---
issue: "007"
title: "SIM_ transaction bypass active in production — no NODE_ENV guard on wallet connection fallback"
severity: critical
domain: payment
labels: [security, frontend, backend, bug]
status: open
created: 2026-05-29
source: Doc vs Code Audit 2026-05-29
---

# 🔴 SIM_ transaction bypass active in production — no NODE_ENV guard on wallet connection fallback

**Severity:** critical
**Domain:** payment
**Labels:** security, frontend, backend, bug

## Description

`frontend/src/web3/context/web3-provider.tsx` (lines ~225 and ~232) generates `SIM_` prefixed transaction hashes when wallet connection fails, and passes these to the backend as real transaction hashes. The backend's payment service skips all on-chain verification for any `paymentHash` starting with `SIM_`.

This bypass is controlled **only by the hash prefix** — there is no `process.env.NODE_ENV === 'development'` check in either the frontend or backend. In production, if a user's wallet connection times out or throws (e.g., network error, MetaMask not responding), the frontend will submit a `SIM_` hash. This can result in a payment record being created as `completed` without any actual on-chain transaction.

## Current Behavior

Wallet connection failure → frontend generates `SIM_xxxxxxxx` hash → sends to backend → backend skips on-chain verification → payment created as completed.

## Expected Behavior

- Frontend: `SIM_` hash generation should be gated on `process.env.NODE_ENV !== 'production'`
- Backend: `SIM_` bypass should additionally check an environment flag (e.g., `process.env.ALLOW_SIM_PAYMENTS !== 'true'`)

## Affected Files

- `frontend/src/web3/context/web3-provider.tsx` — lines ~225, ~232
- `backend/src/services/payment/` — SIM_ prefix check in payment verification logic

## References

- [Doc vs Code Audit Report](../09%20-%20Audits/Doc%20vs%20Code%20Audit%20Report%20-%202026-05-29.md) — Finding M39
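An added sketch of the guards listed under Expected Behavior (not the project's code): the prefix-only decision this issue describes, beside a fail-closed backend check and a frontend fallback that refuses to fabricate a hash in production. Function names, the `Decision` type, and requiring both conditions on the backend are assumptions; `NODE_ENV` and `ALLOW_SIM_PAYMENTS` are the variables named in the issue.

```typescript
// Hypothetical names throughout; env is passed in so the logic can be
// unit-tested without touching the real process environment.
type Env = Record<string, string | undefined>;
type Decision = "verify-on-chain" | "accept-simulated" | "reject";

const SIM_PREFIX = "SIM_";

function isSimHash(paymentHash: string): boolean {
  return paymentHash.indexOf(SIM_PREFIX) === 0;
}

// Behaviour described in the issue: the prefix alone skips verification.
function decidePrefixOnly(paymentHash: string): Decision {
  return isSimHash(paymentHash) ? "accept-simulated" : "verify-on-chain";
}

// Hardened backend check: a SIM_ hash is accepted only outside production
// AND with an explicit opt-in flag. Anything else fails closed with a
// rejection; it never falls through to a "completed" payment.
function decideGuarded(paymentHash: string, env: Env): Decision {
  if (!isSimHash(paymentHash)) {
    return "verify-on-chain";
  }
  const simAllowed =
    env.NODE_ENV !== "production" && env.ALLOW_SIM_PAYMENTS === "true";
  return simAllowed ? "accept-simulated" : "reject";
}

// Hardened frontend fallback: in production a wallet failure surfaces an
// error to the user instead of producing a simulated hash.
function onWalletFailure(
  env: Env,
  makeSimHash: () => string
): { hash?: string; error?: string } {
  if (env.NODE_ENV === "production") {
    return { error: "wallet connection failed" };
  }
  return { hash: makeSimHash() };
}
```

An unset `ALLOW_SIM_PAYMENTS` counts as disabled, so a deployment that forgets to configure the flag rejects simulated hashes rather than accepting them.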