security_review/audit/topics/nonce_and_mempool_replay.md

# SpaceCash Security Review Topic: nonce_and_mempool_replay

- Severity if failed: `critical`
- Status: `not_reviewed`
- Reviewer:
- Reviewed at:

## Required Questions

- [ ] Can a queued nonce be reused before mining?
- [ ] Can a mined nonce be resubmitted with a different payload hash?
- [ ] Can pending spends exceed available balance when combined?

## Expected Controls

- UNIQUE(sender, nonce)
- nonces table
- pending balance reservation

## Evidence Collected

- Source files reviewed:
- Commands/tests run:
- Artifacts reviewed:

## Findings

- None recorded yet.

## Closure Notes

- Decision: `not_reviewed`
- Notes: