Furlpay Docs
Open App

Security & Crypto

Security Posture

What protects your money at each layer — and the exact status of each guarantee. Everything here is verifiable: the code is open-source, settlements are on public chains, and the parts that are still pending are labeled pending.

Non-custodial by construction

Furlpay never holds user funds in the payment path. x402 and gasless transfers move value with EIP-3009 transferWithAuthorization — the signed message itself fixes the payer, recipient, and amount, and the token contract re-verifies the signature on-chain. Our relayer pays gas; it cannot redirect a cent. CCTP bundles and LI.FI swaps are built server-side but signed and submitted by the client.

  • LIVE EIP-712 signature recovery (ECDSA + ERC-1271 smart wallets), fail-closed.
  • LIVE Atomic cross-instance replay protection (Redis SET NX on every EIP-3009 nonce).
  • LIVE Amount-scaled confirmation depth before any resource is released.
  • LIVE Fabricated-settlement guard: production refuses to run money paths in mock mode.

Authentication

  • WebAuthn / FIDO2 passkeys — phishing-resistant, hardware-backed where the device provides it. The Relying Party ID comes from server configuration, never the Host header.
  • Step-up TOTP for privileged operations; MFA state writable only through the dedicated MFA route (mass-assignment is rejected schema-level).
  • Sessions are short-lived signed JWTs in HttpOnly cookies; roles resolve from the user record on every request, and admin is pinned to a single founder account in production.

Money controls

  • Hard per-transaction caps on every execution rail (swaps, CCTP, gasless transfers), enforced server-side.
  • An ops control plane that can pause any rail — the pause is enforced at the route, not decorative.
  • An append-only event ledger (Postgres triggers block update/delete) recording every settlement and every rejected attack: replays, bad signatures, tampered quotes, over-limit attempts.
  • Agent spending is governed by user-signed mandates — an agent cannot widen its own permissions.

Continuous security pipeline

Every pull request runs:

  • Slither + Semgrep over the Solidity contracts.
  • CodeQL over the application code.
  • gitleaks secret scanning.
  • Dependabot with a reasoned allowlist — npm audit fix --force is banned by policy.

External audits

Current status — stated plainly

The smart contracts (X402Facilitator.sol and related) are not yet externally audited. Mainnet deployment of the contracts is paused until an audit engagement completes, and the live settlement path runs with conservative per-transaction caps. When reports are published they will be linked on this page. Internal review, the CI pipeline above, and adversarial end-to-end tests (replay, bad-signature, pending-settlement recovery) are in place today.

Responsible disclosure

Found something? We run a coordinated disclosure program with safe harbor — see the responsible disclosure policy or email security@furlpay.com.

Verify it yourself

MethodPathDescription
GET/api/railsLive status of every payment rail
GET/api/x402/settlement/{tx}Independently confirm any settlement on-chain
GET/.well-known/security.txtSecurity contact + policy

The application is open-source at github.com/FurlPay — every claim above can be checked against the code.

Did this page help?
Edit this page on GitHub