Latest main branch only. This is reference / educational code; do not deploy unaudited contracts to production with real customer funds.
Open a private security advisory on GitHub: https://github.com/lopezpalacios/paycodex-factory/security/advisories/new
Please do not disclose publicly until a patch lands. Acknowledgment within 48h, status update within 7d.
- This repo: not audited. Contracts are simplified for documentation / demonstration of cash-management patterns on EVM.
- Production use requires:
- Independent audit (recommend: Trail of Bits, OpenZeppelin, Quantstamp, Sigma Prime, Spearbit)
- Mainnet deployment via Safe-style multi-sig
- Pause / upgrade governance with timelock
- Monitoring (Tenderly / OpenZeppelin Defender / Forta)
- Incident response plan + on-call rotation
- Reentrancy: covered via Checks-Effects-Interactions in all stateful contracts
- Integer overflow: Solidity 0.8.27 default reverts;
uncheckedonly where proven safe - Access control: AccessControl roles where multi-actor; Ownable where single-actor
- Front-running / MEV: applicable to FxSwap (use private mempool / commit-reveal in production)
- Oracle manipulation: ConditionalPayment + ESGLinkedLoan rely on trusted oracle (use Chainlink + multi-source in production)
- Flash loan attacks: SCFFlow / Repo could be exposed; cap risk via collateral haircuts in production
| Severity | Acknowledge | Patch | Public disclosure |
|---|---|---|---|
| Critical | 24h | 48h | After patch + coordinated |
| High | 48h | 7d | After patch + coordinated |
| Medium | 7d | 30d | After patch |
| Low | 14d | 90d | At reporter discretion |