🛡️ The only official bot is @EazPay_bot. Any other handle, even a similar one, is a scam. Official support NEVER asks you to deposit to a different address.
EazPay is live on Tempo mainnet! Try it now →

Honest by default.
Self-custodial by export.

EazPay is custodial by default: the bot generates and stores your encrypted wallet key so payments work from Telegram with zero setup. On-chain access controls cap what the bot can do with it — and /export returns your key whenever you want to fully self-custody from any external wallet.

🔐

Smart Contract Wallets

Every user gets a dedicated smart contract wallet on Tempo L1. Fund balances live on-chain; the encrypted EOA key that owns the wallet is held by the bot (custodial by default).

  • Keys encrypted AES-256-GCM in our DB; the encryption key lives in Railway env, separate from the DB
  • Daily spending limits — on-chain enforced, 1,000 USDC/day/wallet
  • Self-custody exit via /export — receive the key, manage from any wallet, stop trusting the bot

Atomic Transactions

Every payment is a single on-chain transaction. All or nothing.

  • sendPayment() — one call, fee deducted, funds transferred, receipt emitted
  • batchSend() — split payments are atomic, all recipients receive or nobody does
🛡️

On-Chain Access Control

The bot operator key is dedicated and separated from the deployer (rotated 2026-04-16). On-chain it can only send payments and create wallets. It cannot:

  • Withdraw your funds to an arbitrary address
  • Change your daily limits
  • Transfer tokens other than USDC
  • Exceed the 1,000 USDC/day cap per wallet
🔒

Authentication

Multiple layers of user verification to protect your account.

  • PIN protection with bcrypt, 30-min auto-lock
  • 2FA for large transactions (6-digit code, 60s expiry)
  • Anti-phishing codes in every message

🌐 Fee Transparency

0.1% fee enforced by the TreasuryRouter contract. The rate is capped at 2% and transparent on-chain. We can't charge more than the contract allows — ever.

Smart Contracts
Deployed on Tempo L1, Chain ID 4217. All contracts verified on Tempo Explorer.
Contract Address
EazPay V4
Payment orchestrator — P2P, split, external withdrawals, emergency pause
 0x07950a498B83b5b2958bC5152884Ffc56409160F
UserWalletFactory V2
Deploys per-user wallets (V4 as botOperator)
 0x1BE92ea599bBb3896e3e0F1a98fb2363e0c379f7
TreasuryRouter V2
Fee rate (0.1%) + treasury sink, 2% on-chain ceiling
 0x6384a449B09501F0BFed3881E29CF8dCF582678c
USDC (TIP-20)
Stablecoin token
 0x20c000000000000000000000b9537d11c60e8b50
💾 What We Store (and What We Don't)
Full transparency about data handling. This is the honest answer, not a marketing one.

Stored (custodial)

  • Your EOA private key — encrypted (AES-256-GCM) in our DB
  • PIN hash (bcrypt only — never plaintext)
  • Anti-phishing code (plaintext so you can see it in messages)
  • Telegram user ID — mapped to wallet address
  • Username and first name — for @mention display
  • Transaction cache (source of truth is always on-chain)

Never Stored

  • Seed phrases (EOAs use a single key, no seed)
  • Plaintext passwords
  • Fund balances (always read live from on-chain)
  • Data after you request deletion at security@eazpay.xyz (manual process today; self-service /deleteaccount on roadmap)

⚠️ Known Risk — Custodial Scope

Because the EOA encryption key lives in our Railway environment and the encrypted keys live in our DB, a breach that compromises both would put user keys at risk. We mitigate via: separate Railway secret scope, strict access control, no key dumps in logs, periodic audits. A fully zero-custody redesign is on the roadmap but not yet shipped. Use /export if you want to opt out of custody today.

🧰 Security Features

Rate Limiting

5 commands per 30 seconds, 3 send operations per 60 seconds, anti-bruteforce on PIN and 2FA attempts.

Session Management

30-minute auto-lock, PIN-gated access, automatic session reset on restart.

Input Validation

Strict amount format, username sanitization, address verification before every transaction.

Export Safety

DM only delivery, double confirmation required, contract users receive self-custody information.

🔍 Responsible Disclosure
Found a vulnerability? We take security seriously.

In Scope

Smart Contracts (Tempo L1) Bot Backend (Node.js) Web Dashboard (Next.js)

Out of Scope

Social engineering DDoS Third-party (Telegram/Railway/Vercel) Physical access

How to Report

📧 security@eazpay.xyz
💬 Telegram DM: @tomajackmac
⚠️ Do NOT disclose publicly before fix is confirmed.

Rules

Recognition

Critical

Fund theft, key extraction

Public credit + reward

High

Privilege escalation

Public credit

Medium

Info leak, DoS

Acknowledgment

Low

Best practices

Acknowledgment

Source Verification

Smart contracts are verified on Tempo Explorer — you can read the Solidity source and confirm the deployed bytecode directly on-chain. Bot and web repositories are currently private during active development and will be opened after third-party contract audit.

🔍 EazPay V4 on Explorer 🌐 Tempo Explorer
"The parts we ask you to trust are the ones we document. The parts we don't ask you to trust are enforced on-chain."