Paymatic · Smart Contract Security Assessment

Paymatic Payments

Zealynx audited Paymatic, a trust-minimized escrow protocol for ERC-20 tokens with delayed settlement and sender-controlled execution. The 3-day review of the single PaymaticPayments.sol contract (189 nSLOC) identified 6 issues: 2 Medium (decimal precision in fee calculation, fee-on-transfer token incompatibility), 2 Low, and 2 Informational. The contract demonstrated solid structure overall, with findings concentrated in ERC-20 edge cases and documentation gaps.

Ethereum · Solidity · Smart Contract Code Review · 2025-05-08 · Zealynx methodology

Total findings: 6 (0 fixed · 6 acknowledged)
Critical: 0
High: 0
Medium: 2
Low + Info: 4

02 Scope

Scope: 1 file · 189 SLOC
Platform: Ethereum · Solidity
Methodology: Zealynx methodology
File: PaymaticPayments.sol

04 Key Findings

  • Decimal precision issues in fee calculation. The fee calculation uses a fixed divisor (100,000) without normalizing for token decimal precision, causing the effective fee rate to vary dramatically between tokens with different decimal standards (0.0003% on USDC vs 0.3% on WETH for the same nominal amount).
  • Fee-on-transfer tokens lead to locked funds. The contract assumes the amount transferred equals the amount specified, but fee-on-transfer tokens deduct a fee per transfer, leaving the contract with less than recorded in payment.amount and causing settlements to fail or lock balances.
  • Zero-value fee transfers can revert. Some ERC-20 tokens (like LEND) revert on zero-value transfers, and the contract does not check whether the fee amount is zero before attempting the transfer, blocking very small payments and wasting gas.
  • Created state ambiguity for unlocked payments. Payments are created in the Created state with an unlockTime, but the Created state alone does not indicate whether a payment is unlocked, complicating UI status queries and filtering.
  • Misleading documentation on Pausable feature. Documentation claims the Pausable owner can pause all state-changing actions, but the whenNotPaused modifier is applied only to creation paths, not to cancelPayment() or settlePayment().
  • Unbounded feeValue may undermine user trust. setFeeValue allows the owner to set any fee amount without an upper limit, leaving users without assurance that fees will remain fair over time.
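The following contract is an added illustration written for this summary; it is not Paymatic's code and does not reproduce PaymaticPayments.sol. It shows the mitigations for three of the findings above in one place: measuring the balance actually received instead of trusting the requested amount (fee-on-transfer tokens), skipping the fee transfer when it rounds to zero (tokens that revert on zero-value transfers), exposing an explicit unlocked check rather than relying on the Created state alone, and bounding what setFeeValue may set. The contract name, function names and the 10% cap are assumptions; the page does not show the protocol's fee formula, so the decimal-precision finding is not modelled here.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Added illustration written for this summary; it is not Paymatic's contract.
// Contract and function names (EscrowSketch, createPayment, settlePayment, isUnlocked)
// and the 10% fee cap are assumptions chosen to demonstrate the mitigations.
import {IERC20} from "@openzeppelin/contracts/token/ERC20/IERC20.sol";
import {SafeERC20} from "@openzeppelin/contracts/token/ERC20/utils/SafeERC20.sol";

contract EscrowSketch {
    using SafeERC20 for IERC20;

    enum Status { Created, Settled, Cancelled }

    struct Payment {
        address sender;
        address recipient;
        IERC20 token;
        uint256 amount;      // tokens the contract actually holds for this payment
        uint256 unlockTime;
        Status status;
    }

    uint256 public constant FEE_DENOMINATOR = 100_000;
    uint256 public constant MAX_FEE_VALUE = 10_000; // assumed cap: 10% of the amount
    address public immutable owner;
    address public feeRecipient;
    uint256 public feeValue;
    Payment[] public payments;

    constructor(address _feeRecipient, uint256 _feeValue) {
        require(_feeValue <= MAX_FEE_VALUE, "fee above cap");
        owner = msg.sender;
        feeRecipient = _feeRecipient;
        feeValue = _feeValue;
    }

    // Bounded fee: the owner can still adjust it, but never beyond the published cap.
    function setFeeValue(uint256 newFee) external {
        require(msg.sender == owner, "not owner");
        require(newFee <= MAX_FEE_VALUE, "fee above cap");
        feeValue = newFee;
    }

    // Records what the contract received, not what the caller asked to send, so a
    // fee-on-transfer token cannot leave the escrow holding less than payment.amount.
    function createPayment(IERC20 token, address recipient, uint256 amount, uint256 unlockTime)
        external
        returns (uint256 id)
    {
        uint256 balanceBefore = token.balanceOf(address(this));
        token.safeTransferFrom(msg.sender, address(this), amount);
        uint256 received = token.balanceOf(address(this)) - balanceBefore;
        require(received > 0, "nothing received");

        payments.push(Payment(msg.sender, recipient, token, received, unlockTime, Status.Created));
        id = payments.length - 1;
    }

    // Explicit unlocked check so callers never have to infer it from Status.Created alone.
    function isUnlocked(uint256 id) public view returns (bool) {
        Payment storage p = payments[id];
        return p.status == Status.Created && block.timestamp >= p.unlockTime;
    }

    function settlePayment(uint256 id) external {
        Payment storage p = payments[id];
        require(msg.sender == p.sender, "only sender");
        require(isUnlocked(id), "locked or not pending");

        p.status = Status.Settled;
        uint256 fee = (p.amount * feeValue) / FEE_DENOMINATOR;

        // Skip the fee transfer when it rounds to zero; tokens that revert on
        // zero-value transfers would otherwise block small payments.
        if (fee > 0) {
            p.token.safeTransfer(feeRecipient, fee);
        }
        p.token.safeTransfer(p.recipient, p.amount - fee);
    }
}
```

Balance-difference accounting is the standard answer to fee-on-transfer tokens, but it has its own caveat: rebasing tokens change the contract's balance between creation and settlement, so a protocol that wants to support them needs share-based accounting rather than a fixed recorded amount.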
05 Team & approval

Auditor: Sergio (@Seecoalba)
Lead Auditor: Carlos (Bloqarl) (@TheBlockChainer)

06 Disclaimer

This audit is not an endorsement and does not constitute investment advice. Zealynx reviewed the codebase at the commits listed in section 02 over the engagement window. Findings are limited to issues identified within that scope and do not preclude the existence of other vulnerabilities. Subsequent code changes are not covered by this report unless the engagement is explicitly extended.

ZEALYNX SECURITY · published 2025-05-08