
Update README.md

2369ae2
Merged

DEV-115700 Added risk_indicator object to ResOrder.java #182

ZeroPath AI / Security Check failed Oct 14, 2025 in 4m 46s


The following issues were found:

  • Information Disclosure: No patch for this bug could be generated. Here is a description and location:
    Location: riskified-sdk/src/main/java/com/riskified/models/BankWirePaymentDetails.java:38:56
    Description: Broken/incorrect getters and setters in BankWirePaymentDetails (use of undefined 'self', incorrect assignments of Date to token, misspelled method names). The diff shows multiple mistakes in the added storedPayment* accessors:
      • getStoredPaymentCreatedAt returns self.storedPaymentCreatedAt (Java has no 'self' variable) -> will not compile.
      • setStoredPaymentCreatedAt assigns storedPaymentCreatedAt to token (String) instead of to storedPaymentCreatedAt (Date) -> type mismatch and overwrites a sensitive token field if it compiled.
      • getStoredPaymentUpdateddAt is misspelled and uses self.storedPaymentUpdatedAt.
      • setStoredPaymentUpdateddAt is misspelled and assigns to token as well.

Impact: these are immediate correctness errors that will cause compilation failures or, if somehow compiled, will corrupt the payment token field (sensitive data). A broken SDK class can cause application build/runtime failures (availability impact) and could cause inadvertent exposure/corruption of the payment token. This requires a code fix (security/functional patch).
Link to UI: https://zeropath.com/app/issues/57609b0f-dcdf-4fa6-aed1-4d939fc7f427

The following low severity issues were also found:

  • Denial of Service (DOS): No patch for this bug could be generated. Here is a description and location:
    Location: riskified-sdk/src/main/java/com/riskified/models/Recipient.java:80:86
    Description: Compilation and logic errors in Recipient getters/setters (use of undefined 'self' and missing semicolon). The added walletId accessor methods use 'self' instead of 'this' and the setter is missing a terminating semicolon. These will cause compilation failures and prevent the SDK from being used.

Impact: build/runtime failures (availability). Additionally, incorrect field access could prevent correct serialization/deserialization of the walletId property.
Link to UI: https://zeropath.com/app/issues/cb80381d-e359-4754-805d-a42377435c02

  • Denial of Service (DOS): No patch for this bug could be generated. Here is a description and location:
    Location: riskified-sdk/src/main/java/com/riskified/models/RiskIndicators.java:1:55
    Description: RiskIndicators.get(String, Class) uses an unchecked cast and can produce ClassCastException at runtime. The new RiskIndicators class exposes a generic getter that performs a raw unchecked cast: return (T) value;. If callers expect a particular type but the runtime value differs (e.g., deserialized JSON types), this will throw at runtime and can cause application failures (denial of service). Use of Class.cast with an isInstance check prevents unexpected ClassCastExceptions and makes the failure mode explicit.

Impact: Unexpected/malformed data from external sources (e.g., deserialized risk indicators) can cause runtime exceptions when code uses the typed getter, which is an availability and robustness issue. No evidence of remote code execution or injection in this diff.

Link to UI: https://zeropath.com/app/issues/a4735839-4a31-4130-a59f-b90d0eb8a85f

Reply to this PR with @zeropath-ai followed by a description of what change you want and we'll auto-submit a change to this PR to implement it.