TRUST
Verify the code you run
A wallet is only as trustworthy as the binary on your device. This page gives an honest account of what you can verify today and what is still in progress.
Open source
Source code is public. The iOS app you install should match a tagged commit in the repository.
Reproducible builds
Status: in progress. We are working toward fully reproducible iOS builds via EAS so that anyone can rebuild a tagged commit and confirm it matches the binary distributed through the App Store. Track progress on the GitHub Actions workflow in the repository.
Verifying TestFlight builds
- Note the build number shown in TestFlight.
- Find the matching tag in the GitHub repository.
- Compare the commit hash in the TestFlight release notes with the commit that tag points to.
- Once reproducible builds land, rebuild locally and diff against the published artifact.
These steps are placeholders until the reproducible-build pipeline is live.
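The tag-to-commit comparison in the steps above can be scripted. The following is an added example, not code from this project: it reads the output of `git ls-remote --tags` and checks the hash from the release notes against the commit the tag resolves to, using the peeled `^{}` entry for annotated tags. The tag names, the sample hashes and the 12-character minimum prefix are assumptions.

```python
import re

# Constructed sample of `git ls-remote --tags <repo-url>` output, not project data.
# v0.1.0 is a lightweight tag. v0.2.0 is annotated: its first line is the tag
# object id and the peeled "^{}" line is the commit it points to.
SAMPLE_LS_REMOTE = (
    "1111111111111111111111111111111111111111\trefs/tags/v0.1.0\n"
    "2222222222222222222222222222222222222222\trefs/tags/v0.2.0\n"
    "3333333333333333333333333333333333333333\trefs/tags/v0.2.0^{}\n"
)

MIN_HEX = 12  # assumption: shorter abbreviated hashes are rejected as ambiguous


def tag_commit(ls_remote_text, tag):
    """Return the commit id a tag resolves to, or None if the tag is absent."""
    direct = peeled = None
    for line in ls_remote_text.splitlines():
        parts = line.split()
        if len(parts) != 2:
            continue  # skip blank or malformed lines
        sha, ref = parts[0].lower(), parts[1]
        if ref == f"refs/tags/{tag}^{{}}":
            peeled = sha  # annotated tag: this is the underlying commit
        elif ref == f"refs/tags/{tag}":
            direct = sha  # lightweight tag: already the commit
    return peeled or direct


def verify_release(ls_remote_text, tag, claimed_hash):
    """Compare the hash from the release notes with the tag. Returns (ok, reason)."""
    claimed = claimed_hash.strip().lower()
    if not re.fullmatch(r"[0-9a-f]{%d,64}" % MIN_HEX, claimed):
        return False, "claimed hash is not a hex commit id of usable length"
    commit = tag_commit(ls_remote_text, tag)
    if commit is None:
        return False, f"tag {tag} not found in repository"
    if not commit.startswith(claimed):
        return False, f"tag {tag} resolves to {commit}, not {claimed}"
    return True, f"tag {tag} resolves to {commit}"


if __name__ == "__main__":
    # "2222..." is the tag object id, so it must not be accepted as the commit.
    for claimed in ("3333333333333333333333333333333333333333",
                    "2222222222222222222222222222222222222222"):
        print(verify_release(SAMPLE_LS_REMOTE, "v0.2.0", claimed))
```

For a real check, pass the text printed by `git ls-remote --tags` for the repository in place of the sample.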
Audit status
Unaudited as of 2026-04-29. An independent audit is planned before public launch. The current status is tracked in the GitHub repository.
Reporting vulnerabilities
Email security@paycashu.com. Please encrypt sensitive reports to the GPG key below and allow us 90 days to triage and ship a fix before public disclosure.
GPG fingerprint: 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 (placeholder)