Your money. Your rules.
On-chain.

EazPay is built security-first. Every payment runs through audited smart contracts on Tempo L1 — not our servers. We can't touch your funds. Nobody can.

Smart Contract Wallets

Every user gets a dedicated smart contract wallet on Tempo L1. Your funds live on-chain — not in our database.

  • No private keys stored — we never hold your keys
  • Daily spending limits — on-chain enforced, 1,000 USDC/day/wallet
  • Owner control — full self-custody via withdraw() at any time

Atomic Transactions

Every payment is a single on-chain transaction. All or nothing.

  • sendPayment() — one call, fee deducted, funds transferred, receipt emitted
  • batchSend() — split payments are atomic, all recipients receive or nobody does

On-Chain Access Control

The bot operator can only send payments and create wallets. It cannot:

  • Withdraw your funds
  • Change your daily limits
  • Transfer tokens other than USDC
  • Access any wallet without on-chain permission

Authentication

Multiple layers of user verification to protect your account.

  • PIN protection with bcrypt, 30-min auto-lock
  • 2FA for large transactions (6-digit code, 60s expiry)
  • Anti-phishing codes in every message

🌐 Fee Transparency

0.1% fee enforced by the TreasuryRouter contract. The rate is capped at 2% and transparent on-chain. We can't charge more than the contract allows — ever.

Smart Contracts
Deployed on Tempo L1, Chain ID 4217. All contracts verified on Tempo Explorer.

| Contract | Description | Address |
|---|---|---|
| EazPay V3 | Payment orchestrator (with emergency pause) | 0x8741ac2b1e4715084618B2540a4079EdA5D45b99 |
| UserWalletFactory | Deploys user wallets | 0x7F076a59501b2d61c64e196d697a95415cCf3C40 |
| TreasuryRouter | Fee collection (0.1%) | 0xf6b1285907F206848e1D51857eA4554B53E45ebc |
| USDC (TIP-20) | Stablecoin token | 0x20c000000000000000000000b9537d11c60e8b50 |

💾 What We Don't Store
We minimize data collection by design. Your sensitive information never touches our servers.

Never Stored

  • Private keys
  • Seed phrases
  • Passwords (only bcrypt hashes)
  • Fund balances (on-chain only)
  • Transaction history (on-chain; DB cache only)

Stored (Necessary)

  • Telegram user ID — mapped to wallet
  • Username — for @mention lookups
🧰 Security Features

Rate Limiting

5 commands per 30 seconds, 3 send operations per 60 seconds, anti-bruteforce on PIN and 2FA attempts.

Session Management

30-minute auto-lock, PIN-gated access, automatic session reset on restart.

Input Validation

Strict amount format, username sanitization, address verification before every transaction.

Export Safety

DM-only delivery, double confirmation required, contract users receive self-custody information.

🔍 Responsible Disclosure
Found a vulnerability? We take security seriously.

In Scope

  • Smart Contracts (Tempo L1)
  • Bot Backend (Node.js)
  • Web Dashboard (Next.js)

Out of Scope

  • Social engineering
  • DDoS
  • Third-party (Telegram/Railway/Vercel)
  • Physical access

How to Report

📧 security@eazpay.xyz
💬 Telegram DM: @tomajackmac
⚠️ Do NOT disclose publicly before fix is confirmed.

Rules

Recognition

| Severity | Examples | Recognition |
|---|---|---|
| Critical | Fund theft, key extraction | Public credit + reward |
| High | Privilege escalation | Public credit |
| Medium | Info leak, DoS | Acknowledgment |
| Low | Best practices | Acknowledgment |

Open Source

Contracts verified on Tempo Explorer. Code available on GitHub for full transparency.

"We built EazPay so that we don't need your trust. The code is the guarantee."