Security

Security Overview

How XyncPay protects transactions and the architecture behind it.

Non-Custodial Architecture

XyncPay never holds, controls, or has access to private keys. It never signs or submits transactions. It never custodies or temporarily stores funds. Agents retain full control of their wallets and sign all transactions independently. XyncPay builds unsigned transaction instructions that agents execute on their own.

Smart Contract Security

The FeeSplit smart contract has undergone multiple independent security analyses:

  • Slither static analysis (Trail of Bits): Zero high or medium findings.
  • Hashlock AI Audit: Zero critical or high-severity findings. The one actionable recommendation (adding an emergency pause mechanism) was implemented using OpenZeppelin Pausable, and the contract was redeployed with the fix.
  • Contract source code is verified and publicly viewable on BaseScan.
  • Verified contract: 0x1bd714Fb...e125Cb
  • A professional third-party audit is planned as transaction volume scales.

Emergency Controls

The FeeSplit contract implements OpenZeppelin's Pausable module, providing an owner-controlled emergency stop. If a security issue is detected, the contract owner can halt all payment routing in a single transaction and resume operations once resolved. This follows the circuit breaker pattern recommended for production smart contracts.
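The circuit breaker described above, as an added illustration rather than the deployed FeeSplit source (which is only available on BaseScan): a minimal fee-splitting router built on OpenZeppelin's Ownable and Pausable (v5 import paths). The native-ETH split, the basis-point fee parameter and the contract name are assumptions for the example; the security-relevant part is the `whenNotPaused` modifier on the only money-moving function, so a single `pause()` transaction from the owner reverts every routing call until `unpause()`.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// OpenZeppelin Contracts v5 import paths (Pausable lives under utils/ in v5)
import {Ownable} from "@openzeppelin/contracts/access/Ownable.sol";
import {Pausable} from "@openzeppelin/contracts/utils/Pausable.sol";
import {ReentrancyGuard} from "@openzeppelin/contracts/utils/ReentrancyGuard.sol";

/// @notice Illustrative fee-splitting router with an owner-controlled circuit breaker.
/// @dev Assumed example, not the deployed FeeSplit contract: payee layout and
///      fee parameters are invented for demonstration.
contract PausableFeeSplit is Ownable, Pausable, ReentrancyGuard {
    uint256 public constant BPS_DENOMINATOR = 10_000;
    address public immutable feeRecipient;
    uint256 public immutable feeBps; // assumed platform fee share, in basis points

    event Routed(address indexed payer, address indexed merchant, uint256 merchantAmount, uint256 feeAmount);

    constructor(address feeRecipient_, uint256 feeBps_) Ownable(msg.sender) {
        require(feeRecipient_ != address(0), "fee recipient is zero");
        require(feeBps_ <= BPS_DENOMINATOR, "fee exceeds 100%");
        feeRecipient = feeRecipient_;
        feeBps = feeBps_;
    }

    /// @notice Split msg.value between the merchant and the fee recipient.
    /// @dev whenNotPaused is the circuit breaker: while paused, every call reverts
    ///      before any value moves. nonReentrant guards the two external calls.
    function route(address payable merchant) external payable whenNotPaused nonReentrant {
        require(merchant != address(0), "merchant is zero");
        require(msg.value > 0, "no value sent");

        uint256 fee = (msg.value * feeBps) / BPS_DENOMINATOR;
        uint256 toMerchant = msg.value - fee;

        (bool okMerchant, ) = merchant.call{value: toMerchant}("");
        require(okMerchant, "merchant transfer failed");
        if (fee > 0) {
            (bool okFee, ) = payable(feeRecipient).call{value: fee}("");
            require(okFee, "fee transfer failed");
        }
        emit Routed(msg.sender, merchant, toMerchant, fee);
    }

    /// @notice Emergency stop: halts all routing in one transaction.
    function pause() external onlyOwner {
        _pause();
    }

    /// @notice Resume routing once the issue is resolved.
    function unpause() external onlyOwner {
        _unpause();
    }
}
```

Two properties of this pattern are worth checking in any deployment: the contract holds no balance between calls, so pausing stops new routing without stranding funds, and the owner key becomes a high-value credential because whoever holds it can stop (or restart) payments; in practice that authority is usually given to a multisig or timelock rather than a single externally owned account.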

Authentication

Agent registration uses wallet ownership verification via challenge-response signature (EIP-191 for EVM). Sessions are required for MPP payment flows and optional for x402 and AP2. Solana support with Ed25519 signatures is on the roadmap. XyncPay never sees or stores private keys.
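The EIP-191 challenge-response check described above, written here as an added Solidity example so the message prefix and signature recovery are explicit. It is not XyncPay's code: the service verifies off-chain, and the challenge layout (domain string, nonce, expiry, chain id) is an assumption for the example. Signature recovery uses OpenZeppelin's `ECDSA` and `MessageHashUtils` (v5 paths); the claimed wallet is an input, and registration succeeds only if the recovered signer equals it.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

import {ECDSA} from "@openzeppelin/contracts/utils/cryptography/ECDSA.sol";
import {MessageHashUtils} from "@openzeppelin/contracts/utils/cryptography/MessageHashUtils.sol";

/// @notice Illustrative EIP-191 ("personal_sign") wallet-ownership check.
/// @dev Assumed example: the challenge contents and contract name are invented.
///      Shows the same verification a server performs off-chain.
contract AgentRegistry {
    mapping(address => bool) public registered;
    mapping(bytes32 => bool) public usedNonce; // every challenge is single-use

    event AgentRegistered(address indexed agent);

    /// @dev The challenge the wallet signs. Binding the agent address, chain id
    ///      and this contract's address stops a signature from being replayed
    ///      for another agent, chain or verifier.
    function challengeHash(address agent, bytes32 nonce, uint256 expiry) public view returns (bytes32) {
        return keccak256(
            abi.encodePacked("XyncPay-register:", agent, nonce, expiry, block.chainid, address(this))
        );
    }

    /// @notice Register `agent` if `signature` is its EIP-191 signature over the challenge.
    function register(address agent, bytes32 nonce, uint256 expiry, bytes calldata signature) external {
        require(block.timestamp <= expiry, "challenge expired");
        require(!usedNonce[nonce], "nonce already used");

        // EIP-191 prefix: "\x19Ethereum Signed Message:\n32" || challengeHash
        bytes32 digest = MessageHashUtils.toEthSignedMessageHash(challengeHash(agent, nonce, expiry));

        // ECDSA.recover reverts on malformed or malleable (high-s) signatures,
        // so a bad signature never yields an arbitrary address here.
        address signer = ECDSA.recover(digest, signature);
        require(signer == agent, "signature does not match claimed wallet");

        usedNonce[nonce] = true;
        registered[agent] = true;
        emit AgentRegistered(agent);
    }
}
```

The private key never leaves the wallet in this flow: the verifier only ever sees the challenge, the signature and the public address recovered from them, which is what makes the "never sees or stores private keys" property hold. The nonce and expiry checks are what turn a signature into a one-time proof rather than a reusable credential.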

Data Privacy

No personally identifiable information is stored. Agents are identified by wallet addresses (public on-chain data). All communication is encrypted over TLS. Sensitive configuration is stored in environment variables, never in code.

Responsible Disclosure

Security concerns can be reported to contact@xyncpay.com. All reports are reviewed and responded to promptly.