The deliverables have already been sent. @yuelwolf just needs to verify them.
All working now, Milestone 2 completed
CC @Geraldine @Paul
Hello @NovaTheMachine please send your invoice for the second milestone.
@NovaTheMachine can you submit your last milestone and invoice by the end of the week as we are closing the program ?
I’ve already submitted the third milestone.
I’ve also updated the SDK and will share the details here today.
Hello @NovaTheMachine
My apologies for the misunderstanding. I haven’t approved the last milestone yet because I was waiting for the contract’s audit. Could you please tell me how it was audited so we can close the project?
Hi @yuelwolf,
Since the project was delayed due to the KYC situation, the wardens I had originally selected for the audit were no longer available. In the meantime, I arranged for several independent reviews of the contract:
- Doc https://3doc.fr/ : senior auditor at Certora Inc., currently #1 on Code4rena’s 365-day leaderboard. He found no critical vulnerabilities. Identified one medium severity issue: mempool frontrunning.
  - Once the orderId is visible in the mempool, an attacker could frontrun with a transaction of negligible amount, causing the legitimate payment to fail.
  - Impact: the only outcome is that the transaction reverts (no loss of funds).
- Kriko (coreggon11 (krikoeth) · GitHub): top web3 security researcher & competitive auditor (1st place in multiple Cantina/Hacken/Sherlock contests). He is currently preparing a formal report, which should be delivered in the coming days.
- SolidityScan: gave a score of 94/100, no critical findings. Report
Here are the contract modifications that were made since the early version:
Removed functions
- isProcessed(bytes32 orderId) (view) – removed from ABI (internal processed[...] logic remains).
- Fee-related functions (setFeeBasisPoints, fee variables) – logic fully removed.
Simplified functions
- payWithPermit(...) – validates recipient and processed[orderId], then transfers directly user → recipient before calling _processPayment.
- pay(...) – same simplification as above.
- _processPayment(...) – no longer transfers tokens; just marks the order as processed and emits PaymentDone.
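The medium-severity finding above (a caller-supplied orderId that anyone can consume from the mempool, so the legitimate payment reverts without loss of funds) is easy to see in a small state model. The following is an added example written for this thread, not the project's Solidity: it models the processed[orderId] check as described, reproduces the griefing outcome, and contrasts it with a variant in which the order key is derived from the payer, recipient and amount, so a different sender cannot mark the buyer's order as processed. Names such as Token, PaymentContract, run_scenario, the balances and the salt are all constructed for the illustration.

```python
"""Constructed model of an order-keyed payment contract (illustration only, not
the project's Solidity).  A failed require() is modelled as a Revert exception
and, as on the EVM, any state written before the revert is rolled back."""
import hashlib
from dataclasses import dataclass, field


class Revert(Exception):
    """Mirrors a failed require(): the whole call is undone, no funds move."""


@dataclass
class Token:
    balances: dict = field(default_factory=dict)

    def transfer_from(self, sender: str, recipient: str, amount: int) -> None:
        if self.balances.get(sender, 0) < amount:
            raise Revert("insufficient balance")
        self.balances[sender] -= amount
        self.balances[recipient] = self.balances.get(recipient, 0) + amount


@dataclass
class PaymentContract:
    token: Token
    processed: dict = field(default_factory=dict)   # orderId -> bool
    events: list = field(default_factory=list)      # emitted PaymentDone events

    def pay(self, sender: str, order_id: str, recipient: str, amount: int) -> None:
        """Caller-supplied orderId: whoever lands first with this id consumes it."""
        if not recipient:
            raise Revert("invalid recipient")
        if self.processed.get(order_id):
            raise Revert("order already processed")
        self.processed[order_id] = True           # effects before interaction (CEI)
        try:
            self.token.transfer_from(sender, recipient, amount)
        except Revert:
            self.processed[order_id] = False      # whole tx reverts on the EVM
            raise
        self.events.append(("PaymentDone", order_id, sender, recipient, amount))

    @staticmethod
    def bound_order_id(payer: str, recipient: str, amount: int, salt: str) -> str:
        """Key bound to payer, recipient and amount: another sender or another
        amount with the same salt produces a different, unrelated key."""
        return hashlib.sha256(f"{payer}|{recipient}|{amount}|{salt}".encode()).hexdigest()

    def pay_bound(self, sender: str, recipient: str, amount: int, salt: str) -> str:
        order_id = self.bound_order_id(sender, recipient, amount, salt)
        self.pay(sender, order_id, recipient, amount)
        return order_id


def run_scenario(bound: bool) -> dict:
    """Buyer owes merchant 500; a front-runner lands a 1-unit payment first.
    Balances and the salt are constructed sample values."""
    token = Token({"buyer": 1_000, "frontrunner": 10})
    c = PaymentContract(token)
    result = {}
    if not bound:
        order_id = "order-42"                      # id the merchant issued; visible in mempool
        c.pay("frontrunner", order_id, "merchant", 1)   # negligible amount, same id
        try:
            c.pay("buyer", order_id, "merchant", 500)
            result["buyer_tx"] = "ok"
        except Revert as exc:
            result["buyer_tx"] = f"reverted: {exc}"   # griefing only, buyer keeps funds
    else:
        expected = PaymentContract.bound_order_id("buyer", "merchant", 500, "salt-42")
        c.pay_bound("frontrunner", "merchant", 1, "salt-42")   # different key, no effect
        c.pay_bound("buyer", "merchant", 500, "salt-42")
        result["buyer_tx"] = "ok" if c.processed.get(expected) else "not processed"
    result["merchant_balance"] = token.balances.get("merchant", 0)
    result["buyer_balance"] = token.balances["buyer"]
    return result


if __name__ == "__main__":
    print("caller-supplied orderId:", run_scenario(bound=False))
    print("bound orderId:          ", run_scenario(bound=True))
```

In the unbound run the buyer's transaction reverts with "order already processed" and the buyer's balance is untouched, which is the no-loss-of-funds outcome the auditor described; in the bound run the front-runner's transaction simply consumes its own key and the buyer's payment goes through.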
Hello @NovaTheMachine , perfect, then we’ll wait for Kriko’s report to close the project and approve Milestone 3.
Hi @yuelwolf — quick update:
- Audit: Kriko has now delivered his audit (attached). Great news: no critical or high-severity issues were found, only some recommendations (CEI pattern, duplicate checks, event fields).
- SDK: I’m preparing an update for next week, refreshed UI, added the logo, and currently working on adding more wallet integrations.
- Post-grant: although the grant is officially complete, I’ll keep maintaining docs and releasing small updates over the next weeks.
- Hackathon: I’m also organizing a blockchain hackathon in San Francisco at the end of the year (target ~100 participants). This could be a great opportunity to promote both the SDK and The Sandbox at the same time. Would Sandbox be interested in sponsoring or getting involved?
Thank you @NovaTheMachine, great job. Milestone 3 approved, congrats. CC @Geraldine @Paul
Hi @yuelwolf ! thank you!
I’ve now deployed the new version with the UI update. Really appreciate all the support throughout this process.
Best,
Hi @Geraldine I’ve sent the invoice, but I haven’t received the payment yet. Could you please confirm if it’s being processed?
Thanks,
We will proceed in the next days.
Hello,
Unfortunately, there has been a mix-up in processing the payment via our software for this particular grant.
There have been two transactions with the same amount, 20 seconds apart, resulting in the payment being doubled, as you can see: 11870 USDC (total amount crypto) instead of the agreed-upon 5934. The UX should have caught it, as I can normally only pay what is displayed in the bill, but we are where we are. I have contacted our supplier, who cannot do anything, and the transaction cannot be reversed on the blockchain.
We have tried to contact @NovaTheMachine multiple times via email to organise the restitution of funds, but he keeps ignoring us.
I would like to request the opinion of the community on the best way forward.
FYI we have on the record:
- His Real name
- Address of residence
- email address
- Linkedin profile
- personal website
- And the wallet where the funds have been sent
@Delegates @yuelwolf @Paul @Geraldine @theKuntaMC @Lanzer
Thanks for your help!
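The double transfer above (two sends of the same amount 20 seconds apart, against a bill the software should have capped) is the classic case for an idempotency key on the payer's side. The following is an added example, not the DAO's payment software or anything the supplier ships: a constructed PaymentDesk that keys every submission on the bill id, refuses any amount that differs from the displayed bill, and answers a repeated submission with the first transaction instead of issuing a second one. The Bill, PaymentDesk, submit and total_paid names, the tx identifiers and the timestamps are all constructed for the illustration.

```python
"""Constructed model of an idempotent payment submission (illustration only).
One on-chain transfer per bill, amount pinned to what the bill displays."""
from dataclasses import dataclass, field


@dataclass
class Bill:
    bill_id: str
    amount: int            # whole USDC for the example


@dataclass
class PaymentDesk:
    sent: dict = field(default_factory=dict)     # bill_id -> first transfer record
    ledger: list = field(default_factory=list)   # every transfer actually issued
    tx_counter: int = 0

    def submit(self, bill: Bill, amount: int, ts: float) -> dict:
        """Submit a payment for `bill`; `ts` is the submission time in seconds."""
        if amount != bill.amount:
            # the UI only ever shows the bill amount; anything else is a bug upstream
            return {"status": "rejected", "reason": "amount differs from bill"}
        prior = self.sent.get(bill.bill_id)
        if prior is not None:
            # same bill again (e.g. a double click or a retry 20 s later):
            # return the original result, issue no second transfer
            return {"status": "duplicate", "tx": prior["tx"], "first_ts": prior["ts"]}
        self.tx_counter += 1
        record = {"tx": f"tx-{self.tx_counter}", "bill_id": bill.bill_id,
                  "amount": amount, "ts": ts}
        self.sent[bill.bill_id] = record         # reserve the key before sending
        self.ledger.append(record)               # stands in for the on-chain transfer
        return {"status": "sent", **record}

    def total_paid(self, bill_id: str) -> int:
        return sum(r["amount"] for r in self.ledger if r["bill_id"] == bill_id)


def replay_incident() -> dict:
    """Constructed replay of the thread's numbers: one 5934 USDC bill, submitted
    twice 20 seconds apart, then once more with a doubled amount."""
    desk = PaymentDesk()
    bill = Bill("grant-milestone-3", 5934)
    first = desk.submit(bill, 5934, ts=0.0)
    second = desk.submit(bill, 5934, ts=20.0)
    doubled = desk.submit(bill, 11870, ts=40.0)
    return {
        "first": first["status"],
        "second": second["status"],
        "doubled": doubled["status"],
        "transfers": len(desk.ledger),
        "total_paid": desk.total_paid(bill.bill_id),
    }


if __name__ == "__main__":
    print(replay_incident())
```

With the key in place the second submission comes back as a duplicate of tx-1 and the total paid stays at 5934 rather than 11870; the check belongs in the payer's tooling because, as the post notes, nothing can be reversed once the transfer is on chain.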
We acknowledge the error of the double transfer. We are waiting for the recipient to demonstrate the integrity to correct this mistake by returning the excess funds. We will follow up in the coming days. Should the funds not be recovered, we must use this as a critical opportunity to formalize a clear Standard Operating Procedure (SOP) for handling and mitigating transfer errors.
That’s a tough situation. In Star Atlas DAO we dealt with a situation where someone wasn’t delivering, and we had to recover the funds. In the research process we learned that Grand Cayman Islands law likely wouldn’t consider a PIP (equiv to a SIP) the same as a contract without something having been signed. Before we could go further, the PIP author sent the funds back voluntarily.
My recommendation,
- Send an overpayment recovery letter via certified mail to Nova’s physical mailing address citing the request for overpayment to be returned.
- Post a message TSB Discord #dao-discussion and on X, asking if anyone knows how to contact Nova (even though you have Nova’s contact info there might be alternative ways that reach them faster)
- Continue with SIP implementation to receive the product from Nova
- While you’re doing this, I recommend seeking advice from TTA, which I think would be worth the lawyer fees to learn their thoughts.
Questions I would ask:
- Does the Cayman Islands have any equivalent to USA’s “unjust enrichment” doctrine?
- If so, how would the Cayman Islands law work with or against the SIP author’s host country?
Because this is mostly the DAO’s oversight, I recommend continuing to give Nova the benefit of the doubt that they aren’t intentionally keeping the funds.
If the last milestone completes and Nova still hasn’t returned the funds, then it might be time to act upon the advice from TTA and employ more serious measures.
Thanks for the feedback, all! The grant has been paid in full, and the mistake happened at the payment of the last milestone. I have indeed thought about the TTA route, but the cost might outweigh the benefit. We could make this a matter of principle, though.
Still no news from him. I have sent another chaser.
To follow up on Lanzer’s remarks, I do believe that approved SIPs do not sufficiently protect the DAO’s investments.
Perhaps it would be possible to rely on a smart contract — I’m not entirely sure how it would be implemented — but essentially one that would hold the funds and release them progressively as long as the terms of the agreement are being met.
Either I’ve missed some important points (which is very possible), or we’re simply not being demanding enough when it comes to the work that is actually delivered. Should I provide concrete examples? I know it’s not always comfortable to speak up, and that my interventions can be disruptive. I also understand the importance of relationships and diplomacy — but at some point, we have to look at the situation honestly.