Action                     | Timeframe           |
-|----------------------------|---------------------|
-| Initial response           | 48 hours            |
-| Vulnerability confirmation | 7 days              |
-| Patch development          | 14-30 days          |
-| Public disclosure          | After patch release |
+| Action                   | Timeframe         |
+|--------------------------|-------------------|
+| Initial response         | 48 hours          |
+| Vulnerability assessment | 7 days            |
+| Patch development        | 14-30 days        |
+| Public disclosure        | After patch       |
-## Audit Report
+## Security Scope
-The full audit report from Verichains will be published here upon completion of the disclosure process.
+### In Scope
-📄 **[Audit Report - Coming Soon]**
+- Contract standards (OP_NET, OP20, OP721, OP20S)
+- Storage system (pointers, maps, arrays)
+- Cryptographic operations (Schnorr, ML-DSA, SHA256)
+- SafeMath operations
+- Reentrancy guards
+- Access control mechanisms
+- Event system
+- Cross-contract calls
-## Contact
+### Out of Scope
-- **Security Issues**: [GitHub Security Advisories](https://github.com/btc-vision/btc-runtime/security/advisories)
-- **General Questions**: [GitHub Issues](https://github.com/btc-vision/btc-runtime/issues)
-- **Website**: [OPNet](https://opnet.org)
-- **Auditor**: [Verichains](https://verichains.io)
+- Third-party dependencies (report to respective maintainers)
+- User contract logic errors
+- Issues in development/test environments only
----
+## Contact
-<p align="center">
-  <sub>Security is a continuous process. This document will be updated as new audits are completed.</sub>
-</p>
+- **Security Issues**: [GitHub Security Advisories](https://github.com/btc-vision/btc-runtime/security/advisories)
+- **General Issues**: [GitHub Issues](https://github.com/btc-vision/btc-runtime/issues)
+- **Website**: [opnet.org](https://opnet.org)