Audit Status
x402r extends the canonical commerce-payments protocol from Base. The commerce-payments contracts have professional audits and run directly at their universal CREATE2 addresses (no fork). The x402r-specific contracts built on top of them are not yet audited.
What’s Audited (Upstream)
x402r runs the commerce-payments primitives at their canonical addresses, so their audit coverage applies directly, with no fork to re-audit. Base maintains the authoritative, dated report list; defer to it rather than to this page:
- The commerce-payments audits/ directory hosts the report PDFs.
- The Security Audits section of the upstream README lists each audit with its date and report link.
The AuthCaptureEscrow contract and its supporting infrastructure (TokenCollectors, TokenStore, Permit2 integration) were covered by five reports: three from Coinbase Protocol Security and two from Spearbit. These cover the core escrow lifecycle: authorize, capture, void, reclaim, and refund.
What’s Not Audited
| Component | Status | Risk |
|---|---|---|
| PaymentOperator | Unaudited | Core operator with condition/hook dispatch and fee system |
| PaymentOperatorFactory | Unaudited | CREATE2 deterministic deployment |
| ProtocolFeeConfig | Unaudited | Timelocked fee governance |
| StaticFeeCalculator | Unaudited | Simple immutable fee calculator |
| Condition plugins | Unaudited | PayerCondition, ReceiverCondition, StaticAddressCondition, AlwaysTrueCondition |
| Combinator plugins | Unaudited | AndCondition, OrCondition, NotCondition |
| EscrowPeriod | Unaudited | Combined hook + time-lock condition |
| Freeze | Unaudited | Freeze/unfreeze state management |
| Hook plugins | Unaudited | AuthorizationTimeRecorderHook, PaymentIndexRecorderHook, HookCombinator |
| RefundRequest | Unaudited | Refund request lifecycle management |
What This Means
- The audited escrow layer covers fund custody, token transfers, and payment state transitions
- The condition/hook plugin system is stateless or minimal-state by design, reducing attack surface
Security Practices
Even without a formal audit, the x402r contracts follow established security patterns:
- CEI (Checks-Effects-Interactions) ordering in all state-changing functions
- ReentrancyGuardTransient (EIP-1153) on all external entry points
- Immutable configuration: deployment locks the operator conditions and fee calculators
- 7-day timelock on protocol fee changes via ProtocolFeeConfig
- 2-step ownership transfers via Solady’s Ownable
- Forge test suite covering core flows and edge cases
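The CEI ordering, transient reentrancy guard, and fee timelock listed above, as an added illustration that is not x402r's, Base's, or Solady's code: a minimal contract with invented names that places a refund written interaction-before-effect next to the CEI-ordered, guarded version, hand-rolls the EIP-1153 guard with tstore/tload instead of importing a library, and adds a two-step, 7-day timelocked fee parameter. The slot constant, the 10% fee cap, and the single immutable owner are assumptions for the example, not x402r's parameters.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.24; // tstore/tload need solc 0.8.24+ and a Cancun EVM target

/// Constructed example (not x402r code). Demonstrates three patterns:
/// CEI ordering, a transient (EIP-1153) reentrancy guard, and a timelocked
/// fee change. All names and parameters are invented for illustration.
contract PatternDemo {
    // --- Transient reentrancy guard (EIP-1153) ---
    // Transient storage is wiped at the end of every transaction, so the lock
    // never persists and no storage write is spent on locking/unlocking.
    // 0x929eee14 is an arbitrary slot chosen for this example.
    modifier nonReentrant() {
        assembly {
            if tload(0x929eee14) { revert(0, 0) }
            tstore(0x929eee14, 1)
        }
        _;
        assembly { tstore(0x929eee14, 0) }
    }

    // --- Balances the CEI ordering protects ---
    mapping(address => uint256) public balance;

    function deposit() external payable {
        balance[msg.sender] += msg.value;
    }

    // ANTI-PATTERN, kept only for contrast: the external call (Interaction)
    // happens before the balance update (Effect). A receiver whose receive()
    // calls refundUnsafe again sees the old balance and can drain the vault.
    function refundUnsafe(uint256 amount) external {
        require(balance[msg.sender] >= amount, "insufficient");
        (bool ok, ) = msg.sender.call{value: amount}("");
        require(ok, "transfer failed");
        balance[msg.sender] -= amount;
    }

    // CEI: Checks, then Effects (state written), then Interactions (external call).
    // The guard is a second line of defence: if a later refactor breaks the
    // ordering, any re-entry into a guarded function still reverts.
    function refund(uint256 amount) external nonReentrant {
        require(balance[msg.sender] >= amount, "insufficient"); // Check
        balance[msg.sender] -= amount;                          // Effect
        (bool ok, ) = msg.sender.call{value: amount}("");        // Interaction
        require(ok, "transfer failed");
    }

    // --- Two-step, timelocked fee parameter ---
    uint256 public constant FEE_DELAY = 7 days;
    address public immutable owner;   // single owner for brevity; 2-step transfer omitted
    uint16 public feeBps;             // active fee in basis points
    uint16 public pendingFeeBps;
    uint256 public pendingFeeEta;     // 0 means nothing is pending

    constructor(uint16 initialFeeBps) {
        owner = msg.sender;
        feeBps = initialFeeBps;
    }

    // Step 1: the owner can only schedule a change; it cannot take effect early.
    function proposeFee(uint16 newFeeBps) external {
        require(msg.sender == owner, "not owner");
        require(newFeeBps <= 1_000, "fee above 10% cap"); // cap is an example value
        pendingFeeBps = newFeeBps;
        pendingFeeEta = block.timestamp + FEE_DELAY;
    }

    // Step 2: anyone may apply the change once the delay has elapsed, so the
    // owner cannot bypass the delay and integrators get a 7-day notice window.
    function applyFee() external {
        require(pendingFeeEta != 0 && block.timestamp >= pendingFeeEta, "timelock active");
        feeBps = pendingFeeBps;
        pendingFeeEta = 0;
    }
}
```

Compile with a Cancun-capable target (solc 0.8.24 or later, and an EVM version that includes the transient-storage opcodes) or the assembly will not build. The useful check before integrating any contract that claims these properties is to write a Forge test whose malicious receiver re-enters from receive(): against refund() the call must revert, against refundUnsafe() it drains the balance.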
Audit Roadmap
The plan is to pursue third-party audits as the contract architecture and use cases stabilize. Priority order:
- PaymentOperator: condition dispatch, fee calculation, fee locking, distribution
- Plugin system: conditions, hooks, combinators, and their factories
- EscrowPeriod + Freeze: time-lock enforcement and freeze state management
- RefundRequest: request lifecycle and access control
To discuss the security posture in more detail before integrating, or to report a vulnerability, reach out at security@x402r.org.
