This is the public repository (arc-pay-public) containing:
- Smart contracts (audit-ready)
- Public backend core (demo/audit mode only)
- Frontend integration
The private repository contains production backend with real settlement, custody, and CCTP bridging logic.
If you discover a security vulnerability, please report it to: security@arcpaykit.com
Please do NOT open a public GitHub issue for security vulnerabilities.
- Description of the vulnerability
- Steps to reproduce
- Potential impact
- Suggested fix (if any)
- Initial Response: Within 48 hours
- Status Update: Within 7 days
- Resolution: Depends on severity and complexity
✅ Smart Contracts
InvoicePaymentProof.solMerchantBadge.solPaymentRegistry.sol
✅ Public Backend Core
- Request validation (Zod schemas)
- Type definitions
- Public API endpoints (demo mode)
- Error handling
✅ Frontend
- Client-side validation
- Wallet connection security
- API key handling
❌ Private Backend Modules
- Settlement service (private repository)
- CCTP bridging implementation (private repository)
- Payout processing (private repository)
- Circle integration (private repository)
- Production API keys and secrets
- Infrastructure configuration
❌ Production Environment
- Production database
- Production API endpoints
- Real on-chain transactions
- Real custody operations
-
Smart Contract Vulnerabilities
- Reentrancy attacks
- Access control bypass
- Integer overflow/underflow
- Front-running
-
Frontend Security
- XSS (Cross-Site Scripting)
- CSRF (Cross-Site Request Forgery)
- API key leakage
- Wallet private key exposure
-
Backend Security (Public Core Only)
- Input validation bypass
- Rate limiting bypass
- SQL injection (if using raw queries)
- Authentication bypass
- Smart Contracts: OpenZeppelin libraries, access control, write-once patterns
- Frontend: React best practices, input sanitization, secure wallet integration
- Backend: Zod validation, rate limiting, API key authentication
- No Real Settlement: All settlement operations are stubbed
- No Real CCTP: CCTP bridging is not implemented
- No Real Custody: No funds are held or transferred
- Demo Mode Only: Server requires
ARCPAY_PUBLIC_DEMO_MODE=true
- InvoicePaymentProof: Requires owner to record proofs (centralized control)
- MerchantBadge: Allows self-minting (merchants can mint their own badges)
- PaymentRegistry: No access control (anyone can emit events)
- Never commit secrets to the public repository
- Use demo mode when running the public repository
- Validate all inputs using Zod schemas
- Use rate limiting on public endpoints
- Keep dependencies updated and audit regularly
- Focus on smart contract logic and access control
- Review public API endpoints for validation issues
- Check frontend for XSS/CSRF vulnerabilities
- Verify demo mode guards are in place
We follow responsible disclosure:
- Report vulnerability privately
- We acknowledge and investigate
- We develop and test a fix
- We deploy the fix
- We publicly disclose (if appropriate)
We will credit security researchers who responsibly disclose vulnerabilities (with permission).
Security updates will be:
- Tagged with
[SECURITY]in commit messages - Documented in CHANGELOG.md
- Announced via GitHub releases (if critical)
- Security Email: security@arcpaykit.com
- General Issues: Use GitHub Issues (non-security)
- Documentation: See README.md and ARCHITECTURE.md