Security & Crypto
Security Posture
What protects your money at each layer — and the exact status of each guarantee. Everything here is verifiable: the code is open-source, settlements are on public chains, and the parts that are still pending are labeled pending.
Non-custodial by construction
Furlpay never holds user funds in the payment path. x402 and gasless transfers move value with EIP-3009 transferWithAuthorization — the signed message itself fixes the payer, recipient, and amount, and the token contract re-verifies the signature on-chain. Our relayer pays gas; it cannot redirect a cent. CCTP bundles and LI.FI swaps are built server-side but signed and submitted by the client.
- LIVE EIP-712 signature recovery (ECDSA + ERC-1271 smart wallets), fail-closed.
- LIVE Atomic cross-instance replay protection (Redis SET NX on every EIP-3009 nonce).
- LIVE Amount-scaled confirmation depth before any resource is released.
- LIVE Fabricated-settlement guard: production refuses to run money paths in mock mode.
Authentication
- WebAuthn / FIDO2 passkeys — phishing-resistant, hardware-backed where the device provides it. The Relying Party ID comes from server configuration, never the
Hostheader. - Step-up TOTP for privileged operations; MFA state writable only through the dedicated MFA route (mass-assignment is rejected schema-level).
- Sessions are short-lived signed JWTs in
HttpOnlycookies; roles resolve from the user record on every request, and admin is pinned to a single founder account in production.
Money controls
- Hard per-transaction caps on every execution rail (swaps, CCTP, gasless transfers), enforced server-side.
- An ops control plane that can pause any rail — the pause is enforced at the route, not decorative.
- An append-only event ledger (Postgres triggers block update/delete) recording every settlement and every rejected attack: replays, bad signatures, tampered quotes, over-limit attempts.
- Agent spending is governed by user-signed mandates — an agent cannot widen its own permissions.
Continuous security pipeline
Every pull request runs:
- Slither + Semgrep over the Solidity contracts.
- CodeQL over the application code.
- gitleaks secret scanning.
- Dependabot with a reasoned allowlist —
npm audit fix --forceis banned by policy.
External audits
Current status — stated plainly
X402Facilitator.sol and related) are not yet externally audited. Mainnet deployment of the contracts is paused until an audit engagement completes, and the live settlement path runs with conservative per-transaction caps. When reports are published they will be linked on this page. Internal review, the CI pipeline above, and adversarial end-to-end tests (replay, bad-signature, pending-settlement recovery) are in place today.Responsible disclosure
Found something? We run a coordinated disclosure program with safe harbor — see the responsible disclosure policy or email security@furlpay.com.
Verify it yourself
| Method | Path | Description |
|---|---|---|
| GET | /api/rails | Live status of every payment rail |
| GET | /api/x402/settlement/{tx} | Independently confirm any settlement on-chain |
| GET | /.well-known/security.txt | Security contact + policy |
The application is open-source at github.com/FurlPay — every claim above can be checked against the code.