docs: add security notes

README.md

@@ -44,35 +44,5 @@ The exact cycle consumptions will slightly vary from one signature to another, a
 
 In general, the `s` variants take longer to generate a signature, but takes less cycles to verify. The `f` variants are fast in signature generation but takes longer cycles to verify.
 
-## Tool (Deprecated)
-
-**NOTE**: the following tool shall be considered deprecated, and only kept here for historic reasons.
-
-This tool is to **convert a default Lock(SECP256K1/blake160) to quantum resistant lock script.**.
-
-Follow steps below:
-
-1. compile.
-
-   By default, sphincsplus_lock file's size is about 85K bytes.
-2. Deploy the compiled contract to the test network.
-   </br>
-   We use [ckb-cli](https://github.com/nervosnetwork/ckb-cli) to deploy this contract, You can refer to [here](https://github.com/nervosnetwork/ckb-cli/wiki/Handle-Complex-Transaction#a-demo).
-   * After the execution is successful, it is recommended to record the tx-hash to facilitate subsequent operations.
-3. Generate key file.
-   </br>
-   Use this tool: tools/ckb-sphincs-tools.
-   ``` shell
-   cargo run -- gen-key key.json
-   ```
-   We can get a set of key files, including public and private keys.
-   * If the contract you compile does not use the default value, it needs to be the same here.
-   * Need to save this file.
-4. Convert a SECP256K1/blake160 lock script to quantum resistant lock script.
-   ``` shell
-   cargo run -- cc_to_sphincsplus --tx_hash <tx-hash> --tx_index <index> --key_file key.json --prikey <You can use ckb-cli account export>
-   ```
-5. Convert a quantum resistant lock script to SECP256K1/blake160 lock script.
-   ``` shell
-   cargo run -- cc_to_secp --tx_hash <tx-hash> --tx_index <index> --key_file key.json --lock_arg <LOCK-ARG> --sp_tx_hash <SPHINCS+ Script in step 2> --sp_tx_index <index> --fee 10000
-   ```
+### Security Notes
+This project has been audited by [ScaleBit](https://scalebit.xyz/reports/20251216-Quantum-Resistant-Lock-Script-Final-Audit-Report.pdf).

tools/ckb-sphincs-tools/README.md

@@ -0,0 +1,31 @@
+**NOTE**: the following tool shall be considered deprecated, and only kept here for historic reasons.
+
+This tool is to **convert a default Lock(SECP256K1/blake160) to quantum resistant lock script.**.
+
+Follow steps below:
+
+1. compile.
+
+   By default, sphincsplus_lock file's size is about 85K bytes.
+2. Deploy the compiled contract to the test network.
+   </br>
+   We use [ckb-cli](https://github.com/nervosnetwork/ckb-cli) to deploy this contract, You can refer to [here](https://github.com/nervosnetwork/ckb-cli/wiki/Handle-Complex-Transaction#a-demo).
+   * After the execution is successful, it is recommended to record the tx-hash to facilitate subsequent operations.
+3. Generate key file.
+   </br>
+   Use this tool: tools/ckb-sphincs-tools.
+   ``` shell
+   cargo run -- gen-key key.json
+   ```
+   We can get a set of key files, including public and private keys.
+   * If the contract you compile does not use the default value, it needs to be the same here.
+   * Need to save this file.
+4. Convert a SECP256K1/blake160 lock script to quantum resistant lock script.
+   ``` shell
+   cargo run -- cc_to_sphincsplus --tx_hash <tx-hash> --tx_index <index> --key_file key.json --prikey <You can use ckb-cli account export>
+   ```
+5. Convert a quantum resistant lock script to SECP256K1/blake160 lock script.
+   ``` shell
+   cargo run -- cc_to_secp --tx_hash <tx-hash> --tx_index <index> --key_file key.json --lock_arg <LOCK-ARG> --sp_tx_hash <SPHINCS+ Script in step 2> --sp_tx_index <index> --fee 10000
+   ```
+