Security & Compliance

Built for businesses
that take security seriously.

ArcFX is non-custodial by design. We never hold your funds, never store your private keys, and every transaction is verifiable on-chain. Here is exactly how it works.

Non-custodial
ArcFX never holds, moves, or controls your funds. Every transaction is signed by your wallet and executed directly on Arc. We have no access to your assets at any point.
On-chain verifiable
Every payment, batch transfer, and fee collection settles on Arc and is verifiable on ArcScan. ArcFX additionally indexes these public on-chain events into a database to power analytics and the developer API — but settlement itself is always on-chain, never in a private ledger.
No private key storage
ArcFX never requests, stores, or transmits private keys or seed phrases. Wallet connection uses MetaMask — your keys stay in your browser.
Safe / Multi-sig compatible
ArcFX is non-custodial and interacts with standard ERC-20 tokens, so it is designed to work with smart-contract wallets such as Safe (Gnosis Safe). Full Safe multi-sig support is on our roadmap and not yet independently verified end-to-end on Arc.
How the architecture works

ArcFX is a frontend interface that connects your wallet directly to two smart contracts on Arc. There is no ArcFX server involved in transaction execution. When you make a payment, the flow is:

Your wallet → ArcFXPayments.sol → Recipient wallet
The smart contract deducts 0.15% to the treasury address and forwards the remainder to the recipient — all in one atomic transaction. If any step fails, the entire transaction reverts. You cannot lose funds to a partial execution.

For batch transfers via Multisender: Your wallet → ArcFXMultisender.sol → Up to 500 recipient wallets
Executed in a single on-chain transaction. The contract validates all recipients before execution begins.

Deployed contracts (Arc Testnet)
⚠ ArcFX is currently live on Arc Testnet only. Mainnet contracts will be deployed when Arc Mainnet launches. Testnet USDC has no real-world value.
ArcFXPayments.sol
0xc37D88f17573f13F7A27D33a502f5f1fB7D545D3
Handles Pay Links and Invoice payments. Collects 0.15% protocol fee automatically. Emits PaymentExecuted event for every transaction. View on ArcScan ↗
ArcFXMultisender.sol
0xF7aeb369bB50b7d9E2DDe7d3aC386B5ed6e71398
Handles batch USDC/EURC transfers to up to 500 wallets in a single transaction. Free tier (≤5 recipients) and Pro tier (≤500). 0.15% fee on Pro batches. View on ArcScan ↗
What ArcFX can and cannot do
✓ What ArcFX can do
Collect 0.15% fee when a payment executes
Read your wallet address and token balances
Request transaction approvals from your wallet
Display your on-chain transaction history
✗ What ArcFX cannot do
Move your funds without your signature
Access your private key or seed phrase
Freeze or pause your wallet or funds
Reverse or cancel a completed transaction
Data storage & privacy

ArcFX keeps your in-app data — your address book, saved invoice details and logo, and any scheduled payouts — entirely in your browser's localStorage; it never leaves your device, and invoice PDFs and receipts are generated client-side. The one exception: if you create a developer API key, we store the email address you provide and the request IP for that issuance, solely to issue the key and prevent abuse. We don't collect personal data beyond that.

The only data ArcFX reads from external sources is your on-chain transaction history, fetched directly from Arc Testnet RPC and ArcScan. This is public blockchain data, the same data available to anyone with your wallet address.

ArcFX does not use cookies, tracking pixels, or analytics beyond what is strictly necessary for the application to function. There is no advertising, no user profiling, and no data sold to third parties.

Smart contract audit status
⚠ ArcFX smart contracts have not yet been formally audited by a third-party security firm. We are currently on Arc Testnet — mainnet deployment will follow a professional audit.

Our contracts are open source — browse the contract code at github.com/Qazza1/arcfx-contracts. We encourage security researchers to review the code. Responsible disclosure of any vulnerabilities should be sent to security@arcfx.app.

Security testing to date. Ahead of the formal audit, we run our own testing as part of development: static analysis with Slither (Trail of Bits) and property/fuzz testing with Foundry. Findings from this internal review — including checked ERC-20 return values, a Checks-Effects-Interactions ordering pass, and a pinned compiler version — have been remediated in source and are slated to ship in the audited contracts deployed for mainnet. The current Testnet contracts are an earlier build; this internal testing is not a substitute for the independent third-party audit below.

A formal audit from a reputable security firm is planned prior to Arc Mainnet launch. Audit reports will be published publicly.

Enterprise security review
Need a security questionnaire completed, a custom compliance review, or have specific questions about ArcFX's architecture? We're happy to work with your security team directly.
Contact security team →