--- issue: 069 title: "Backend: cleanupOldPendingPayments deletes pending RN payments mid-flow" severity: high domain: Payment labels: [bug, backend, data-loss, escrow] status: open created: 2026-05-30 source: Full Codebase Audit 2026-05-30 --- # Backend: cleanupOldPendingPayments deletes pending RN payments mid-flow **Severity:** high **Domain:** Payment **Labels:** bug, backend, data-loss, escrow ## Description `cleanupPendingPayments.ts:42` deletes pending payments after a TTL without excluding webhook-driven providers. Request Network flows can take hours or days to receive on-chain confirmation. A pending RN payment deleted by this cleanup will never be reconciled when the late webhook arrives. ## Options 1. Exclude provider `request.network`/`shkeeper` from the cleanup, or greatly extend the TTL for them. 2. Mark as `expired` instead of deleting, so a late webhook can reconcile. 3. Only delete pending payments that have no associated active purchase request. ## Recommendation Exclude webhook-driven providers (or use a long TTL) and prefer expire-over-delete so late webhooks can reconcile. This is a data-loss risk. ## Affected Files - `backend/src/services/payment/cleanupPendingPayments.ts:42` ## References - [Full Codebase Audit 2026-05-30](../09%20-%20Audits/Full%20Codebase%20Audit%20-%202026-05-30.md) — DEC-39