Bounty Reward

Reward: 1000 MRG

Goal

Implement a USDT crypto payment intake flow for MergeOS so customers can fund projects through supported crypto payment gateways, the gateway can send a verified callback/webhook to the backend server, and MergeOS can update project payment state, MRG token credit, admin review, and public proof ledger records safely.

Scope

• Support USDT payment intake through a configurable crypto payment gateway provider.
• Add a provider abstraction so additional coin payment gateways can be added later without rewriting the funding flow.
• Provide sandbox/test-mode configuration through environment variables or documented local config.
• Add a backend callback/webhook endpoint for payment status updates.
• Verify gateway callback signatures or shared secrets before mutating payment state.
• Handle idempotency so repeated callbacks do not mint duplicate MRG credit or duplicate ledger entries.
• Map gateway statuses into MergeOS payment states such as pending, confirmed, expired, failed, or refunded where applicable.
• Store sanitized proof metadata for admin review and the public proof ledger without leaking private customer data or gateway secrets.
• Keep real production crypto credentials out of the repository.

Sandbox/Test Requirements

• Include a documented sandbox/test configuration path for local development.
• If the selected gateway does not provide a real sandbox, include a deterministic mock/test provider that exercises the same server callback flow.
• Provide sample non-secret environment variable names for the provider, webhook secret, callback URL, and default USDT network.
• Include tests or a clear local verification script for successful, failed, duplicate, and invalid-signature callbacks.

Acceptance Criteria

• A contributor comments on the Claim MRG Tokens issue before starting work: Claim MRG Tokens for Bug Bounty Reports - Comment New Bugs Here Before Opening a PR #1
• A PR links back to this issue and describes the selected gateway/test provider.
• The backend exposes a documented callback/webhook route for USDT payment updates.
• The callback handler verifies authenticity before updating server state.
• Duplicate callbacks are safe and do not duplicate token minting or ledger records.
• Admin payment/ledger views show the USDT payment result.
• Public ledger output remains sanitized and does not expose customer secrets, raw private payloads, or internal credentials.
• Backend tests and frontend/admin build checks pass.

Required PR Evidence

Every PR for this bounty must include:

• Screenshot or recording of the USDT payment/invoice/test provider flow.
• Screenshot or recording of the server receiving and processing the callback.
• Screenshot or recording of the MergeOS admin payment or ledger result.
• Short written test notes covering sandbox config, callback URL, duplicate callback behavior, and invalid signature behavior.

Labels

bounty, bounty: feature, payment, crypto, usdt, webhook, sandbox, reward:1000-mrg, evidence: missing