openintentsframework · luiz-lvj · Feb 18, 2026 · Feb 16, 2026 · Feb 16, 2026 · Feb 18, 2026
diff --git a/SECURITY.md b/SECURITY.md
@@ -0,0 +1,5 @@
+# Security Policy
+
+Security vulnerabilities should be disclosed to the project maintainers by email to security@openzeppelin.com.
+
+
diff --git a/src/contracts/block-hash-pusher/BaseBuffer.sol b/src/contracts/block-hash-pusher/BaseBuffer.sol
@@ -11,6 +11,7 @@ import {IBuffer} from "./interfaces/IBuffer.sol";
 ///      a sliding window of block hashes without requiring contiguous block numbers.
 /// @dev Concrete implementations should override `receiveHashes` to add chain-specific access control.
 /// @notice Inspired by: https://github.com/OffchainLabs/block-hash-pusher/blob/main/contracts/Buffer.sol
+/// @custom:security-contact security@openzeppelin.com
 abstract contract BaseBuffer is IBuffer {
     /// @dev The size of the circular buffer.
     /// @dev For a parent chain with a block time of 12s (Ethereum), this is equivalent to roughly 54 days of history.

diff --git a/src/contracts/block-hash-pusher/BlockHashArrayBuilder.sol b/src/contracts/block-hash-pusher/BlockHashArrayBuilder.sol
@@ -10,6 +10,7 @@ import {Blockhash} from "@openzeppelin/contracts/utils/Blockhash.sol";
 ///      that can be pushed to a buffer contract on a child chain. Concrete implementations should
 ///      override `pushHashes` to implement chain-specific cross-chain messaging mechanisms.
 /// @notice Inspired by: https://github.com/OffchainLabs/block-hash-pusher/blob/main/contracts/Pusher.sol
+/// @custom:security-contact security@openzeppelin.com
 abstract contract BlockHashArrayBuilder {
     /// @notice Thrown when the block number is invalid
     error InvalidBlockNumber(uint256 blockNumber);

diff --git a/src/contracts/block-hash-pusher/interfaces/IBuffer.sol b/src/contracts/block-hash-pusher/interfaces/IBuffer.sol
@@ -6,6 +6,7 @@ pragma solidity ^0.8.28;
 ///         Once a block X is included in the buffer, it will remain available
 ///         until another block X+M*bufferSize is pushed, where M is a positive integer.
 /// @notice Inspired by: https://github.com/OffchainLabs/block-hash-pusher/blob/main/contracts/interfaces/IBuffer.sol
+/// @custom:security-contact security@openzeppelin.com
 interface IBuffer {
     /// @notice Emitted when the buffer is pushed to.
     /// @param  firstBlockNumber The block number of the first block in the batch.

diff --git a/src/contracts/block-hash-pusher/interfaces/IPusher.sol b/src/contracts/block-hash-pusher/interfaces/IPusher.sol
@@ -6,6 +6,7 @@ pragma solidity 0.8.30;
 ///         - Building arrays of recent block hashes from the parent chain
 ///         - Sending these hashes to a buffer contract on the child chain via chain-specific cross-chain messaging
 /// @notice Inspired by: https://github.com/OffchainLabs/block-hash-pusher/blob/main/contracts/interfaces/IPusher.sol
+/// @custom:security-contact security@openzeppelin.com
 interface IPusher {
     /// @notice Emitted when block hashes are pushed to the buffer.
     /// @param  firstBlockNumber The block number of the first block in the batch.

diff --git a/src/contracts/block-hash-pusher/linea/LineaBuffer.sol b/src/contracts/block-hash-pusher/linea/LineaBuffer.sol
@@ -13,6 +13,7 @@ import {IMessageService} from "@linea-contracts/messaging/interfaces/IMessageSer
 ///      In order to do this, anyone is able to claim the message on the message service contract on L2.
 ///      Currently Linea runs a postman service that claims messages on L2, but this might not happen for more expensive messages and
 ///      users might need to claim the messages themselves in those cases.
+/// @custom:security-contact security@openzeppelin.com
 contract LineaBuffer is BaseBuffer {
     /// @dev The address of the L2MessageService contract on L2.
     address private immutable _l2MessageService;

diff --git a/src/contracts/block-hash-pusher/linea/LineaPusher.sol b/src/contracts/block-hash-pusher/linea/LineaPusher.sol
@@ -11,6 +11,7 @@ import {IMessageService} from "@linea-contracts/messaging/interfaces/IMessageSer
 /// @dev This contract sends block hashes from Ethereum L1 to a LineaBuffer contract on Linea L2
 ///      via the Linea MessageService's `sendMessage` function. The pusher must be configured
 ///      with the correct rollup address.
+/// @custom:security-contact security@openzeppelin.com
 contract LineaPusher is BlockHashArrayBuilder, IPusher {
     /// @dev The address of the Linea Rollup contract on L1.
     address private immutable _lineaRollup;

diff --git a/src/contracts/block-hash-pusher/scroll/ScrollBuffer.sol b/src/contracts/block-hash-pusher/scroll/ScrollBuffer.sol
@@ -10,6 +10,7 @@ import {IL2ScrollMessenger} from "@scroll-tech/scroll-contracts/L2/IL2ScrollMess
 /// @dev This contract extends BaseBuffer with access control specific to Scroll's L1->L2 messaging.
 ///      The pusher address on L1 must send the message via L1ScrollMessenger to the buffer address on L2.
 ///      The L2ScrollMessenger contract on L2 is responsible for relaying the message to the buffer contract on L2.
+/// @custom:security-contact security@openzeppelin.com
 contract ScrollBuffer is BaseBuffer {
     /// @dev The address of the L2ScrollMessenger contract on L2.
     address private immutable _l2ScrollMessenger;

diff --git a/src/contracts/block-hash-pusher/scroll/ScrollPusher.sol b/src/contracts/block-hash-pusher/scroll/ScrollPusher.sol
@@ -11,6 +11,7 @@ import {IL1ScrollMessenger} from "@scroll-tech/scroll-contracts/L1/IL1ScrollMess
 /// @dev This contract sends block hashes from Ethereum L1 to a ScrollBuffer contract on Scroll L2
 ///      via the Scroll L1ScrollMessenger's `sendMessage` function. The pusher must be configured
 ///      with the correct L1ScrollMessenger address.
+/// @custom:security-contact security@openzeppelin.com
 contract ScrollPusher is BlockHashArrayBuilder, IPusher {
     /// @dev The address of the Scroll L1ScrollMessenger contract on L1.
     address private immutable _l1ScrollMessenger;

diff --git a/src/contracts/block-hash-pusher/zksync/ZkSyncBuffer.sol b/src/contracts/block-hash-pusher/zksync/ZkSyncBuffer.sol
@@ -10,6 +10,7 @@ import {IBuffer} from "../interfaces/IBuffer.sol";
 /// @dev This contract extends BaseBuffer with access control specific to ZkSync's L1->L2 messaging.
 ///      When a message is sent from L1 to L2 via ZkSync's Mailbox, the sender address is aliased.
 ///      The buffer only accepts hash pushes from the aliased pusher address.
+/// @custom:security-contact security@openzeppelin.com
 contract ZkSyncBuffer is BaseBuffer {
     /// @dev The address of the pusher contract on L1.
     address private immutable _pusher;

diff --git a/src/contracts/block-hash-pusher/zksync/ZkSyncPusher.sol b/src/contracts/block-hash-pusher/zksync/ZkSyncPusher.sol
@@ -6,6 +6,7 @@ import {IBuffer} from "../interfaces/IBuffer.sol";
 import {IPusher} from "../interfaces/IPusher.sol";
 
 /// @notice Interface for the ZkSync Mailbox contract used to send L1->L2 messages.
+/// Source: https://github.com/matter-labs/era-contracts/blob/33fbd0d832d15da150dcc7ec8032660980caa692/l1-contracts/contracts/state-transition/chain-interfaces/IMailboxImpl.sol#L88
 interface IMailbox {
     function requestL2Transaction(
         address _contractL2,
@@ -23,6 +24,7 @@ interface IMailbox {
 /// @dev This contract sends block hashes from Ethereum L1 to a ZkSyncBuffer contract on ZkSync Era L2
 ///      via the ZkSync Mailbox's `requestL2Transaction` function. The pusher must be configured
 ///      with the correct ZkSync Diamond proxy address.
+/// @custom:security-contact security@openzeppelin.com
 contract ZkSyncPusher is BlockHashArrayBuilder, IPusher {
     /// @dev The address of the ZkSync Diamond proxy contract on L1.
     address private immutable _zkSyncDiamond;
Original file line number	Diff line number	Diff line change
		@@ -0,0 +1,5 @@
		# Security Policy

		Security vulnerabilities should be disclosed to the project maintainers by email to security@openzeppelin.com.