Skip to content

Security: lopezpalacios/paycodex-factory

Security

SECURITY.md

Security policy

Supported versions

Latest main branch only. This is reference / educational code; do not deploy unaudited contracts to production with real customer funds.

Reporting a vulnerability

Open a private security advisory on GitHub: https://github.com/lopezpalacios/paycodex-factory/security/advisories/new

Please do not disclose publicly until a patch lands. Acknowledgment within 48h, status update within 7d.

Audit status

  • This repo: not audited. Contracts are simplified for documentation / demonstration of cash-management patterns on EVM.
  • Production use requires:
    • Independent audit (recommend: Trail of Bits, OpenZeppelin, Quantstamp, Sigma Prime, Spearbit)
    • Mainnet deployment via Safe-style multi-sig
    • Pause / upgrade governance with timelock
    • Monitoring (Tenderly / OpenZeppelin Defender / Forta)
    • Incident response plan + on-call rotation

Threat model (high level)

  • Reentrancy: covered via Checks-Effects-Interactions in all stateful contracts
  • Integer overflow: Solidity 0.8.27 default reverts; unchecked only where proven safe
  • Access control: AccessControl roles where multi-actor; Ownable where single-actor
  • Front-running / MEV: applicable to FxSwap (use private mempool / commit-reveal in production)
  • Oracle manipulation: ConditionalPayment + ESGLinkedLoan rely on trusted oracle (use Chainlink + multi-source in production)
  • Flash loan attacks: SCFFlow / Repo could be exposed; cap risk via collateral haircuts in production

Disclosure timeline target

Severity Acknowledge Patch Public disclosure
Critical 24h 48h After patch + coordinated
High 48h 7d After patch + coordinated
Medium 7d 30d After patch
Low 14d 90d At reporter discretion

There aren't any published security advisories