--- issue: 058 title: "Frontend test payment mode enablable in production via NEXT_PUBLIC env var" severity: high domain: Payment labels: [security, frontend, test-bypass] status: open created: 2026-05-30 source: Full Codebase Audit 2026-05-30 --- # Frontend test payment mode enablable in production via NEXT_PUBLIC env var **Severity:** high **Domain:** Payment **Labels:** security, frontend, test-bypass ## Description `isTestPaymentEnabled()` in `src/web3/services/test-payment-service.ts` is gated only on `NEXT_PUBLIC_ENABLE_TEST_PAYMENT` env flag. Setting this flag in a production deployment (intentionally or by misconfiguration) activates test-payment mode, which bypasses real payment flows. ## Options 1. Gate `isTestPaymentEnabled()` on `(process.env.NODE_ENV !== 'production') AND` the env flag — code-level hard stop. 2. Strip the test-payment code path entirely from production via a build-time define/dead-code elimination. 3. Both: NODE_ENV guard plus CI assertion that the flag is unset in prod env. ## Recommendation Require `NODE_ENV !== 'production'` in addition to the flag, and add a CI check that `NEXT_PUBLIC_ENABLE_TEST_PAYMENT` is absent in production secrets. ## Affected Files - `frontend/src/web3/services/test-payment-service.ts:131` ## References - [Full Codebase Audit 2026-05-30](../09%20-%20Audits/Full%20Codebase%20Audit%20-%202026-05-30.md) — DEC-3