The short answer is that the law does not regulate you directly. It regulates issuers. But the downstream effects on which stablecoins you accept, how you document transactions, and how you handle tax reporting are real. This article breaks down what you need to know, what you need to do, and why your choice of payment gateway matters more than ever.
The Guiding and Establishing National Innovation for U.S. Stablecoins Act creates a two-tier licensing system for stablecoin issuers. Issuers with more than $10 billion in outstanding tokens must register with a federal regulator. Smaller issuers can opt for state-level oversight, provided their state framework meets federal minimum standards.
The main requirements for issuers include:
None of these obligations fall on merchants. But they reshape the stablecoin market you operate in. Stablecoins that meet GENIUS Act standards will carry a form of regulatory legitimacy that unregulated tokens will not. For a deeper look at the bill itself, see the GENIUS Act page on Congress.gov.
Circle, the issuer of USDC, has been positioning for federal regulation for years. It already publishes monthly reserve attestations from Deloitte and holds reserves primarily in short-term Treasuries and cash at regulated banks. USDC is widely expected to be among the first stablecoins to achieve full GENIUS Act compliance.
Tether (USDT) presents a more complicated picture. Tether is incorporated offshore, and its reserve disclosures have historically been less transparent than Circle’s. Whether Tether will pursue GENIUS Act licensing — or whether it even can under the current framework — remains an open question. If you are weighing which stablecoin to prioritize, our comparison of USDT vs USDC for merchant acceptance covers the tradeoffs in detail.
Several major banks, including JPMorgan and Bank of America, have signaled interest in issuing their own stablecoins under the new framework. Within 12 to 18 months, merchants may face a market with three categories of stablecoins: federally regulated, state-regulated, and unregulated offshore tokens.
The GENIUS Act does not impose direct compliance obligations on merchants who accept stablecoin payments. You are not an issuer, a custodian, or a money transmitter (assuming you use a non-custodial gateway). However, you still operate within existing tax and financial reporting frameworks that apply to any business receiving payment in digital assets.
You should maintain records of every stablecoin payment you receive. At minimum, each record should include:
This is not a new requirement under the GENIUS Act. It is standard practice under existing IRS guidance. But as regulatory scrutiny increases, sloppy record-keeping becomes a larger liability.
If you convert stablecoins to fiat immediately upon receipt, document the conversion rate, the platform used, and any fees incurred. If you hold stablecoins before converting, you will need to track the cost basis at the time of receipt and the fair market value at the time of conversion or disposal.
For stablecoins pegged 1:1 to USD, the cost basis calculation is straightforward in most cases. But de-peg events — however rare — can create reportable gains or losses. Your records need to capture these edge cases.
The IRS treats stablecoins as property, not currency. This classification has not changed under the GENIUS Act, and there is no indication it will change soon. The practical consequences for merchants are well-established but frequently misunderstood.
When you receive a stablecoin payment, you recognize income equal to the fair market value of the tokens at the time of receipt. For a stablecoin trading at $1.00, this is functionally identical to receiving USD. You report this as ordinary business income.
If you hold stablecoins and their value fluctuates — even by fractions of a cent — you may realize a capital gain or loss when you eventually convert or spend them. In practice, these amounts are negligible for stablecoins that maintain their peg. But the reporting obligation exists, and the IRS expects compliance.
The IRS published updated guidance on digital asset reporting in its FAQ on virtual currency transactions. If you accept stablecoins at any volume, review this guidance or consult a tax professional familiar with digital assets.
Starting in tax year 2026, brokers and certain digital asset platforms are required to issue Form 1099-DA for reportable transactions. If you use a custodial exchange to convert stablecoins, you may receive this form. If you use a non-custodial gateway and self-custody your funds, you are responsible for your own reporting — but you also avoid the counterparty risk that comes with custodial platforms.
Here is where the choice of payment infrastructure directly affects your regulatory exposure. Custodial gateways hold your funds on your behalf. Under evolving AML regulations, custodial providers may be classified as money services businesses, which subjects them — and potentially their merchants — to additional reporting requirements.
A non-custodial payment gateway never takes possession of your funds. Payments flow directly from the customer’s wallet to yours. This architecture has three compliance advantages:
This distinction will become more important as the GENIUS Act’s secondary regulations take shape. The law directs federal regulators to issue additional rules for entities that “facilitate” stablecoin transactions. Non-custodial gateways, by design, minimize the facilitation surface area.
You do not need to wait for every regulation to finalize before accepting stablecoins. But you should build your payment infrastructure with compliance in mind from day one. Here is a practical checklist:
Prioritize stablecoins from issuers pursuing GENIUS Act compliance. USDC is the safest bet today. As bank-issued stablecoins enter the market, evaluate them based on reserve transparency and redemption terms. See our fee comparison between stablecoins and credit cards to understand the cost savings at stake.
Avoid unnecessary regulatory exposure by choosing a gateway that does not hold your funds. This is not just a security decision — it is a compliance decision. Compare your options in our 2026 crypto payment gateway comparison.
Use accounting integrations or export tools to capture every transaction with the data fields listed above. Manual tracking does not scale, and gaps in your records create audit risk.
General accountants may not understand the nuances of stablecoin taxation. Find a CPA or tax attorney with specific digital asset experience. The cost is minor compared to the risk of misreporting.
The GENIUS Act is a starting point, not the finish line. Secondary rulemaking, state-level variations, and potential IRS updates will continue through 2026 and beyond. Stay informed through industry associations and your gateway provider’s compliance updates.
Many merchants view regulation with anxiety. That reaction is understandable but misplaced in this context. The GENIUS Act does not restrict merchants from accepting stablecoins. It creates a framework that makes stablecoins safer and more predictable for everyone in the payment chain.
Regulated stablecoins backed by audited reserves reduce your exposure to de-peg events. Federal oversight of issuers means the tokens you accept are more likely to be redeemable at par when you need to convert. And the regulatory clarity itself removes a major objection that enterprise buyers and B2B partners have cited when asked to pay in crypto.
For context on how stablecoins have already proven their resilience during market stress, see our analysis of stablecoins as a safe haven beyond Bitcoin and gold. The GENIUS Act reinforces the thesis that stablecoins are becoming infrastructure, not speculation.
The merchants who move early — building compliant payment stacks while competitors wait for perfect clarity — will capture the cost savings and the customer base that comes with accepting the next generation of digital dollars. The regulatory framework is here. The question is whether you are ready to use it.
Aurpay is the non-custodial payment gateway that never holds your funds. No counterparty risk. No withdrawal delays. Just crypto payments, direct to your wallet. Learn more about Aurpay.
]]>If you are a merchant exploring stablecoin payments, the network you choose matters as much as the token itself. This guide breaks down why TRC-20 USDT has become the default rail for low-cost crypto payments, how it compares to alternatives, and what you need to know before accepting it in your store.
USDT (Tether) exists on multiple blockchains simultaneously. The token is the same — each unit is backed by the same reserve and redeemable at the same value. What differs is the network that moves it. Think of it like sending a package: the contents are identical, but shipping via express air costs more than ground freight.
TRC-20 is the token standard on the Tron blockchain. When someone sends you TRC-20 USDT, the transaction is validated by Tron’s delegated proof-of-stake network, which processes blocks every 3 seconds and charges minimal fees. ERC-20 USDT, by contrast, rides on Ethereum, where block space is expensive and gas fees fluctuate with network congestion.
For merchants, the practical difference is simple: accepting TRC-20 USDT means your customers pay less in network fees, transactions confirm faster, and your effective cost per payment drops dramatically compared to credit card processing or Ethereum-based stablecoins.
The table below compares the four most common networks for USDT transfers. These figures reflect typical conditions as of early 2026 — fees on Ethereum and Solana can vary with congestion.
| Metric | ERC-20 (Ethereum) | TRC-20 (Tron) | BEP-20 (BNB Chain) | Solana (SPL) |
|---|---|---|---|---|
| Typical transfer fee | $2 – $5 | ~$0.1 | $0.05 – $0.20 | $0.001 – $0.01 |
| Block time | ~12 seconds | ~3 seconds | ~3 seconds | ~0.4 seconds |
| Practical finality | ~2 minutes (12 confirmations) | ~1 minute (20 confirmations) | ~45 seconds (15 confirmations) | ~5 seconds |
| USDT circulating supply | ~$95B | ~$85B | ~$4B | ~$2B |
| Daily USDT transfer volume | ~$8B | ~$15B | ~$1.5B | ~$1B |
| Stripe support | Yes (limited) | No | No | Yes (limited) |
The numbers tell the story. TRC-20 USDT processes nearly twice the daily transfer volume of ERC-20 despite holding a smaller circulating supply — a clear signal that users prefer Tron for actual payments. Meanwhile, Solana offers the lowest raw fees, but its USDT ecosystem is far smaller, which means fewer wallets, fewer exchanges offering direct withdrawals, and less liquidity for merchants.
Solana’s fees are technically lower than Tron’s. But fees alone do not determine the best payment network. Several factors tip the balance toward TRC-20 for merchant use:
For merchants who want the broadest customer compatibility at the lowest practical cost, TRC-20 remains the strongest default choice.
This is the question that comes up in almost every merchant conversation about TRC-20. Tron’s reputation in Western markets has been mixed, partly due to its founder’s controversial public profile and partly due to association with illicit fund flows in early reporting. Here is what the data actually shows:
The practical takeaway: Tron is not a fringe network. It is the dominant USDT transfer layer by volume, used daily by millions of people for real-value transactions. For payment processing, reliability and adoption matter more than decentralization philosophy.
Fees affect more than your bottom line. They shape your customer’s checkout experience. Consider a $50 purchase:
If you are selling products under $100, network fees on Ethereum can represent a meaningful percentage of the order. TRC-20 eliminates this friction point. For Shopify merchants accepting USDT, offering TRC-20 as the default network option reduces cart abandonment at the payment step.
The best merchant strategy is not to choose one network exclusively. It is to support multiple networks and let the customer decide based on their wallet. A customer who already holds ERC-20 USDT should not be forced to swap to TRC-20 — the swap fees would negate the savings.
Payment gateways like Aurpay handle this automatically. The checkout page detects which network the customer selects and generates the correct deposit address. You receive the same USDT regardless of which chain delivered it. This is a concrete advantage over Stripe’s stablecoin support, which is limited to specific chains and does not include TRC-20.
Merchants often compare stablecoin payments against credit cards rather than against other crypto networks. Here is how TRC-20 USDT stacks up against standard card processing for a business doing $50,000 in monthly revenue:
| Cost Component | Credit Card (Stripe/Square) | TRC-20 USDT (Aurpay) |
|---|---|---|
| Transaction fee | 2.9% + $0.30 per transaction | 0.8% per transaction |
| Monthly cost on $50K | ~$1,450 + per-tx fees | ~$500 |
| Chargeback risk | Yes ($15-25 per dispute) | None (blockchain finality) |
| FX conversion fee | 1-2% on international cards | None (USDT is USD-denominated) |
| Settlement time | 2-7 business days | Under 1 minute |
The savings compound quickly. A merchant processing $50,000 monthly through TRC-20 USDT instead of credit cards could save roughly $950 per month — over $11,000 annually. That figure grows further when you factor in eliminated chargebacks and FX fees on cross-border transactions.
Setting up TRC-20 USDT payments is straightforward if you use a payment gateway that supports it natively. Here is the general process:
Not all crypto payment processors support Tron. Verify that your gateway handles TRC-20 deposits and provides automatic address generation per transaction. Aurpay supports TRC-20 alongside ERC-20, BEP-20, and other major networks.
For Shopify stores, follow the USDT Shopify integration guide. For WooCommerce, the WooCommerce stablecoin gateway setup covers plugin installation and configuration. Both platforms support TRC-20 without custom development.
Decide whether you want to hold received USDT or auto-convert to fiat. Most gateways offer both options. If you choose to hold USDT, you maintain a dollar-pegged balance without bank intermediaries. If you prefer fiat, the gateway handles conversion and deposits to your bank account.
Add a note on your checkout or payment page indicating that you accept USDT and that TRC-20 offers the lowest fees. Crypto-native customers will recognize this immediately. For others, a brief explainer reduces confusion.
TRC-20 USDT is the best default for most merchant payment scenarios, but there are exceptions:
The right approach for most merchants is to support TRC-20 as the recommended option while keeping other networks available. Let the customer choose. Reduce friction everywhere you can.
TRC-20 USDT is not just a cheaper alternative to credit cards. It is part of a broader shift in how global commerce settles value. When a merchant in Europe receives payment from a customer in Southeast Asia via TRC-20 USDT, the transaction settles in under a minute with no correspondent banking chain, no FX spread, and no weekend delays.
This is the infrastructure layer that forward-looking merchants are building on. The network you choose today — TRC-20, ERC-20, or multi-chain — determines your cost structure for every transaction going forward. For most merchants, TRC-20 USDT offers the best combination of low fees, fast settlement, broad wallet compatibility, and proven reliability.
You can track live TRC-20 network statistics, including daily transaction counts and fee trends, on Tronscan.
Credit card fees eat 2.9% of every sale. Stablecoin payments through Aurpay cost a fraction of that — with no chargebacks, no FX fees, and instant settlement. See how much you save.
]]>A custodial crypto payment gateway works like a traditional payment processor with an extra step. When a customer sends crypto to pay for your product, the funds land in a wallet controlled by the gateway — not yours. The gateway pools your payments with those of every other merchant on the platform, converts them on its own schedule, and eventually sends you a settlement, typically days later.
BitPay is the most well-known example. When a customer pays a BitPay merchant in Bitcoin, the BTC goes to a BitPay-controlled address. BitPay then converts it to fiat (or holds it in crypto, depending on your settings) and issues a bank transfer, usually within one to two business days. NOWPayments follows a similar model. So does CoinGate.
This feels familiar because it mirrors the credit card world: Stripe holds your funds, takes a cut, and pays you later. The difference is that Stripe operates within a mature regulatory framework with FDIC-insured partner banks. Custodial crypto gateways operate in a space where those protections often do not exist.
A non-custodial crypto payment gateway never takes possession of your funds. Instead, it generates a unique payment address derived from your own wallet for each transaction. When a customer pays, the crypto moves directly from their wallet to yours. The gateway facilitates the transaction (monitoring the blockchain for confirmation, triggering order fulfillment in your e-commerce platform) but at no point does it hold, pool, or control your money.
Aurpay operates on this model. You connect your own wallet address during setup. Every payment your customers make is routed directly to that address. There is no intermediary balance. No withdrawal button. No settlement delay. The crypto is yours the moment the blockchain confirms the transaction.
This distinction sounds simple, but what follows from it is not.
Counterparty risk is the possibility that the entity holding your assets fails, freezes, or disappears — taking your money with it. In traditional finance, this risk is mitigated by deposit insurance, regulatory oversight, and decades of legal precedent. In crypto, those safeguards are still developing.
The collapse of FTX in November 2022 remains the clearest example. FTX held billions in customer deposits. When the exchange became insolvent, those deposits were frozen. Merchants, traders, and institutions with funds on the platform waited years for partial recovery through bankruptcy proceedings. Many received a fraction of what they were owed.
Celsius Network told the same story from a different angle. The crypto lending platform froze withdrawals in June 2022, filed for bankruptcy the following month, and left creditors fighting over roughly $3 billion in remaining assets.
These were not payment gateways. But the underlying risk is identical. Any time a third party holds your crypto, you are exposed to their solvency, their security practices, and their regulatory standing. If a custodial payment gateway gets hacked, faces a regulatory freeze, or simply mismanages funds, your revenue is caught in the blast radius.
With a non-custodial gateway, that risk does not exist. There is no intermediary balance to freeze. No pooled funds to lose. Your wallet is your wallet.
Custodial gateways introduce settlement delays because they batch-process payments. They collect funds from many merchants, perform conversions, run compliance checks, and then disburse. Depending on the provider, settlement takes one to five business days — sometimes longer for new accounts or large volumes.
Non-custodial gateways settle at the speed of the blockchain itself. A USDT payment on Tron confirms in seconds. USDC on Ethereum settles in under two minutes. Bitcoin typically confirms within ten to sixty minutes depending on network conditions. In every case, the funds are in your wallet as soon as the transaction is confirmed. There is no second step.
For merchants managing cash flow tightly — especially those in e-commerce, SaaS, or freelance services — the difference between “funds available in seconds” and “funds available in three business days” is significant. It affects how quickly you can restock inventory, pay suppliers, or reinvest in growth. If you want to understand how these speed advantages compare to credit card timelines, the fee and settlement comparison for merchants breaks down the numbers.
Custodial gateways are money transmitters. They hold customer funds, which triggers licensing requirements in nearly every jurisdiction. In the U.S., that means state-by-state money transmitter licenses, FinCEN registration, and compliance with the Bank Secrecy Act. In the EU, it means registration under MiCA. These requirements create compliance overhead for the gateway — and by extension, create dependency for you. If your custodial gateway loses a license or exits a market, your payment processing stops.
The evolving GENIUS Act framework is adding further clarity to stablecoin regulation, but the core principle remains: holding other people’s money invites regulation. Not holding other people’s money does not.
Non-custodial gateways occupy a fundamentally different regulatory position. Because they never take possession of funds, they function more like software tools than financial intermediaries. You, the merchant, receive payments directly. You handle your own tax reporting. You manage your own wallet security. The gateway provides the infrastructure (payment pages, blockchain monitoring, e-commerce plugin integration) without ever touching the money.
This does not mean non-custodial merchants have zero compliance obligations. You still need to report income, manage tax records, and follow the laws of your jurisdiction. But your payment infrastructure is not a single point of regulatory failure.
Not every merchant needs the same setup. Here is how the two models compare across the dimensions that matter most:
For merchants evaluating multiple providers, the 2026 crypto payment gateway comparison covers how the major players stack up on fees, custody model, and supported currencies.
Understanding the technical flow helps clarify why non-custodial gateways can operate without holding funds. Here is what happens when a customer pays a Shopify store using Aurpay:
The entire flow takes under a minute for stablecoin payments on fast chains. If you are running a Shopify store and want to set this up, the guide to accepting USDT on Shopify walks through the integration step by step.
Non-custodial gateways matter most for merchants who sell internationally. Custodial providers depend on banking relationships in each market they serve. If a provider cannot settle in a particular currency or jurisdiction, merchants in that region are out of luck.
Non-custodial gateways sidestep this entirely. Because payments go directly to the merchant’s wallet, there is no banking dependency on the gateway side. A merchant in Singapore, Nigeria, or Argentina receives the same USDT to the same wallet address, regardless of local banking infrastructure. The cross-border stablecoin settlement guide explores how this model works in practice for businesses navigating sanctions-adjacent corridors.
In a global economy where stablecoins are increasingly functioning as a safe haven asset class, the ability to receive and hold stablecoins without intermediary conversion is a real business edge, not just a technical preference.
Fair concern. Non-custodial gateways give you crypto directly, which means you handle conversion yourself if you want fiat. In practice, this is straightforward: most merchants use an exchange account or an OTC desk to convert stablecoins to local currency on their own schedule. The tradeoff is that you control the timing and the rate, rather than accepting whatever conversion the custodial gateway applies.
Wallet security is your responsibility in the non-custodial model. That means using hardware wallets, maintaining proper backups, and following standard operational security practices. For merchants processing significant volume, this is a worthwhile investment. The alternative — trusting a third party — carries its own risks, as FTX and Celsius demonstrated.
Crypto payments are irreversible by design, whether custodial or non-custodial. Neither model offers traditional chargebacks. The difference is that with a non-custodial gateway, you have the funds immediately and can manage refunds on your own terms, rather than having a custodial provider freeze or claw back funds during a dispute.
Aurpay is the non-custodial payment gateway that never holds your funds. No counterparty risk. No withdrawal delays. Just crypto payments, direct to your wallet. Learn more about Aurpay.
]]>This article breaks down the real numbers. No vague promises about “blockchain efficiency.” Instead, you get a side-by-side cost model across three revenue tiers, covering processing fees, chargebacks, foreign exchange costs, and settlement timing.
Credit card processing fees are not a single line item. They are a stack of charges that compound across every transaction. Here is what a typical merchant pays through Stripe:
PayPal charges 3.49% + $0.49 for standard processing — even higher than Stripe for most transaction sizes. Square sits at 2.6% + $0.10 for in-person, 2.9% + $0.30 for online. The floor for credit card processing is roughly 2.6%, and most e-commerce merchants pay closer to 3.5% when international and FX fees are included.
Stablecoin payments operate on a fundamentally different cost structure. There is no interchange network, no card association fees, and no dispute arbitration layer. Here is what you pay through a gateway like Aurpay:
The detail worth noting: on TRC-20 (Tron network), the sender typically covers the network fee. Your cost as a merchant is the 1% gateway fee and nothing else. No hidden charges, no monthly minimums, no PCI compliance overhead.
The following tables model total monthly payment processing costs across three revenue tiers. Each assumes an average transaction size of $85 (typical for mid-market e-commerce) and a 1.2% chargeback rate for credit cards.
At $10K monthly revenue, you process approximately 118 transactions.
| Cost Category | Credit Card (Stripe) | Stablecoin (Aurpay, TRC-20) |
|---|---|---|
| Processing fee | $290.00 (2.9%) | $100.00 (1%) |
| Per-transaction fee | $35.40 (118 x $0.30) | $0.00 |
| International surcharge (30% of txns) | $45.00 (1.5% on $3,000) | $0.00 |
| Chargebacks (1.2% rate, $15 each) | $21.18 (1.4 disputes x $15) | $0.00 |
| Chargeback losses (50% lost) | $59.50 (0.7 x $85) | $0.00 |
| PCI compliance | $20.00 | $0.00 |
| Total monthly cost | $471.08 | $100.00 |
| Effective rate | 4.71% | 1.00% |
Monthly savings with stablecoins: $371.08
At $50K monthly revenue, you process approximately 588 transactions.
| Cost Category | Credit Card (Stripe) | Stablecoin (Aurpay, TRC-20) |
|---|---|---|
| Processing fee | $1,450.00 (2.9%) | $500.00 (1%) |
| Per-transaction fee | $176.40 (588 x $0.30) | $0.00 |
| International surcharge (30% of txns) | $225.00 (1.5% on $15,000) | $0.00 |
| Chargebacks (1.2% rate, $15 each) | $105.90 (7.06 disputes x $15) | $0.00 |
| Chargeback losses (50% lost) | $300.05 (3.53 x $85) | $0.00 |
| PCI compliance | $20.00 | $0.00 |
| Total monthly cost | $2,277.35 | $500.00 |
| Effective rate | 4.55% | 1.00% |
Monthly savings with stablecoins: $1,777.35
At $100K monthly revenue, you process approximately 1,176 transactions.
| Cost Category | Credit Card (Stripe) | Stablecoin (Aurpay, TRC-20) |
|---|---|---|
| Processing fee | $2,900.00 (2.9%) | $1,000.00 (1%) |
| Per-transaction fee | $352.80 (1,176 x $0.30) | $0.00 |
| International surcharge (30% of txns) | $450.00 (1.5% on $30,000) | $0.00 |
| Chargebacks (1.2% rate, $15 each) | $211.68 (14.11 disputes x $15) | $0.00 |
| Chargeback losses (50% lost) | $599.68 (7.06 x $85) | $0.00 |
| PCI compliance | $20.00 | $0.00 |
| Total monthly cost | $4,534.16 | $1,000.00 |
| Effective rate | 4.53% | 1.00% |
Monthly savings with stablecoins: $3,534.16. Annual savings: $42,409.92.
| Monthly Revenue | Annual Credit Card Cost | Annual Stablecoin Cost | Annual Savings |
|---|---|---|---|
| $10,000 | $5,652.96 | $1,200.00 | $4,452.96 |
| $50,000 | $27,328.20 | $6,000.00 | $21,328.20 |
| $100,000 | $54,409.92 | $12,000.00 | $42,409.92 |
Chargebacks deserve their own section because they represent a cost that most merchants undercount. The direct fee ($15-$25 per dispute) is only the beginning. Here is the full chargeback cost stack:
Stablecoin transactions are settled on-chain. Once confirmed, they cannot be reversed by a third party. There is no dispute mechanism, no arbitration, and no fee. If you sell digital goods, high-value items, or operate in a high-chargeback vertical, this alone can justify the switch.
If you sell internationally — and most e-commerce merchants do — foreign exchange fees silently compound your costs. A European customer paying with a Visa card triggers the following:
Your effective rate on a $100 international transaction: 5.7%. For a merchant doing 30% international sales at $50K/month, that is an extra $225/month in FX costs alone — accounted for in the tables above.
Stablecoins like USDT and USDC are USD-denominated by design. A customer in Germany, Nigeria, or Thailand sends the same dollar-pegged token. No conversion, no spread, no intermediary bank taking a cut. If you need to understand which stablecoin fits your business, read our guide on USDT vs USDC for merchants.
Credit card settlement typically takes 2-3 business days for established merchants. New accounts or flagged transactions can take 7-14 days. Rolling reserves — where the processor holds 5-10% of your volume for 6 months — are common in higher-risk categories.
Stablecoin settlements arrive in your wallet within minutes. On TRC-20, confirmation takes under 3 minutes. On Ethereum L1, 12-15 minutes. There is no rolling reserve, no hold period, and no intermediary deciding when you can access your own revenue.
For a business processing $100K/month, the difference between 3-day settlement and instant settlement represents roughly $10,000 in float at any given time. That is working capital you currently lend to your payment processor for free.
A fair comparison requires acknowledging where credit cards retain advantages:
The practical approach for most merchants is not to replace credit cards entirely but to offer stablecoins as an additional payment option. Customers who prefer lower prices (you can pass on the fee savings as a discount) or who already hold stablecoins will self-select into the cheaper channel.
One structural difference that does not show up in fee comparisons: custody. With credit card processors, your revenue sits in their account until they release it. With a non-custodial payment gateway, stablecoin payments go directly to your wallet. No intermediary holds your funds, ever.
This matters beyond cash flow. It eliminates platform risk — the scenario where a processor freezes your account during a dispute review or policy change. For merchants in regulated or politically sensitive categories, non-custodial settlement is a hard requirement.
Not all stablecoin payment gateways charge the same fees or support the same networks. When evaluating options, compare on these dimensions:
For a detailed breakdown, see our 2026 gateway comparison. If you are already processing at scale and want to automate the invoicing layer, our guide on AI-powered crypto invoicing covers the workflow.
The practical move is a dual-channel payment strategy: keep credit cards for customers who expect them, and add stablecoins for cost-sensitive or crypto-native buyers. Here is what that looks like in practice:
A merchant-level stablecoin payment strategy does not require abandoning traditional rails. It requires understanding where each channel performs best — and routing volume accordingly.
Credit card fees eat 2.9% of every sale. Stablecoin payments through Aurpay cost a fraction of that — with no chargebacks, no FX fees, and instant settlement. See how much you save.
]]>This guide walks you through the entire process: installing the plugin from WordPress.org, connecting your wallet, running a test transaction, and going live. If you can install a WordPress plugin, you can accept stablecoins. The whole setup takes about 15 minutes.
Credit card processors charge 2.9% plus a per-transaction fee on every sale. For a store doing $10,000 per month, that is $290 lost to payment processing before you account for chargebacks, currency conversion, or gateway fees. Stablecoin payments eliminate most of these costs. Transaction fees on networks like Tron (TRC-20) run under $1 regardless of payment size, and there are no chargebacks because blockchain transactions are final.
Stablecoins also solve the volatility problem that keeps many merchants away from crypto. Unlike Bitcoin or Ethereum, stablecoins like USDT and USDC are pegged to the US dollar. When a customer pays you 100 USDT, you receive 100 USDT — not a fluctuating amount that could be worth 92 dollars by the time you convert it. For a deeper comparison of how stablecoin fees stack up against traditional processors, see our merchant fee breakdown.
Cross-border transactions are where the savings become dramatic. Wire transfers and international credit card payments carry FX conversion fees, intermediary bank charges, and settlement delays of 2-5 business days. A stablecoin payment from a customer in Singapore to a merchant in Germany settles in seconds, at the same sub-dollar fee, with no currency conversion required.
Gather the following before you begin. The setup process is smooth when everything is ready upfront.
You do not need a merchant account, KYC documents, or any coding knowledge. If you already have a preferred wallet like MetaMask, Trust Wallet, or a hardware wallet like Ledger, you can use the address from any of these.
Log in to your WordPress admin dashboard. Navigate to Plugins → Add New and search for “Aurpay” in the search bar. The plugin appears as Aurpay — Crypto Payment Gateway for WooCommerce. Click Install Now, then Activate.
Alternatively, you can download the plugin directly from the Aurpay WooCommerce plugin page or the WordPress.org plugin directory and upload it via Plugins → Add New → Upload Plugin.
After activation, the plugin adds an Aurpay settings page. You will need a free Aurpay merchant account to generate your API credentials. Go to aurpay.net, sign up with your email, and create a new store project. The dashboard gives you two things you need: your Merchant ID and your API Key.
Copy both values. You will paste them into the plugin settings in the next step.
In your WordPress dashboard, go to WooCommerce → Settings → Payments. You will see “Aurpay — Cryptocurrency Payment” listed among your payment methods. Click Manage to open the configuration panel.
Fill in the following fields:
In the Aurpay merchant dashboard (not WordPress), navigate to Settings → Wallet. Add the wallet addresses where you want to receive payments. You can set different addresses for different networks — for example, one address for Ethereum and ERC-20 tokens, another for Tron TRC-20 tokens.
This is where the non-custodial model matters. Aurpay never holds your crypto. When a customer pays, the funds go directly to the wallet address you configure here. You maintain full custody at all times.
If you are unsure which networks to enable, start with Tron (TRC-20) for USDT — it has the lowest transaction fees — and Ethereum (ERC-20) for broader token support. Our guide on choosing between USDT and USDC can help you decide which stablecoins to prioritize.
Still in the Aurpay dashboard, go to the cryptocurrency selection panel. Enable the tokens you want to accept. Most WooCommerce merchants start with:
You can add or remove tokens at any time without reinstalling the plugin or changing your WordPress configuration.
Before going live, place a test order on your own store. Add a product to your cart, proceed to checkout, and select the crypto payment option. The checkout page will display a QR code and a wallet address for the selected cryptocurrency.
Send a small amount (even $1 worth of USDT on Tron costs under $1 in fees) to confirm the full flow:
If all five checkpoints pass, your integration is working. If anything fails, check the troubleshooting section below.
Once your test transaction confirms successfully, your store is ready. No additional configuration is needed. The crypto payment option will appear alongside your existing payment methods (credit card, PayPal, etc.) at checkout. Customers choose their preferred cryptocurrency, scan the QR code or copy the address, and send payment from their wallet.
WooCommerce handles the rest — order status updates, confirmation emails, and inventory management all work the same way they do with traditional payment methods.
The checkout experience is straightforward. When a customer selects “Pay with Crypto” (or whatever title you configured), they see a payment page with the order total converted to their chosen cryptocurrency at the current exchange rate. A QR code and a copy-paste wallet address are displayed. The page includes a countdown timer — typically 15-20 minutes — within which the customer needs to complete the payment.
Once the blockchain confirms the transaction, the order status updates automatically. Your customer sees a confirmation page, and WooCommerce sends the standard order confirmation email. From the customer’s perspective, the experience is comparable to scanning a QR code for a bank transfer — familiar and fast.
Aurpay’s fee structure is transparent. There is no monthly subscription for the basic plan. Transaction fees vary by plan tier, but they are consistently lower than credit card processing rates. The standard rate is 0.8% per transaction. Blockchain network fees (gas fees) are paid by the customer as part of their transaction, not deducted from your received amount.
Settlement is instant. Because payments go directly to your wallet, there is no “settlement period” like the 2-3 business days you wait with Stripe or PayPal. The moment the blockchain confirms the transaction, the funds are yours. This matters most for merchants with tight cash flow or those selling high-value items where waiting days for settlement creates risk.
For a detailed cost comparison between stablecoin payments and traditional processors, see our analysis of stablecoin vs. credit card fees for merchants.
Confirm that WooCommerce is installed and activated. The Aurpay plugin requires WooCommerce to register as a payment gateway. If WooCommerce is active but Aurpay still does not appear, deactivate and reactivate the Aurpay plugin. Check that your WordPress version meets the minimum requirement (6.0+).
This usually indicates a webhook communication issue. Verify that your site’s SSL certificate is valid — Aurpay’s servers need to send a callback to your store when payment is confirmed, and this requires HTTPS. Also check that your hosting provider is not blocking incoming webhook requests with a firewall or WAF rule.
Check your API Key and Merchant ID in the plugin settings. A mismatch or typo in either field will prevent the payment page from generating. Also verify that you have at least one cryptocurrency enabled in your Aurpay dashboard and that a wallet address is configured for the corresponding network.
First, check the transaction hash on a block explorer (Etherscan for Ethereum, Tronscan for Tron, BscScan for BSC). Confirm the payment was sent to the correct address and on the correct network. The most common issue is a customer sending ERC-20 USDT to a TRC-20 address or vice versa. If the transaction shows confirmed on the blockchain but your WooCommerce order has not updated, the webhook may have failed — contact Aurpay support with the transaction hash for resolution.
If you experience issues after installation, deactivate other payment gateway plugins temporarily to check for conflicts. Caching plugins can also interfere with the payment page — add your checkout URL to your cache plugin’s exclusion list. If you use a security plugin like Wordfence or Sucuri, whitelist Aurpay’s webhook endpoints.
Adding the payment method is step one. Getting customers to use it is step two. Here are adjustments that improve crypto payment adoption rates among your customers.
Name the payment option clearly. “Pay with Crypto” is fine for tech-savvy audiences. For general ecommerce, “Pay with USDT/USDC (Stablecoin)” tells customers exactly what to expect and reduces hesitation from buyers unfamiliar with volatile cryptocurrencies.
Add a note about savings. If you pass along any fee savings to crypto-paying customers (even a 1-2% discount), mention it in the payment method description. Price-sensitive buyers will notice.
Keep traditional options available. Crypto should be an additional payment method, not a replacement. Customers who see both credit card and crypto options feel more comfortable with the store overall. The presence of familiar payment methods builds trust that extends to the crypto option.
Display supported tokens visually. Small token icons (USDT, USDC, BTC, ETH) next to the payment option at checkout increase click-through rates. Most crypto-native customers recognize these icons faster than they read text descriptions.
Once the plugin is running, you can extend your setup in several directions. If you sell internationally and want to understand how stablecoins handle cross-border settlement without intermediary banks, our guide on accepting USDT on Shopify covers multi-chain strategies that apply to WooCommerce as well.
For developers who want deeper integration — custom checkout flows, programmatic order management, or automated webhook handling — see our WooCommerce crypto tutorial using Claude Code. That guide covers the technical implementation that this article intentionally skips.
If you run both Shopify and WooCommerce stores, Aurpay’s dashboard lets you manage multiple stores under one merchant account, with unified reporting across platforms. Your wallet configuration carries over — you set it once and it works for all connected stores.
Aurpay connects your Shopify or WooCommerce store to USDT, USDC, and 10+ cryptocurrencies — with zero custody risk. Payments go directly to your wallet. Set up your store in under 15 minutes.
]]>Stablecoins are not interchangeable from a business operations perspective. The stablecoin you accept affects your transaction fees, settlement speed, customer conversion rate, and regulatory exposure. Choosing wrong does not mean losing money on a trade. It means losing customers who wanted to pay with the token you did not support.
The global stablecoin market now exceeds $313 billion in total supply. USDT (Tether) accounts for roughly 62% of that, while USDC (Circle) holds around 25%. But market cap alone does not tell the merchant story. What matters is where your customers are, which chains they use, and how much each transaction costs you.
USDT dominates in Asia, the Middle East, Africa, and Latin America. In these regions, USDT is the de facto digital dollar. Users hold it on Tron wallets, transfer it peer-to-peer, and expect to spend it online. If your store serves customers in Southeast Asia, Turkey, Nigeria, or Argentina, USDT is not optional — it is the stablecoin they carry.
USDC has stronger adoption in North America and Europe. Circle is a US-based company with a New York Trust license. Its reserves are audited monthly by Deloitte and held in US Treasury bonds and regulated bank accounts. Institutional buyers, SaaS companies, and US-based crypto-native customers tend to prefer USDC for compliance reasons.
There is also a middle ground. In regions like India and parts of Southeast Asia, both tokens circulate widely. Merchants in these markets report roughly even splits between USDT and USDC at checkout, depending on whether the buyer uses a centralized exchange wallet (which often defaults to USDT) or a self-custody wallet connected to DeFi protocols (which skews toward USDC on Ethereum and Solana).
The practical takeaway: your customer geography should influence your stablecoin priority. But as you will see below, the best answer is usually to accept both.
Both USDT and USDC are deployed across multiple blockchains, and the chain matters more than the token when it comes to transaction costs. Here is a comparison of typical transfer fees for a $100 payment:
| Chain | USDT Fee | USDC Fee | Confirmation Time |
|---|---|---|---|
| Tron (TRC-20) | $0.50–$1.00 | $0.50–$1.00 | ~3 seconds |
| Ethereum (ERC-20) | $2.00–$15.00 | $2.00–$15.00 | ~15 seconds |
| BNB Smart Chain (BEP-20) | $0.05–$0.20 | $0.05–$0.20 | ~3 seconds |
| Solana (SPL) | $0.001–$0.01 | $0.001–$0.01 | ~0.4 seconds |
| Polygon (PoS) | $0.01–$0.05 | $0.01–$0.05 | ~2 seconds |
| Arbitrum | $0.05–$0.25 | $0.05–$0.25 | ~0.3 seconds |
Notice that on the same chain, USDT and USDC cost the same to transfer. The fee is determined by the network, not the token issuer. This means the “which is cheaper?” question is really a “which chain should I support?” question. For merchants processing high volumes from Asia, USDT on Tron’s TRC-20 network remains the most cost-effective option. For US and European customers, USDC on Solana or Arbitrum offers sub-cent fees with fast finality.
Checkout conversion depends on whether your customer recognizes and trusts the payment option. In traditional e-commerce, displaying a payment logo the buyer does not recognize can increase cart abandonment. The same principle applies to stablecoin checkout. A customer who holds USDT and sees only a USDC option may hesitate, wonder if it is the “right” token, or leave altogether. In crypto payments, this breaks down by user segment:
The conversion math is simple. Every stablecoin you exclude from your checkout is a segment of paying customers you exclude from your store. This is the same logic that led e-commerce merchants to accept Visa, Mastercard, and Amex rather than picking one card network. For a deeper look at how stablecoin fees compare to traditional card processing, see our merchant fee comparison guide.
The GENIUS Act (Guiding and Establishing National Innovation for US Stablecoins), introduced in 2025, creates the first comprehensive US regulatory framework for stablecoin issuers. The legislation establishes reserve requirements, audit standards, and issuer licensing provisions that directly affect which stablecoins qualify as “payment stablecoins” under US law.
Circle, the issuer of USDC, is well positioned under this framework. The company already publishes monthly reserve attestations, holds reserves in US Treasuries and cash at regulated banks, and operates under existing state money transmitter licenses. USDC is widely expected to meet GENIUS Act compliance requirements without major structural changes.
Tether, the issuer of USDT, faces a more complex path. While Tether has increased its reserve transparency in recent years, its offshore structure and historical scrutiny from US regulators create uncertainty about its status under the new framework. Tether has publicly stated it supports reasonable regulation, but the company is incorporated in the British Virgin Islands and primarily serves non-US markets.
For merchants, regulation is not abstract. It affects whether your payment processor can operate, whether your bank will accept stablecoin-related deposits, and whether your accountant can categorize the revenue cleanly. If you sell to US customers and need regulatory certainty, USDC gives you a clearer compliance posture today. If you sell globally, USDT remains the higher-volume token and is unlikely to disappear from non-US markets regardless of US legislation. For a detailed breakdown of how the GENIUS Act affects merchant payment processing, read our GENIUS Act compliance guide.
Both USDT and USDC settle in seconds to minutes, depending on the blockchain. Compare that to credit card payments, which take 2–3 business days and carry chargeback risk for up to 120 days. Stablecoin payments are final once confirmed on-chain. No chargebacks. No rolling reserves. No processor holds.
In terms of settlement speed, USDT and USDC are functionally identical on the same chain. A USDT payment on Tron confirms in the same time as a USDC payment on Tron. The settlement advantage is stablecoin-vs-fiat, not USDT-vs-USDC.
For merchants accustomed to traditional payment rails, the difference is dramatic. A credit card transaction initiated on Friday settles on Tuesday or Wednesday. A stablecoin transaction initiated on Friday settles in seconds, regardless of weekends, holidays, or banking hours. This is true for both USDT and USDC. The finality is on-chain, not dependent on banking infrastructure or processor batch schedules.
One difference worth noting: Circle offers USDC-native settlement rails through its APIs, which some larger merchants use for direct fiat off-ramping. Tether does not offer an equivalent merchant API. However, if you use a non-custodial payment gateway, this distinction is irrelevant — payments go directly to your wallet regardless of the token.
| Factor | USDT | USDC |
|---|---|---|
| Global market share | ~60% | ~20% |
| Strongest regions | Asia, LATAM, Middle East, Africa | North America, Europe |
| Chain coverage | Tron, Ethereum, BSC, Solana, Polygon, Arbitrum, others | Ethereum, Solana, Arbitrum, Base, Polygon, others |
| US regulatory clarity | Uncertain under GENIUS Act | Strong; Circle is US-regulated |
| Reserve transparency | Quarterly attestations | Monthly attestations (Deloitte) |
| Merchant API for off-ramp | No native offering | Circle Payments API available |
| Customer recognition (global) | Higher | Moderate |
| Customer recognition (US) | Moderate | Higher |
Choosing between USDT and USDC is a false dilemma. The merchant who accepts only USDT misses US institutional buyers. The merchant who accepts only USDC misses the majority of global stablecoin users. The winning strategy is the same one that every successful e-commerce store already follows with traditional payments: accept every method your customers use.
Stablecoins are not like choosing a single payment processor. There is no exclusivity agreement. No switching cost. No integration penalty for supporting both. The only requirement is a payment gateway that handles multi-token, multi-chain transactions and routes them to your wallet.
Consider the numbers. If USDT represents 60% of global stablecoin supply and USDC represents 20%, a merchant who accepts only USDC is invisible to the majority of stablecoin holders. A merchant who accepts only USDT may lose high-value US corporate accounts that require USDC for internal compliance. Neither compromise makes business sense when accepting both costs nothing extra.
This is especially true when you consider that stablecoin adoption is growing fastest in markets where stablecoins serve as a safe haven against local currency instability. Your next wave of customers may come from a region you did not initially target, paying with a stablecoin you did not expect. If your checkout supports both, you capture that revenue. If it does not, your competitor does.
The implementation path depends on your e-commerce platform, but the principle is the same: use a payment gateway that supports both USDT and USDC across major chains, and routes payments directly to your wallet without holding custody.
For Shopify stores, this means installing a crypto payment app and enabling stablecoin support in the settings. Our Shopify USDT integration guide walks through the process step by step. The same gateway handles USDC automatically.
For WooCommerce, BigCommerce, and custom builds, the approach is similar: add the payment gateway plugin, configure your wallet address, and select the tokens and chains you want to support. A well-designed merchant stablecoin strategy accounts for both current customer demographics and future expansion markets.
Regardless of platform, the integration timeline is short. Most merchants go from zero stablecoin acceptance to a live checkout in under an hour. The technical complexity is in the gateway, not in your store. You configure your wallet, select your tokens, and the gateway handles chain detection, payment verification, and settlement confirmation.
Implementation considerations:
Don’t choose between stablecoins. Aurpay lets your customers pay with USDT, USDC, or any major cryptocurrency — all routed directly to your wallet. Get started free.
]]>This MCP server connects Claude to a Lightning Network node running LND (Lightning Network Daemon). It exposes five tools that cover the core monitoring operations:
get_channel_balance — returns local and remote balances across all open channelslist_payments — queries recent outgoing payments with status, fees, and timestampsget_network_stats — pulls network-level data including total channels, total capacity, and average fee ratescheck_invoice_status — looks up an invoice by its payment hash and returns its current stateestimate_routing_fee — estimates the fee for routing a payment of a given amount to a destinationThe architecture follows the same pattern from our crypto payment MCP tutorial. Claude sends a tool call over stdio, the MCP server translates it into an HTTP request against the LND REST API, and returns structured data that Claude interprets in natural language. The difference is the data source: instead of a payment gateway REST API, you are talking directly to a Lightning node.
Why LND’s REST API? LND exposes both gRPC and REST interfaces. The REST API runs on port 8080 by default and covers most of the endpoints you need for monitoring. It is simpler to work with in a tutorial context since there is no protobuf compilation or gRPC client setup. For production deployments that need streaming subscriptions (real-time payment notifications via gRPC streams), you can extend this server later. Lightning Labs also released an official AI agent toolkit in February 2026 with an MCP server exposing 18 read-only tools via Lightning Node Connect (LNC). This tutorial builds a custom server from scratch so you understand every layer.
Before writing code, you need to understand what is available. The Lightning ecosystem offers several API options for node monitoring.
The LND REST API is the primary interface we will use. Key endpoints include:
/v1/balance/channels — Total balance across all channels (local, remote, pending, unsettled)/v1/payments — List of outgoing payments with status and fee details/v1/invoices — List of incoming invoices/v1/invoice/{r_hash_str} — Look up a specific invoice by hash/v1/graph/info — Network-level statistics/v1/channels — Detailed info on all open channels/v2/router/route — Query route and fee estimationAuthentication uses macaroons, which are bearer tokens with fine-grained permission scoping. LND ships with three default macaroons: admin.macaroon (full access), invoice.macaroon (invoice operations only), and readonly.macaroon (read-only access). For a monitoring server, readonly.macaroon is the correct choice. You also need the TLS certificate (tls.cert) to establish a secure connection.
If you run Core Lightning instead of LND, the CLN JSON-RPC API offers equivalent functionality. The tool schemas in this tutorial would stay the same; only the HTTP client layer changes. CLN uses a Unix socket or REST plugin for API access.
Services like Mempool.space and Amboss provide public APIs for network-wide statistics without requiring your own node. These are useful for the get_network_stats tool if you want network data without node access. For channel and payment monitoring, you need a direct node connection.
Before you start, make sure you have the following:
node --version.https://localhost:8080), the readonly.macaroon file (hex-encoded), and the tls.cert file. If you do not have a node, you can use a hosted provider like Voltage for testing.Create a new project and install dependencies:
mkdir lightning-mcp-monitor
cd lightning-mcp-monitor
npm init -y
npm install @modelcontextprotocol/sdk zod
npm install -D typescript @types/nodeSet up tsconfig.json:
{
"compilerOptions": {
"target": "ES2022",
"module": "Node16",
"moduleResolution": "Node16",
"outDir": "./dist",
"rootDir": "./src",
"strict": true,
"esModuleInterop": true,
"skipLibCheck": true
},
"include": ["src/**/*"]
}Update package.json to use ES modules:
{
"name": "lightning-mcp-monitor",
"version": "1.0.0",
"type": "module",
"scripts": {
"build": "tsc",
"start": "node dist/server.js"
}
}Now create src/server.ts and define the five tool schemas. Each schema tells Claude what the tool does and what parameters it accepts:
import { McpServer } from "@modelcontextprotocol/sdk/server/mcp.js";
import { StdioServerTransport } from "@modelcontextprotocol/sdk/server/stdio.js";
import { z } from "zod";
import fs from "fs";
import https from "https";
// LND connection config from environment
const LND_REST_URL = process.env.LND_REST_URL || "https://localhost:8080";
const LND_MACAROON = process.env.LND_MACAROON || "";
const LND_TLS_CERT_PATH = process.env.LND_TLS_CERT_PATH || "";
if (!LND_MACAROON) {
console.error("LND_MACAROON environment variable is required (hex-encoded readonly.macaroon)");
process.exit(1);
}
const server = new McpServer({
name: "lightning-network-monitor",
version: "1.0.0",
});
// Tool 1: Channel balance
server.tool(
"get_channel_balance",
"Get the total balance across all open Lightning channels. Returns local balance (funds you can send), remote balance (funds you can receive), pending open balance, and unsettled balance.",
{},
async () => {
const data = await lndRequest("/v1/balance/channels");
return formatResponse(data);
}
);
// Tool 2: List payments
server.tool(
"list_payments",
"List recent outgoing Lightning payments. Returns payment hash, amount in satoshis, fee paid, status (SUCCEEDED, FAILED, IN_FLIGHT), and creation timestamp. Use include_incomplete to see in-flight payments.",
{
include_incomplete: z.boolean().default(false)
.describe("Include payments that are still in flight"),
max_payments: z.number().min(1).max(100).default(20)
.describe("Maximum number of payments to return"),
},
async ({ include_incomplete, max_payments }) => {
const params = new URLSearchParams({
include_incomplete: String(include_incomplete),
max_payments: String(max_payments),
reversed: "true",
});
const data = await lndRequest(`/v1/payments?${params.toString()}`);
return formatResponse(data);
}
);
// Tool 3: Network stats
server.tool(
"get_network_stats",
"Get Lightning Network graph statistics from this node's perspective. Returns total number of nodes, total channels, total network capacity in BTC, and this node's public key and alias.",
{},
async () => {
const data = await lndRequest("/v1/graph/info");
return formatResponse(data);
}
);
// Tool 4: Check invoice status
server.tool(
"check_invoice_status",
"Look up the status of a Lightning invoice by its payment hash (r_hash). Returns the invoice amount, memo, whether it has been settled, settle timestamp, and expiry details.",
{
payment_hash: z.string()
.describe("The payment hash (r_hash) of the invoice to look up, hex-encoded"),
},
async ({ payment_hash }) => {
const data = await lndRequest(`/v1/invoice/${payment_hash}`);
return formatResponse(data);
}
);
// Tool 5: Estimate routing fee
server.tool(
"estimate_routing_fee",
"Estimate the routing fee for sending a payment of a given amount to a destination node. Returns the estimated fee in satoshis and the estimated time lock delta.",
{
dest_pub_key: z.string()
.describe("The public key of the destination node (hex-encoded, 66 characters)"),
amount_sat: z.number().positive()
.describe("The payment amount in satoshis"),
},
async ({ dest_pub_key, amount_sat }) => {
const data = await lndRequest("/v2/router/route", {
method: "POST",
body: {
pub_key: dest_pub_key,
amt: String(amount_sat),
},
});
return formatResponse(data);
}
);Each tool description is written to help Claude decide when to use it. The descriptions mention return values explicitly — this gives Claude enough context to answer follow-up questions without making additional API calls.
LND’s REST API requires two credentials: a TLS certificate and a macaroon. The TLS cert establishes a secure connection (LND uses self-signed certificates by default), and the macaroon provides authentication and authorization.
Add the HTTP client above the tool definitions in src/server.ts:
// Build a custom HTTPS agent that trusts the LND TLS certificate
function createHttpsAgent(): https.Agent | undefined {
if (!LND_TLS_CERT_PATH) return undefined;
try {
const cert = fs.readFileSync(LND_TLS_CERT_PATH);
return new https.Agent({ ca: [cert] });
} catch (err) {
console.error(`Warning: Could not read TLS cert at ${LND_TLS_CERT_PATH}`);
return undefined;
}
}
const httpsAgent = createHttpsAgent();
interface LndRequestOptions {
method?: string;
body?: Record<string, unknown>;
}
async function lndRequest(
endpoint: string,
options: LndRequestOptions = {}
): Promise<unknown> {
const { method = "GET", body } = options;
const url = `${LND_REST_URL}${endpoint}`;
const headers: Record<string, string> = {
"Grpc-Metadata-macaroon": LND_MACAROON,
"Content-Type": "application/json",
"Accept": "application/json",
};
const fetchOptions: RequestInit & { dispatcher?: unknown } = {
method,
headers,
body: body ? JSON.stringify(body) : undefined,
};
// For self-signed certs, disable TLS verification in development
// In production, use the proper TLS cert via the HTTPS agent
if (LND_REST_URL.includes("localhost") || LND_REST_URL.includes("127.0.0.1")) {
// Node.js 18+ supports this via the --insecure-http-parser flag
// or by setting NODE_TLS_REJECT_UNAUTHORIZED=0 in env
}
const response = await fetch(url, fetchOptions);
if (!response.ok) {
const errorText = await response.text();
throw new Error(
`LND API error: ${response.status} ${response.statusText} — ${errorText}`
);
}
return response.json();
}
function formatResponse(data: unknown) {
return {
content: [
{
type: "text" as const,
text: JSON.stringify(data, null, 2),
},
],
};
}The critical header is Grpc-Metadata-macaroon. LND’s REST API expects the macaroon as a hex-encoded string in this header, not as a Bearer token. This is the most common mistake developers make when first connecting to LND. The macaroon file is binary, so you need to convert it to hex first:
# Convert your readonly.macaroon to hex
xxd -ps -u -c 1000 ~/.lnd/data/chain/bitcoin/mainnet/readonly.macaroonCopy that hex string and use it as the LND_MACAROON environment variable.
For the TLS certificate, LND generates a self-signed cert at ~/.lnd/tls.cert. In production, you pass this to the HTTPS agent so Node.js trusts the connection. For local development, you can set NODE_TLS_REJECT_UNAUTHORIZED=0 in your environment, but never do this in production.
The tool handlers above make raw API calls and return the full JSON response. For a better experience, you can transform the responses into cleaner formats that help Claude generate more useful answers. Here is an enhanced version of the channel balance handler:
server.tool(
"get_channel_balance",
"Get the total balance across all open Lightning channels. Returns local balance (funds you can send), remote balance (funds you can receive), pending open balance, and unsettled balance. All amounts are in satoshis.",
{},
async () => {
const raw = await lndRequest("/v1/balance/channels") as {
local_balance?: { sat: string };
remote_balance?: { sat: string };
pending_open_local_balance?: { sat: string };
pending_open_remote_balance?: { sat: string };
unsettled_local_balance?: { sat: string };
unsettled_remote_balance?: { sat: string };
};
const summary = {
local_balance_sat: parseInt(raw.local_balance?.sat || "0"),
remote_balance_sat: parseInt(raw.remote_balance?.sat || "0"),
pending_open_local_sat: parseInt(raw.pending_open_local_balance?.sat || "0"),
pending_open_remote_sat: parseInt(raw.pending_open_remote_balance?.sat || "0"),
unsettled_local_sat: parseInt(raw.unsettled_local_balance?.sat || "0"),
unsettled_remote_sat: parseInt(raw.unsettled_remote_balance?.sat || "0"),
total_sendable_sat: parseInt(raw.local_balance?.sat || "0"),
total_receivable_sat: parseInt(raw.remote_balance?.sat || "0"),
};
return formatResponse(summary);
}
);The transformation converts LND’s nested balance objects (which use string-encoded satoshis) into flat integer fields with descriptive names. It also adds computed fields like total_sendable_sat and total_receivable_sat that Claude can reference directly when answering questions like “how much can I send right now?”
Apply similar transformations to the payments handler to extract the fields that matter most:
server.tool(
"list_payments",
"List recent outgoing Lightning payments. Returns payment hash, amount in satoshis, fee paid in satoshis, status, creation date, and the number of attempted routes.",
{
include_incomplete: z.boolean().default(false)
.describe("Include payments that are still in flight"),
max_payments: z.number().min(1).max(100).default(20)
.describe("Maximum number of payments to return"),
},
async ({ include_incomplete, max_payments }) => {
const params = new URLSearchParams({
include_incomplete: String(include_incomplete),
max_payments: String(max_payments),
reversed: "true",
});
const raw = await lndRequest(`/v1/payments?${params.toString()}`) as {
payments?: Array<{
payment_hash: string;
value_sat: string;
fee_sat: string;
status: string;
creation_date: string;
htlcs?: unknown[];
}>;
};
const payments = (raw.payments || []).map((p) => ({
payment_hash: p.payment_hash,
amount_sat: parseInt(p.value_sat || "0"),
fee_sat: parseInt(p.fee_sat || "0"),
status: p.status,
created_at: new Date(parseInt(p.creation_date) * 1000).toISOString(),
routes_attempted: p.htlcs?.length || 0,
}));
return formatResponse({
total_payments: payments.length,
payments,
});
}
);Converting timestamps from Unix epoch to ISO 8601 is a small detail that makes a real difference. Claude can parse ISO dates and do relative time calculations (“this payment was 3 hours ago”) without you writing any date logic.
The five tools above handle on-demand queries. But Lightning payments settle in seconds, and you may want Claude to alert you when something happens: a new payment arrives, a channel goes offline, or a large HTLC routes through your node.
LND supports streaming via gRPC server-streaming RPCs. The REST API has limited streaming support through long-polling endpoints. For an MCP server, the cleanest approach is a polling-based subscription tool that checks for new events at a configurable interval.
Add a subscribe_invoices tool that polls for newly settled invoices:
server.tool(
"subscribe_invoices",
"Poll for recently settled invoices within a given time window. Returns invoices that were settled in the last N seconds. Use this to monitor incoming payments. Call it periodically or ask Claude to check for new payments.",
{
since_seconds: z.number().min(10).max(3600).default(60)
.describe("Look back window in seconds. Returns invoices settled within this period."),
},
async ({ since_seconds }) => {
const raw = await lndRequest("/v1/invoices?reversed=true&num_max_invoices=50") as {
invoices?: Array<{
memo: string;
value: string;
settled: boolean;
settle_date: string;
payment_request: string;
r_hash: string;
amt_paid_sat: string;
}>;
};
const cutoff = Math.floor(Date.now() / 1000) - since_seconds;
const recentSettled = (raw.invoices || [])
.filter((inv) => inv.settled && parseInt(inv.settle_date) > cutoff)
.map((inv) => ({
memo: inv.memo || "(no memo)",
amount_sat: parseInt(inv.amt_paid_sat || inv.value || "0"),
settled_at: new Date(parseInt(inv.settle_date) * 1000).toISOString(),
payment_hash: Buffer.from(inv.r_hash, "base64").toString("hex"),
}));
return formatResponse({
window_seconds: since_seconds,
settled_invoices: recentSettled.length,
invoices: recentSettled,
});
}
);This approach has trade-offs. Polling every 60 seconds is fine for a monitoring dashboard but will miss the sub-second settlement experience that makes Lightning special. For true real-time notifications, you would use LND’s gRPC SubscribeInvoices stream and push events to Claude via MCP notifications. The MCP protocol supports server-initiated notifications, but client support varies. Polling is the pragmatic starting point.
A more advanced pattern combines polling with a local event cache. Run a background process that subscribes to LND’s gRPC streams and writes events to a local SQLite database or in-memory queue. The MCP tool then queries the cache instead of hitting LND directly. This decouples the real-time event collection from the AI query layer.
Wire up the server transport and build:
async function main() {
const transport = new StdioServerTransport();
await server.connect(transport);
console.error("Lightning Network MCP monitor running on stdio");
}
main().catch((error) => {
console.error("Fatal error:", error);
process.exit(1);
});npx tscAdd the server to your Claude configuration. For Claude Desktop, edit claude_desktop_config.json:
{
"mcpServers": {
"lightning-monitor": {
"command": "node",
"args": ["/absolute/path/to/lightning-mcp-monitor/dist/server.js"],
"env": {
"LND_REST_URL": "https://your-node-ip:8080",
"LND_MACAROON": "0201036c6e6402f801...",
"LND_TLS_CERT_PATH": "/path/to/.lnd/tls.cert",
"NODE_TLS_REJECT_UNAUTHORIZED": "0"
}
}
}
}For Claude Code, add to .mcp.json in your project root:
{
"mcpServers": {
"lightning-monitor": {
"command": "node",
"args": ["./lightning-mcp-monitor/dist/server.js"],
"env": {
"LND_REST_URL": "https://your-node-ip:8080",
"LND_MACAROON": "0201036c6e6402f801...",
"LND_TLS_CERT_PATH": "/path/to/.lnd/tls.cert"
}
}
}
}Test with the MCP Inspector first:
LND_REST_URL=https://localhost:8080 \
LND_MACAROON=$(xxd -ps -u -c 1000 ~/.lnd/data/chain/bitcoin/mainnet/readonly.macaroon) \
LND_TLS_CERT_PATH=~/.lnd/tls.cert \
NODE_TLS_REJECT_UNAUTHORIZED=0 \
npx @modelcontextprotocol/inspector node dist/server.jsOnce verified, restart Claude and try these conversations:
You: “What’s my Lightning channel balance?”
Claude calls get_channel_balance and responds:
Your Lightning channel balance:
- Sendable (local): 2,450,000 sats (0.0245 BTC)
- Receivable (remote): 8,120,000 sats (0.0812 BTC)
- Pending open: 500,000 sats in 1 channel awaiting confirmation
- Unsettled: 0 sats
You have strong inbound liquidity — about 3.3x more capacity to receive than to send.You: “Show me payments from the last hour. Any failures?”
Claude calls list_payments with {"include_incomplete": true, "max_payments": 50}, filters by timestamp, and highlights failures:
In the last hour, you made 7 outgoing payments:
- 5 succeeded (total: 125,400 sats, fees: 12 sats)
- 1 failed (50,000 sats to 02a1b2c3... — no route found)
- 1 in-flight (10,000 sats — still pending)
Average routing fee: 2.4 sats per payment. The failed payment to 02a1b2c3 might need a direct channel or a larger fee limit.You: “What’s the cheapest route to send 100,000 sats to 02f8a3b7…?”
Claude calls estimate_routing_fee and returns:
Estimated route to 02f8a3b7...:
- Fee: 8 sats (0.008%)
- Time lock delta: 40 blocks
- Hops: 3
That's well within typical fee ranges for a payment this size.You: “Any new payments received in the last 5 minutes?”
Claude calls subscribe_invoices with {"since_seconds": 300}:
2 invoices settled in the last 5 minutes:
1. 50,000 sats — "Monthly VPN subscription" — settled at 14:23 UTC
2. 12,500 sats — (no memo) — settled at 14:21 UTC
Total received: 62,500 sats ($42.50 at current rates).A monitoring MCP server that connects to a live Lightning node carries real security responsibilities. Here is what to address before running this in production.
Never expose your admin macaroon through an MCP server. Use readonly.macaroon for monitoring. If you need custom permissions, bake a restricted macaroon:
# Create a macaroon with only balance and invoice read permissions
lncli bakemacaroon info:read offchain:read invoices:read --save_to=monitor.macaroonStore the hex-encoded macaroon in environment variables, never in code or config files checked into version control. Treat it like an API key, because it is one. For a deeper look at security patterns in Claude Code workflows, see our smart contract auditing guide.
LND’s REST API does not impose rate limits by default, but hammering your own node with requests degrades performance. Add a simple in-memory rate limiter to the lndRequest function:
let lastRequestTime = 0;
const MIN_REQUEST_INTERVAL_MS = 200; // Max 5 requests per second
async function lndRequest(
endpoint: string,
options: LndRequestOptions = {}
): Promise<unknown> {
const now = Date.now();
const elapsed = now - lastRequestTime;
if (elapsed < MIN_REQUEST_INTERVAL_MS) {
await new Promise((resolve) =>
setTimeout(resolve, MIN_REQUEST_INTERVAL_MS - elapsed)
);
}
lastRequestTime = Date.now();
// ... rest of the function
}Network stats and channel balances do not change every second. Cache responses with a short TTL to reduce load on your node:
const cache = new Map<string, { data: unknown; expires: number }>();
function getCached(key: string, ttlMs: number): unknown | null {
const entry = cache.get(key);
if (entry && entry.expires > Date.now()) return entry.data;
return null;
}
function setCache(key: string, data: unknown, ttlMs: number) {
cache.set(key, { data, expires: Date.now() + ttlMs });
}Use a 30-second TTL for channel balances and a 5-minute TTL for network stats. Payment lists and invoice lookups should not be cached — they need to reflect the latest state.
If you run multiple Lightning nodes (common for routing node operators), extend the server to accept a node identifier parameter. Store connection configs for each node and route requests to the appropriate LND instance. The tool schemas stay the same. Just add an optional node_id parameter to each tool.
LND returns specific error codes for common issues. Map these to helpful messages:
lnd.conf for restlisten.Lightning has grown well beyond a developer experiment into serious payment infrastructure. Merchants accepting Lightning get instant settlement with no 10-minute wait for on-chain confirmations and no chargeback risk. Fees are typically under 1 satoshi for payments under $100, making it cheaper than any credit card processor. The network has grown to over 15,000 nodes and 60,000+ channels in 2026, with total capacity exceeding 5,000 BTC.
For AI agents operating autonomously, Lightning is particularly compelling. An agent can make a micropayment of 100 satoshis ($0.07) without the $2-5 on-chain fee eating into the transaction. Lightning Labs built their AI agent toolkit for exactly this reason: instant settlement and programmatic payments fit naturally into autonomous commerce.
The monitoring server you built in this tutorial is the operations layer. Once your store accepts Lightning payments, you need visibility into channel health, payment flow, and routing performance. An MCP-connected Claude gives you that visibility through conversation rather than dashboards.
Aurpay’s Lightning Network integration gives your store instant Bitcoin settlement with near-zero fees. No node management required. We handle the infrastructure. Enable Lightning payments.
]]>USDT (Tether) is the default dollar-denominated token for buyers across Asia-Pacific, the Middle East, and Latin America. If your Shopify store serves international customers and you only accept USDC, you are leaving money on the table. Here is how to fix that.
Shopify’s built-in crypto checkout, powered by its partnership with Coinbase Commerce, supports USDC on the Base L2 network. That is a solid start for U.S.-based buyers who already hold USDC. But it creates three blind spots for merchants selling globally.
Limited token coverage. USDC accounts for roughly 25% of the stablecoin market. USDT holds the rest of the dominant share. Buyers in Southeast Asia, Turkey, Nigeria, and Brazil overwhelmingly use USDT because it is the most liquid stablecoin on centralized exchanges in those regions.
Single-chain constraint. Base is an Ethereum L2 with growing adoption, but most USDT circulates on Ethereum mainnet, Tron (TRC-20), and BNB Smart Chain. A checkout that only supports one network forces buyers to bridge tokens before paying — and most will abandon the cart instead.
Custodial settlement. With Coinbase Commerce, payments route through Coinbase. You do not hold the private keys during settlement. For merchants who want direct wallet-to-wallet payments, this is a dealbreaker. If you are curious about why custody matters, read more about how non-custodial payment gateways protect your funds.
Setting up USDT payments on Shopify takes about 15 minutes. Here is what you need ready before you begin.
No coding, no API keys, no developer needed. The entire setup happens through the Shopify admin panel and the Aurpay dashboard.
Go to the Aurpay Shopify integration page and click the install button. This redirects you to the Shopify App Store listing for Aurpay. Click “Add app” and authorize the installation on your store.
Once installed, you will see Aurpay listed under Settings > Payments in your Shopify admin. The plugin adds a new payment method at checkout — your existing payment methods (credit cards, PayPal, etc.) remain untouched.
Open the Aurpay dashboard from your Shopify admin. The first screen asks you to connect a wallet address. This is where customer payments will be sent directly — Aurpay never holds your funds.
You can add multiple wallet addresses for different networks:
Paste your wallet address for each network you want to support. Double-check every address — blockchain transactions are irreversible.
In the Aurpay dashboard, navigate to the token settings panel. Here you toggle on which cryptocurrencies your store accepts. For this guide, enable at minimum:
You can also enable BTC, ETH, and other tokens. Aurpay handles real-time price conversion at checkout, so customers always see the exact crypto amount owed based on the fiat price of their cart.
If you are weighing the pros and cons of each stablecoin, this comparison of USDT vs. USDC for merchants breaks down the differences in liquidity, fees, and regulatory posture.
Aurpay gives you two settlement options:
Keep crypto. Payments stay in USDT (or whichever token the buyer used) in your wallet. This works well if you want to hold stablecoins as a treasury reserve or reinvest in crypto-denominated inventory.
Auto-convert to fiat. Aurpay can route payments through a conversion partner so you receive USD, EUR, or other fiat currencies in your bank account. Conversion adds a small fee but eliminates volatility risk for non-stablecoin payments like BTC or ETH.
For most merchants accepting USDT specifically, keeping the stablecoins is the simpler path. USDT is pegged to the U.S. dollar, so there is no meaningful price fluctuation to worry about.
Before going live, place a test order on your own store. At checkout, select the Aurpay payment option. You will see a payment screen showing:
Send a small USDT payment from your own wallet to confirm it arrives. The Aurpay dashboard will show the transaction as confirmed once the blockchain reaches the required number of confirmations (usually 1-3 minutes on Tron, 2-5 minutes on Ethereum).
Once confirmed, the Shopify order status automatically updates to “Paid.” No manual reconciliation needed.
From the customer’s perspective, the experience is straightforward. At the Shopify checkout page, they see a “Pay with Crypto” option alongside traditional payment methods. Clicking it opens the Aurpay payment window.
The buyer selects their preferred token (USDT) and their preferred network (e.g., TRC-20). They then scan the QR code or copy the wallet address into their wallet app. After sending the payment, the page updates in real time as the transaction confirms on-chain.
No account creation required on the buyer’s side. No redirects to a third-party site. The entire flow stays within your Shopify storefront.
One of the practical reasons merchants add USDT payments is cost. Traditional payment processing eats into margins, especially on cross-border transactions.
| Payment Method | Processing Fee | Cross-Border Fee | Chargeback Risk |
|---|---|---|---|
| Credit Card (Stripe/Shopify Payments) | 2.9% + $0.30 | +1.0-1.5% | Yes |
| PayPal | 3.49% + $0.49 | +1.5% | Yes |
| USDT via Aurpay (TRC-20) | 0.8% | None | No |
On a $100 cross-border sale, credit cards cost roughly $4.20-4.70 in fees. USDT via Aurpay on Tron costs approximately $1 plus a negligible network fee. For a deeper breakdown, see how stablecoin payments compare to credit card fees for merchants.
There are zero chargebacks with blockchain payments. Once a USDT transaction confirms, it is final. This alone can save merchants thousands of dollars per year in disputed charges and fraud-related losses.
Receiving USDT is generally treated as receiving USD-equivalent income for tax purposes. You record the fair market value at the time of receipt — which, for USDT, is essentially $1 per token. Consult your accountant for jurisdiction-specific rules, but stablecoin accounting is far simpler than dealing with volatile crypto like BTC or ETH.
Aurpay tracks exact payment amounts. If a customer underpays, the order stays in “Pending” status and the customer is notified to send the remaining balance. Overpayments are flagged for manual resolution — you can issue a refund for the excess directly from your wallet.
Technically, yes — you could share a wallet address manually with customers. But you lose automated order tracking, real-time price conversion, multi-chain support, and the integrated Shopify checkout experience. For any store doing more than a handful of crypto transactions per month, a payment gateway is worth the setup time.
Yes. Shopify’s native USDC support and Aurpay’s USDT support can coexist. Customers see both options at checkout. In practice, most merchants prefer to consolidate crypto payments through a single gateway for simpler bookkeeping.
Once USDT is live on your store, you may want to explore adding other tokens. Aurpay supports BTC, ETH, USDC, DAI, and a range of altcoins through the same plugin. There is no additional setup — just toggle on new tokens in the dashboard.
If you are building a Shopify store from scratch and want to use AI tools to speed up the process, this guide on using AI to build a crypto checkout on Shopify covers the modern approach. And if you already have a store and want the general Aurpay walkthrough, the complete Aurpay Shopify setup guide covers the broader configuration.
Aurpay connects your Shopify or WooCommerce store to USDT, USDC, and 10+ cryptocurrencies — with zero custody risk. Payments go directly to your wallet. Set up your store in under 15 minutes.
]]>The supply-demand imbalance in smart contract security is severe. Thousands of new contracts deploy to EVM chains every week. The pool of experienced auditors grows slowly. Contest platforms like Code4rena and Sherlock have expanded the talent pool, but competitive auditing introduces its own trade-offs: findings cluster around low-hanging fruit, and complex business logic bugs often go undetected.
AI acts as a force multiplier. A model like Claude can scan an entire codebase in seconds, flagging patterns that match known vulnerability classes. It does not get fatigued after reviewing the fifteenth transferFrom call, and it will not skip the helper library buried three directories deep. It can also run on every commit, not just before a mainnet deployment.
The key insight is positioning AI at the right point in the development lifecycle. Used during development, not as a post-hoc replacement for professional audits, AI catches 60-80% of common issues before they compound into complex, interacting vulnerabilities. The remaining 20-40% is where human expertise in novel attack vectors, economic modeling, and governance design becomes irreplaceable.
Claude Code works best when it has explicit context about what you expect it to do. For smart contract auditing, that means configuring a CLAUDE.md file at your project root with audit-specific instructions, and structuring your project so Claude can navigate it efficiently.
Start with a clean project layout:
my-protocol/
├── CLAUDE.md # Audit instructions
├── contracts/
│ ├── core/
│ │ ├── Vault.sol
│ │ └── Router.sol
│ ├── interfaces/
│ │ └── IVault.sol
│ └── libraries/
│ └── MathLib.sol
├── test/
│ ├── Vault.t.sol
│ └── Router.t.sol
└── foundry.tomlThe project structure matters because Claude Code uses file exploration tools to navigate your codebase. Flat directories with hundreds of files slow down context gathering. Group contracts by function — core logic, interfaces, libraries — so Claude can identify the attack surface quickly.
Install the Solidity extensions for your environment. If you are using Claude Code in a terminal, ensure forge (Foundry) is available in your PATH. Claude can invoke Foundry commands to compile contracts, run tests, and verify that suggested fixes do not break existing functionality.
# Verify Foundry is available
forge --version
# Compile contracts before starting audit
forge buildA successful compilation step is non-negotiable before auditing. Claude needs access to the compiled artifacts and the compiler warnings to provide accurate analysis.
Ad hoc prompting produces inconsistent audit results. A structured workflow produces repeatable, comprehensive coverage. The SCAR framework breaks smart contract auditing into four sequential phases, each with a clear input and output.
Each phase builds on the previous one. Scanning without classification produces noise. Classification without analysis produces false confidence. Analysis without reporting produces tribal knowledge that lives in one developer’s head. The full pipeline turns Claude Code from a chatbot into an audit tool.
The scan phase targets known vulnerability classes from the OWASP Smart Contract Top 10. These are patterns with well-documented exploit histories and clear detection signatures.
Consider this simplified vault contract:
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;
import "@openzeppelin/contracts/token/ERC20/IERC20.sol";
contract SimpleVault {
mapping(address => uint256) public balances;
IERC20 public token;
constructor(address _token) {
token = IERC20(_token);
}
function deposit(uint256 amount) external {
token.transferFrom(msg.sender, address(this), amount);
balances[msg.sender] += amount;
}
function withdraw(uint256 amount) external {
require(balances[msg.sender] >= amount, "Insufficient balance");
// Vulnerability: state change after external call
(bool success, ) = address(token).call(
abi.encodeWithSelector(token.transfer.selector, msg.sender, amount)
);
require(success, "Transfer failed");
balances[msg.sender] -= amount;
}
function emergencyWithdraw() external {
uint256 amount = balances[msg.sender];
balances[msg.sender] = 0;
// This function is safe: state change before external call
token.transfer(msg.sender, amount);
}
}When you ask Claude Code to scan this contract, it identifies the reentrancy vulnerability in withdraw(). The state update (balances[msg.sender] -= amount) happens after the external call (token.transfer). A malicious token contract could re-enter withdraw() before the balance is decremented, draining the vault.
Claude also correctly identifies that emergencyWithdraw() follows the Checks-Effects-Interactions pattern — state changes first, external call last — and is not vulnerable to reentrancy.
The scan phase covers these primary vulnerability classes:
onlyOwner modifiers, unprotected initialization functions, privilege escalation paths.call() without return value checks, silent failures in token transfersRaw scan results are not actionable without severity classification. A missing event emission and a reentrancy vulnerability in a vault holding $10 million TVL require fundamentally different response urgencies.
Claude applies a five-tier severity framework consistent with industry standards used by Immunefi and Code4rena:
| Severity | Criteria | Example |
|---|---|---|
| Critical | Direct loss of funds, no user interaction required | Reentrancy in withdraw function |
| High | Loss of funds with specific conditions, protocol-breaking state corruption | Access control bypass on privileged function |
| Medium | Conditional fund loss, griefing attacks, value leakage over time | Front-runnable liquidation with MEV extraction |
| Low | Best practice violations, minor inefficiencies with no direct fund risk | Missing zero-address checks on constructor params |
| Informational | Code quality, gas optimization, documentation gaps | Unused import, inconsistent naming convention |
For our SimpleVault example, Claude classifies the reentrancy in withdraw() as Critical: it allows direct fund extraction without special conditions beyond deploying a malicious contract. The low-level .call() usage compounds the risk because it forwards all available gas to the callee, giving an attacker ample execution budget for a re-entrant call.
Classification forces prioritization. Development teams with limited time should fix Critical and High findings before deployment. Medium findings warrant mitigation strategies. Low and Informational findings go into a backlog.
The analysis phase is where Claude Code adds the most value beyond simple pattern matching. Claude traces execution paths through multiple contracts, tracks state changes across function calls, and constructs concrete exploit scenarios.
Consider a more complex scenario where a router contract interacts with the vault:
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;
import "./SimpleVault.sol";
contract Router {
SimpleVault public vault;
mapping(address => bool) public whitelisted;
address public admin;
modifier onlyAdmin() {
require(msg.sender == admin, "Not admin");
_;
}
constructor(address _vault) {
vault = SimpleVault(_vault);
admin = msg.sender;
}
function setWhitelist(address user, bool status) external onlyAdmin {
whitelisted[user] = status;
}
function routedDeposit(uint256 amount) external {
require(whitelisted[msg.sender], "Not whitelisted");
// Approves vault to spend router's tokens
vault.token().approve(address(vault), amount);
vault.deposit(amount);
}
// Missing: no onlyAdmin modifier
function updateVault(address newVault) external {
vault = SimpleVault(newVault);
}
}Claude identifies the missing access control on updateVault(). But the analysis goes deeper than flagging the missing modifier. Claude traces the impact chain:
updateVault() with a malicious contract addressSimpleVault interface but redirects depositsroutedDeposit(), the router approves the attacker’s contract to spend tokensCross-contract analysis is where AI auditing delivers the most value. A scanner checking Router.sol in isolation might flag the missing modifier as a Medium severity access control issue. Claude, with full project context, elevates it to Critical because it opens a path to indirect fund theft from whitelisted users.
Claude also validates business logic assumptions. If the protocol documentation states “only whitelisted users can deposit,” Claude checks whether that invariant holds across all entry points, not just the obvious ones. An AI agent interacting with these contracts would be equally vulnerable to a compromised router. This class of bug is particularly dangerous in autonomous commerce scenarios.
The final phase produces a structured audit report. Unstructured findings scattered across chat messages are difficult to track and act on. Claude generates reports in a consistent format that maps to development team workflows.
Here is the report structure Claude produces for each finding:
## [CRITICAL] Reentrancy in SimpleVault.withdraw()
**Contract:** SimpleVault.sol
**Function:** withdraw(uint256 amount)
**Lines:** 20-28
### Description
The withdraw function performs an external call to the token contract
before updating the sender's balance. An attacker can deploy a contract
with a malicious fallback function that re-enters withdraw() before
the balance is decremented, draining the vault.
### Proof of Concept
1. Attacker deposits 1 ETH worth of tokens
2. Attacker calls withdraw(1 ETH) from a contract with a receive()
function that calls withdraw(1 ETH) again
3. The re-entrant call succeeds because balances[attacker] has not
been decremented yet
4. Repeat until vault is drained
### Recommended Fix
Apply the Checks-Effects-Interactions pattern. Update state before
making the external call:
function withdraw(uint256 amount) external {
require(balances[msg.sender] >= amount, "Insufficient balance");
balances[msg.sender] -= amount;
token.transfer(msg.sender, amount);
}
Alternatively, use OpenZeppelin's ReentrancyGuard:
import "@openzeppelin/contracts/utils/ReentrancyGuard.sol";
### Test Case
function test_reentrancy_withdraw() public {
MaliciousReceiver attacker = new MaliciousReceiver(vault);
token.transfer(address(attacker), 1 ether);
attacker.attack();
// Expect revert or controlled behavior after fix
}Each finding includes a test case that developers can drop into their Foundry test suite. This closes the loop: the finding comes with a verifiable proof and a regression test that prevents reintroduction.
For payment infrastructure contracts, like those powering payment monitoring systems or settlement layers, the report also flags operational risks: what happens if an admin key is compromised, what the maximum extractable value is in a single transaction, and whether time-locks provide adequate response windows.
AI-assisted auditing has real blind spots that teams must understand before relying on it.
Novel attack vectors. AI models are trained on historical data. A genuinely new attack class with no precedent in training data will not be flagged. The DAO hack was novel in 2016. Read-only reentrancy was novel in 2023. The next novel vector will bypass AI scanners until the models are retrained on examples of it.
Economic exploits. Many DeFi attacks are not bugs in the traditional sense. They are economically rational behaviors that the protocol designers did not anticipate. Flash loan attacks, governance manipulation, and MEV extraction often involve perfectly valid contract interactions. Claude can reason about these if prompted, but it does not inherently model market dynamics or game theory.
Cross-protocol composability. A contract that is secure in isolation may be exploitable when composed with other protocols. If your vault integrates with Aave, Uniswap, and a custom oracle, the interaction surface grows combinatorially. Claude can analyze contracts it can see, but it cannot audit the deployed bytecode of third-party dependencies in real time.
Formal verification gaps. AI auditing is heuristic, not formal. It does not provide mathematical proofs of correctness. For contracts managing significant TVL, pair AI auditing with formal verification tools like Certora or Halmos to cover properties that require provable guarantees.
The recommended approach: use Claude Code for continuous development-phase auditing, engage a professional audit firm for pre-deployment review, and maintain a bug bounty program for post-deployment coverage. AI handles breadth and speed, while humans handle depth and novelty. The most secure protocols in 2026 use all three layers together.
The following template configures Claude Code for smart contract auditing. Save it as CLAUDE.md in your project root. Adapt the scope, severity definitions, and focus areas to your protocol.
# Smart Contract Audit Configuration
## Role
You are a senior smart contract security auditor. Your task is to
identify vulnerabilities, assess severity, and recommend fixes for
all Solidity contracts in this project.
## Audit Scope
- All files in contracts/core/ and contracts/libraries/
- Interfaces in contracts/interfaces/ are reference-only
- Test files are out of scope for vulnerability assessment
## Methodology: SCAR
Follow this sequence for every audit session:
1. **Scan** all in-scope contracts for known vulnerability patterns
2. **Classify** each finding by severity (Critical/High/Medium/Low/Info)
3. **Analyze** Critical and High findings with execution path tracing
4. **Report** all findings in the structured format below
## Vulnerability Checklist
Scan for these patterns in every contract:
- [ ] Reentrancy (state changes after external calls)
- [ ] Access control (missing modifiers, unprotected init)
- [ ] Unchecked external calls (low-level .call without checks)
- [ ] Integer issues (unchecked blocks, unsafe casting)
- [ ] Oracle manipulation (spot prices, short TWAP windows)
- [ ] Front-running (sandwich-vulnerable operations)
- [ ] Denial of service (unbounded loops, block gas limit)
- [ ] Timestamp dependence (block.timestamp manipulation)
- [ ] tx.origin authentication
- [ ] Delegatecall to untrusted contracts
## Severity Definitions
- **Critical**: Direct fund loss, no preconditions
- **High**: Fund loss with specific conditions, state corruption
- **Medium**: Conditional loss, griefing, value leakage
- **Low**: Best practice violations, no direct fund risk
- **Informational**: Code quality, gas optimization
## Report Format
For each finding, provide:
1. Severity tag and title
2. Affected contract, function, and line numbers
3. Description of the vulnerability
4. Step-by-step proof of concept
5. Recommended fix with code
6. Foundry test case for regression testing
## Rules
- Never skip a contract file, even if it looks simple
- Always check cross-contract interactions
- Flag any function that can be called by arbitrary addresses
- If a finding is uncertain, mark it as "Needs Manual Review"
- After completing the audit, summarize: total findings by severity,
overall risk assessment, and top 3 recommendationsThis template encodes the SCAR methodology directly into Claude’s context. When you open your project in Claude Code, it loads these instructions automatically and applies them consistently across audit sessions. You can extend it with protocol-specific invariants — for example, “the total supply of vault shares must always equal the sum of all user deposits” — to catch business logic violations unique to your protocol.
For teams building MCP-integrated payment systems, add a section covering payment-specific risks: double-spend scenarios, settlement finality checks, and refund logic edge cases. The template is a living document that improves with every audit cycle.
If you are new to using Claude Code for blockchain development more broadly, the Web3 development guide covers the foundational setup, project configuration, and workflow patterns that complement this audit-focused approach.
AI auditing is a strong first pass, but production contracts need professional review. Aurpay’s smart contract service provides comprehensive audits for payment infrastructure, DeFi protocols, and token contracts. Request an audit.
]]>If you have ever invoiced a client in crypto, you know the friction. You open a payment platform, manually enter the amount, pick a token, generate a wallet address, copy that address into an email, and hit send. Then you wait. You check the block explorer. You cross-reference the transaction hash against the invoice. You update your accounting spreadsheet. For a single invoice, this takes 10 to 15 minutes. For a business sending 50 invoices a month, it consumes entire workdays.
The pain points stack up quickly. Wallet address management becomes a bookkeeping nightmare when each client gets a unique deposit address. Currency conversion between fiat-denominated contracts and crypto-denominated payments introduces rounding errors. On-chain confirmations vary by network (12 seconds on Ethereum, 10 minutes on Bitcoin), and you need to monitor each one. Reconciliation means matching blockchain transactions to invoice line items, a process that most accounting software still does not handle natively.
Traditional invoicing platforms like FreshBooks and QuickBooks solved these problems for fiat years ago. Crypto invoicing is where fiat invoicing was in 2005: functional but painfully manual. AI changes that equation by collapsing the entire workflow into a single natural-language instruction.
An automated crypto invoicing system has three layers that work together. The first is an AI layer that interprets natural language and converts it into structured invoice data. The second is a crypto payment gateway that generates payment links, monitors on-chain transactions, and handles settlement. The third is an automation layer that connects these pieces: sending notifications, updating records, and triggering follow-up actions based on payment status.
Think of it as a pipeline. You speak to the AI in plain English. The AI produces a structured JSON object. That object hits a payment API. The API returns a payment link. The link gets delivered to your client. Webhooks report back when the payment lands on-chain. Your records update automatically. Each layer is independent and replaceable, but together they eliminate every manual step in the invoicing cycle.
The rest of this guide walks through each layer with working code you can adapt for your own business.
The first step is parsing a human sentence into machine-readable invoice data. Modern LLMs handle this reliably. You provide a system prompt that defines the output schema, and the model extracts the relevant fields from whatever the user types.
Here is a prompt template that works with Claude, GPT-4o, or any OpenAI-compatible API:
const systemPrompt = `You are an invoice data extractor. Given a natural language
instruction, extract the following fields and return valid JSON:
{
"client_name": "string",
"client_email": "string or null",
"amount": number,
"currency": "USDC" | "USDT" | "BTC" | "ETH",
"description": "string",
"due_date": "YYYY-MM-DD or null"
}
Rules:
- Default currency is USDC if not specified
- Default due date is 14 days from today if not specified
- Amount should be numeric (no dollar signs)
- If email is not provided, set to null`;
async function parseInvoiceInstruction(userMessage) {
const response = await openai.chat.completions.create({
model: "gpt-4o",
messages: [
{ role: "system", content: systemPrompt },
{ role: "user", content: userMessage }
],
response_format: { type: "json_object" }
});
return JSON.parse(response.choices[0].message.content);
}When you pass in “Invoice Acme Corp 2,500 USDT for the February smart contract audit, due March 30, send to [email protected],” the model returns:
{
"client_name": "Acme Corp",
"client_email": "[email protected]",
"amount": 2500,
"currency": "USDT",
"description": "February smart contract audit",
"due_date": "2026-03-30"
}This structured output becomes the input for the next step. The extraction is deterministic enough for production use. In testing across 200 sample instructions, field accuracy exceeded 98%. Edge cases like ambiguous currency references (“dollars” vs. “USDC”) are handled by the default rules in the system prompt.
With structured data in hand, the next step is creating a payment link through a crypto payment gateway. A gateway like Aurpay can generate hosted payment pages where your client pays in their preferred cryptocurrency. The code below shows the general pattern — adapt the endpoint and authentication to your gateway’s API:
async function createCryptoInvoice(invoiceData) {
const payload = {
amount: invoiceData.amount,
currency: invoiceData.currency,
description: invoiceData.description,
customer_name: invoiceData.client_name,
customer_email: invoiceData.client_email,
due_date: invoiceData.due_date,
supported_currencies: ["USDC", "USDT", "BTC", "ETH"],
callback_url: "https://your-app.com/webhooks/invoice-status",
redirect_url: "https://your-app.com/payment/thank-you"
};
const response = await fetch("https://api.your-gateway.com/v1/invoices", {
method: "POST",
headers: {
"Content-Type": "application/json",
"Authorization": `Bearer ${process.env.GATEWAY_API_KEY}`
},
body: JSON.stringify(payload)
});
return response.json();
}The response includes a unique invoice ID, a payment link, and a deposit wallet address generated specifically for this transaction. Multi-currency support means your client can choose to pay in USDC, USDT, BTC, or ETH regardless of how you denominated the invoice. The gateway handles the conversion math.
{
"invoice_id": "inv_8f3a2b1c",
"payment_url": "https://pay.your-gateway.com/inv_8f3a2b1c",
"deposit_address": "0x7a3b...9f2e",
"amount": 2500,
"currency": "USDT",
"status": "created",
"expires_at": "2026-03-30T23:59:59Z"
}Because Aurpay is non-custodial, the deposit address routes funds directly to your wallet. There is no intermediary holding your money and no withdrawal process. Settlement is peer-to-peer, which matters both for cash flow and for regulatory simplicity.
Once the payment link exists, the automation layer takes over. The simplest version sends an email to the client with the payment link and then monitors status changes via webhooks.
async function sendInvoiceAndTrack(invoiceData, paymentResponse) {
// Send the invoice via email
await sendEmail({
to: invoiceData.client_email,
subject: `Invoice from YourCompany: ${invoiceData.description}`,
body: `
Hi ${invoiceData.client_name},
Here is your invoice for ${invoiceData.amount} ${invoiceData.currency}.
Description: ${invoiceData.description}
Due date: ${invoiceData.due_date}
Pay here: ${paymentResponse.payment_url}
This link supports USDC, USDT, BTC, and ETH.
`
});
// Log the invoice in your database
await db.invoices.insert({
invoice_id: paymentResponse.invoice_id,
...invoiceData,
status: "sent",
sent_at: new Date().toISOString()
});
}
// Webhook handler for status updates
app.post("/webhooks/invoice-status", async (req, res) => {
const { invoice_id, status, tx_hash, confirmed_amount } = req.body;
await db.invoices.update(
{ invoice_id },
{ status, tx_hash, confirmed_amount, updated_at: new Date() }
);
// Notify you on Slack when payment arrives
if (status === "paid") {
await slack.send(`Invoice ${invoice_id} paid. TX: ${tx_hash}`);
}
res.sendStatus(200);
});The invoice moves through a clear status flow: created → sent → partially_paid → paid → settled. Each transition triggers a webhook, so your system always knows the current state. Partial payments are tracked automatically. If a client sends 1,800 of 2,500 USDT, the invoice shows the remaining balance and stays open until the full amount arrives or the due date passes.
For teams that live in Slack rather than email, you can swap the email delivery for a Slack message containing the payment link. The monitoring logic stays identical.
Settlement in crypto is fundamentally different from fiat. There is no T+2 clearing delay or batch processing window, and no intermediary bank decides when to release your funds. When a client sends USDT on Ethereum, the transaction typically confirms in 2 to 3 minutes. On Solana or Tron, it takes seconds. Once confirmed on-chain, the funds are in your wallet. Settlement is final.
This finality simplifies reconciliation. Each invoice maps to a unique deposit address, which maps to a single on-chain transaction (or a small set of transactions for partial payments). Your webhook handler already captured the transaction hash and confirmed amount. The reconciliation step just verifies that the on-chain data matches your invoice records.
async function reconcileInvoice(invoice_id) {
const invoice = await db.invoices.findOne({ invoice_id });
const onChainTx = await getTransactionDetails(invoice.tx_hash);
const reconciled = {
invoice_amount: invoice.amount,
received_amount: onChainTx.value,
currency: invoice.currency,
block_confirmations: onChainTx.confirmations,
settled: onChainTx.confirmations >= 12,
variance: onChainTx.value - invoice.amount
};
await db.invoices.update(
{ invoice_id },
{ reconciliation: reconciled, status: "settled" }
);
// Push to accounting system
await accounting.createEntry({
type: "revenue",
amount: reconciled.received_amount,
currency: reconciled.currency,
reference: invoice_id,
tx_hash: invoice.tx_hash
});
return reconciled;
}The non-custodial advantage is worth emphasizing here. With custodial payment processors, your funds sit in the processor’s wallet until you initiate a withdrawal. That introduces counterparty risk and delays cash flow. With a non-custodial gateway like Aurpay, the moment on-chain confirmation hits the required threshold, the money is yours. No withdrawal request, no waiting period, and no risk of the processor freezing your account.
If you have already built a crypto payment MCP server, you can trigger this entire invoicing flow from a Claude conversation. The MCP server exposes your invoice functions as tools that Claude can call directly.
// In your MCP server tool definitions
{
name: "create_and_send_invoice",
description: "Parse a natural language invoice instruction, create a crypto invoice, and send it to the client",
inputSchema: {
type: "object",
properties: {
instruction: {
type: "string",
description: "Natural language invoice instruction, e.g. 'Invoice Acme Corp 500 USDC for API work'"
}
},
required: ["instruction"]
}
}With this tool registered, a conversation with Claude looks like this:
You: “Invoice DataFlow Labs 3,200 USDC for the March analytics dashboard. Due April 15. Send to [email protected].”
Claude: “Done. Invoice inv_9d4e1a7f created for 3,200 USDC. Payment link sent to [email protected]. Due date: April 15, 2026. I will notify you when payment is received.”
The entire pipeline (parsing, API call, email delivery, webhook registration) happens in under three seconds. You stay in your IDE or chat interface. The invoice runs on its own from there. This is the pattern described in the WooCommerce + Claude Code tutorial, extended from checkout flows to invoicing.
A developer in Lagos invoices a startup in Berlin. Traditional wire transfers take 3 to 5 business days and cost $25 to $45 in fees. SWIFT intermediary banks sometimes hold funds for compliance checks, adding more delays. With crypto invoicing, the developer sends a USDC invoice, the client pays from their stablecoin balance or converts from EUR on the spot, and settlement completes in minutes. Total fees: under $1 in network gas. For freelancers billing $5,000 to $15,000 per month across multiple international clients, the savings on fees and time compound quickly.
A B2B SaaS company offers annual plans at $12,000 per year. Some enterprise clients, particularly crypto-native companies and DAOs, prefer to pay from treasury wallets rather than corporate credit cards. Automated invoicing lets the SaaS company generate recurring crypto invoices on the first of each month, track payment status programmatically, and flag overdue accounts without manual follow-up. The AI layer handles edge cases like “pay the next three months upfront at a 10% discount” by adjusting the invoice amount and description automatically.
A marketing agency with 30 active clients can batch-generate invoices with a single command: “Create invoices for all active clients based on their March retainer agreements.” The AI reads from a client database, generates 30 structured invoice objects, and the payment gateway creates 30 unique payment links in parallel. Status tracking across all 30 invoices feeds into a single dashboard. Compare this to the alternative: opening 30 tabs, filling in 30 forms, and manually checking 30 block explorers over the next two weeks.
If you have worked with crypto checkout on Shopify, you might wonder how invoicing differs. The key distinction is timing and context. A checkout flow is synchronous: the customer is on your website, ready to pay now. An invoice flow is asynchronous: you send a payment request, and the client pays when they are ready, possibly days later.
This asynchronous nature removes some concerns (cart state, inventory locks, session timeouts) while introducing others: expiration dates, payment reminders, and partial payment logic. AI handles the complexity by automating the follow-up: sending reminders three days before due date, escalating overdue invoices, and adjusting amounts for late fees if your contract requires them.
Skip the boilerplate. Aurpay’s crypto invoicing handles wallet generation, payment detection, and settlement so you can focus on your business. Create your first invoice.
]]>