QA in Action

Open

PAY

RULE-001 CRITICAL

Processing continues transaction search after Travel Rule decline

The processing-service continues searching and processing transactions even after the Travel Rule service returns a DECLINED status.

Payments Travel Rule Transaction

Environment: Production, Processing Service, Travel Rule

Steps to Reproduce:

1. Create an invoice or transaction
2. Wait for Travel Rule verification to start
3. Return a DECLINED response from the Travel Rule service
4. Check processing-service logs and queue activity
5. Verify that transaction search continues after the decline

Actual Result: Processing-service continues transaction search and processing after Travel Rule verification is declined.

Expected Result: Processing-service must immediately stop transaction search and further processing after receiving a decline status from Travel Rule.

Recommendations:

• Immediately terminate transaction-search after DECLINED status
• Add an early-stop mechanism for the processing pipeline
• Prevent creation of new processing jobs after Travel Rule rejection
• Add guard-check validation before each transaction processing stage
• Log the processing flow termination reason
• Cover the scenario with integration and e2e tests

Show Details

Open

RPC

RPC-018 CRITICAL

Polygon RPC provider returns malformed block data

Polygon RPC providers (Infura, Alchemy, GetBlock) intermittently return malformed block payloads that fail deserialization with DeserError: BlockTransactions during block processing.

Polygon RPC EIP-4844

Environment: Production, Polygon RPC, Infura / GetBlock

Steps to Reproduce:

1. Connect to Polygon RPC via Infura or Alchemy
2. Request block data using eth_getBlockByNumber
3. Attempt to deserialize BlockTransactions
4. Observe intermittent DeserError failures

Actual Result: Block deserialization intermittently fails with DeserError, causing the RPC backend to skip affected blocks.

Expected Result: Block data should deserialize correctly, including support for EIP-4844 blob transactions.

Recommendations:

• Update transaction deserialization logic for EIP-4844 compatibility
• Add fallback parsing for unknown transaction variants
• Implement retry and provider failover for malformed RPC responses
• Log affected block numbers and provider responses for investigation
• Validate RPC payload schema before transaction processing
• Cover blob transaction scenarios with regression and integration tests

Show Details

Open

INV

INV-024 CRITICAL

Crypto invoice waits full timeout when no deposit is detected

Crypto invoices remain in AwaitingCryptoDeposit state until the full expires_at timeout (5-10+ hours) even when no blockchain transaction is ever detected, causing poor payment widget UX.

Payments Crypto Invoices

Environment: Production, payment-invoices, crypto payment widget

Steps to Reproduce:

1. Create a crypto invoice and open the payment widget
2. Observe invoice state AwaitingCryptoDeposit
3. Do not send any crypto transaction
4. Wait for the deposit detection window to pass
5. Verify that the invoice still waits until expires_at

Actual Result: The invoice remains active for the full timeout period (5-10+ hours). Step_02 continuously polls oracle-pool every ~2 minutes and receives "Transaction still not found" responses while the widget keeps showing "awaiting payment".

Expected Result: Invoices without detected blockchain transactions should expire early after the deposit detection window ends, while full expires_at timeout should only apply once a transaction has been detected.

Recommendations:

• Implement two-tier timeout logic for crypto invoices
• Add early expiry for invoices without detected transactions
• Keep invoices cancellable during the deposit detection window
• Prevent expiry when oracle-pool has already detected an in-flight transaction
• Unsubscribe oracle-pool listeners on all invoice expiry states
• Move invoice timeout values into configurable environment variables

Show Details

Open

C2F

C2F-011 CRITICAL

GetInvoice returns 500 after oracle-pool callback

After receiving an oracle-pool callback, the GetInvoice endpoint returns 500 Internal Server Error instead of a valid invoice object.

Payments Oracle Pool Invoices

Environment: Development, payment-invoices, oracle-pool callback flow

Steps to Reproduce:

1. Create invoice via PaymentInvoicesService.CreateInvoice
2. Verify invoice state is pending.awaiting_crypto_deposit
3. Call GetInvoice and confirm it works before callback
4. Send POST /v1/callbacks/oracle-pool with status=1 and confirmations=1
5. Call GetInvoice again using the same invoice_id

Actual Result: GetInvoice returns 500 Internal Server Error after oracle-pool callback processing.

Expected Result: GetInvoice should return a valid invoice object with an updated state such as pending.awaiting_checks, pending.awaiting_exchange, or expired.

Recommendations:

• Validate invoice state transitions after oracle-pool callback processing
• Add null and schema validation before invoice serialization
• Log callback payloads and invoice state mutations for debugging
• Prevent invalid invoice states from reaching GetInvoice response mapping
• Add fallback error handling for malformed callback data
• Cover callback-to-GetInvoice flow with integration and regression tests

Show Details

Open

PAY

PAY-001 CRITICAL

Payment Gateway Timeout

Payment fails when the provider response takes longer than 15 seconds. Users lose orders and money.

Payments Timeout Production

Environment: Production, Chrome 120, 3G network

Steps to Reproduce:

1. Add a product to the cart
2. Proceed to checkout
3. Enter card details
4. Click "Pay" on a slow connection

Actual Result: Timeout error "Session expired" after 15s

Expected Result: Payment is processed or a retry button is shown

Recommendations:

• Increase timeout to 30 seconds
• Add a retry mechanism (3 attempts)
• Show a progress indicator

Show Details

Verified

AUTH

AUTH-042 HIGH

Session Token in URL

Authentication token is visible in the browser address bar, allowing interception via browser history or proxy logs.

Security OAuth Token

Environment: All browsers after OAuth login

Steps to Reproduce:

1. Click "Sign in with Google"
2. Complete OAuth authorization
3. Check the URL after redirect

Actual Result: Token is visible: site.com/home?token=abc123

Expected Result: Token is stored only in an httpOnly cookie

Recommendations:

• Remove the token from URL parameters
• Use a secure cookie with SameSite=Strict
• Check access logs for exposed tokens

Show Details

Verified

UI

UI-089 MEDIUM

Menu Overlap on iPhone SE

Navigation menu items overlap on screens smaller than 375px.

Interface Responsive Mobile

Environment: iOS Safari, iPhone SE (375667)

Steps to Reproduce:

1. Open the site on iPhone SE
2. Tap the burger menu
3. Check how the menu items are positioned

Actual Result: Menu items overlap and some become inaccessible

Expected Result: All menu items are visible and clickable

Recommendations:

• Add a media query for screens below 375px
• Reduce font size or spacing
• Test on a real iPhone SE

Show Details

Verified

SYNC

SYNC-014 HIGH

Draft Loss After Page Refresh

Latest changes in a long form disappear if the user refreshes the page while autosave is delayed.

Data Loss Autosave Safari

Environment: Staging, Safari 17, unstable Wi-Fi

Steps to Reproduce:

1. Open a long form with autosave enabled
2. Enter data for 20-30 seconds
3. Refresh the page during synchronization

Actual Result: Latest changes disappear without warning

Expected Result: Draft is restored or a warning about unsaved changes is shown

Recommendations:

• Store unsynchronized state locally
• Add a sync status indicator
• Warn before reload when unsaved changes exist

Show Details

Open

ROLE

ROLE-031 CRITICAL

Privilege Escalation via Role Cache

After admin rights are revoked, the user can still perform protected actions for some time.

Environment: Production, SaaS admin panel

Steps to Reproduce:

1. Remove the administrator role from an existing user
2. Do not end the current session
3. Try to perform admin actions

Actual Result: Some admin endpoints remain accessible until the cache expires

Expected Result: Role changes apply immediately after permissions are updated

Recommendations:

• Invalidate the role cache after permission updates
• Validate roles server-side for sensitive actions
• Log access attempts after permission revocation

Show Details

Verified

AN

AN-022 MEDIUM

Purchase Event Missing in Analytics

A successful order is created, but the purchase event is not sent after one-click checkout.

Analytics GA4 Checkout

Environment: Production, GA4 + internal BI pipeline

Steps to Reproduce:

1. Start one-click checkout with a saved card
2. Complete payment successfully
3. Check network requests and the analytics dashboard

Actual Result: Order is created, but the revenue event is missing

Expected Result: Purchase event is sent once with the correct amount and order ID

Recommendations:

• Trigger analytics only after confirmed backend success
• Add alerts for drops in purchase events
• Cover checkout flows with a dedicated regression suite

Show Details

Verified

CHK

PERF-017 MEDIUM

Filters Reset After Catalog Pagination

After moving to the second catalog page, active filters disappear and the product list changes without warning.

Catalog Filters UX

Environment: Production, Chrome 123, desktop catalog

Steps to Reproduce:

1. Open the product catalog
2. Apply 2-3 filters and sorting
3. Go to the second results page

Actual Result: Filters reset and unfiltered items are shown

Expected Result: Filters remain applied during pagination

Recommendations:

• Add filters to URL parameters
• Use the History API for navigation
• Store filter state in sessionStorage

Show Details

Open

PDF

FILE-055 HIGH

PDF Invoice Remains Accessible After Logout

The invoice link continues to open the document even after the user session ends.

Security PDF Access

Environment: Production, customer portal, invoice history

Steps to Reproduce:

1. Sign in and open invoice history
2. Copy the direct PDF link
3. Log out and open the link in a new tab

Actual Result: Document downloads without a repeated access check

Expected Result: File access is blocked or requires fresh authorization

Recommendations:

• Validate authorization at the file endpoint level
• Use short-lived signed URLs
• Add audit logging for access to sensitive documents

Show Details

Open

SQL

SQL-008 CRITICAL

SQL Injection in Search Field

The search field does not escape special characters, allowing arbitrary SQL queries to execute.

Security SQL Injection Search

Environment: Production, product search, PostgreSQL 14

Steps to Reproduce:

1. Open the product catalog
2. Enter into search: '; DROP TABLE orders; --
3. Press Enter

Actual Result: Query executes without sanitization, creating a risk of data loss

Expected Result: Special characters are escaped and search remains safe

Recommendations:

• Use parameterized queries (prepared statements)
• Add input validation at the API layer
• Enable WAF rules for SQL injection patterns

Show Details

Verified

WARN

XSS-003 HIGH

XSS Through Review Field

User reviews are rendered without HTML escaping, allowing scripts to execute.

Security XSS Reviews

Environment: Production, product page, reviews section

Steps to Reproduce:

1. Open any product
2. Add a review with text: <script>alert('XSS')</script>
3. Save the review

Actual Result: Script executes when other users view the review

Expected Result: HTML tags are escaped and displayed as text

Recommendations:

• Use textContent instead of innerHTML
• Add CSP headers
• Audit all user-generated content output points

Show Details

Verified

TMO

RATE-007 MEDIUM

No API Rate Limiting

The password reset API endpoint has no request rate limits.

API Rate Limit Brute Force

Environment: Production, API endpoint /api/v1/password-reset

Steps to Reproduce:

1. Send a password change request
2. Repeat the request 100+ times per minute
3. Check the server responses

Actual Result: All requests are processed, enabling token brute force

Expected Result: After 5 failed attempts, a temporary block is applied

Recommendations:

• Add rate limiting (5 requests per minute)
• Implement exponential backoff
• Log suspicious activity

Show Details

Open

EXP

UPLOAD-012 HIGH

Executable File Upload

The avatar upload form accepts any file types, including .exe and .php.

Security File Upload Validation

Environment: Production, user profile, avatar upload

Steps to Reproduce:

1. Open profile settings
2. Select shell.php instead of an image
3. Upload the file

Actual Result: File uploads successfully and remains accessible via direct link

Expected Result: Validation error is shown, only images are allowed

Recommendations:

• Validate MIME type and file extension
• Check file magic bytes
• Store files outside the web root with renamed filenames

Show Details

Open

PAY

PAY-014 CRITICAL

Duplicate Charge After Payment Retry

If the user retries payment after a delayed provider response, two successful charges are created for the same order.

Payments Duplicate Charge Checkout

Environment: Production, checkout, Stripe fallback flow

Steps to Reproduce:

1. Place an order using a bank card
2. Wait for a delayed response from the payment provider
3. Click the "Pay" button again

Actual Result: Two successful payments and a duplicated webhook are created

Expected Result: Repeated click is blocked and the payment is processed once

Recommendations:

• Add an idempotency key for each payment request
• Disable the button after the first click until the provider responds
• Log duplicated webhooks and reconciliation cases separately

Show Details

Verified

BIL

PAY-029 MEDIUM

Incorrect Rounding During Partial Payment

When a bonus balance is used for partial payment, the checkout total differs from the amount sent to the payment provider.

Payments Rounding Bonuses

Environment: Production, bonus balance, partial card payment

Steps to Reproduce:

1. Add a product with fractional cents to the cart
2. Apply bonus balance to part of the amount
3. Proceed to card payment confirmation

Actual Result: One amount is shown in the UI while a different amount is sent to the provider

Expected Result: The amount matches across UI, backend, and provider

Recommendations:

• Unify rounding rules between frontend and backend
• Use minor units instead of float values
• Add autotests for bonus and mixed-payment scenarios

Show Details

Verified

AN

AN-031 HIGH

Refund Event Missing in Analytics

After a successful refund in the admin panel, the refund event does not reach either GA4 or the internal finance dashboard.

Analytics Refund Finance

Environment: Production, admin panel, refund workflow

Steps to Reproduce:

1. Open a paid order in the admin panel
2. Perform a partial or full refund
3. Check analytics events and the BI dashboard

Actual Result: Refund completes, but the refund event is never sent

Expected Result: Analytics is updated immediately after a successful refund

Recommendations:

• Send a dedicated refund event after backend confirmation
• Monitor gaps between orders and refunds in analytics
• Cover the refund flow with a dedicated regression scenario

Show Details

Open

UTM

AN-044 MEDIUM

UTM Parameters Lost After Login

After the user signs in, campaign attribution resets and orders are reported as direct / none.

Analytics UTM Attribution

Environment: Production, multi-step login before checkout

Steps to Reproduce:

1. Open a landing page with UTM parameters
2. Go to a product page and sign in
3. Finish checkout and verify source / medium

Actual Result: Order is registered as direct / none without campaign attribution

Expected Result: Original UTM parameters are preserved until purchase completion

Recommendations:

• Persist attribution state in sessionStorage or server session
• Do not overwrite source after the auth redirect
• Add checks for the login-to-checkout funnel

Show Details