Security

Smart Contract Security

• FeeRouterV4 is built on OpenZeppelin contracts.
• Oracle verification via EIP-712 typed data signatures — the contract only executes if the Oracle has signed.
• Nonce-based replay protection — each signature can only be used once.
• Admin functions (pause, fee changes) are owner-only and protected by a multi-sig.

Oracle System

Every transaction requires Oracle approval before the FeeRouter executes it.

• AML screening — addresses checked against sanctioned lists.
• Amount limits — configurable per merchant.
• Address blacklist — known malicious addresses blocked.
• If the Oracle is offline, transactions queue — they are not lost. They execute once the Oracle comes back.
• The Oracle private key is protected by AWS KMS. It never leaves the HSM.

Custodial Model

Two different models, depending on the component:

• End users: NON-custodial. You sign your own transactions with your own wallet. RSends never has access to your private key.
• Master wallet (splits/forwards): Custodial. The Master wallet holds funds temporarily during split and forward operations. Its key is protected by AWS KMS with hot wallet limits enforced.

What We Don't Do

• We never have access to your wallet private keys.
• We never ask for seed phrases.
• We never initiate transactions without your signature.
• We never store your private keys on our servers.