Security Report
Why you won't get rugged. Verify every claim on-chain.
Last updated: April 2026
TL;DR
The smart contracts are open source with no admin withdraw instruction. Sells always work, even if the platform is paused. If the engine goes offline for 24 hours, you can rage-quit and pull your SOL out permissionlessly. The bonding curve is pure math — nobody holds liquidity keys.
1. Anti-Rug Mechanisms
These are the features that make it structurally impossible to rug you, even if we wanted to.
Bonding curve = math, not a liquidity pool
Your SOL isn't sitting in a Raydium pool with an LP token some dev can pull. It's locked in a constant-product bonding curve inside a Solana program. The price is determined by math. There is no LP token. There is no "remove liquidity" instruction.
You can ALWAYS sell
Sells work even when the platform is paused. Even if we hit a circuit breaker, even if the admin pauses the platform, even if the engine is offline — you can sell your tokens on the bonding curve and get SOL back. This is enforced by the smart contract, not a promise.
20% reserve always available for instant sells
When you buy, 20% of your SOL stays in the vault as liquid reserve. The rest goes to the engine for trading. That 20% is always there for sellers. The vault checks its actual balance before processing a sell — it can never send SOL it doesn't have.
Creator cannot drain funds
There is no instruction that lets a vault creator withdraw SOL from the vault. The creator only receives their share of trade fees — paid at the time of each buy/sell. The creator's wallet has zero authority over vault funds.
Separated keys with limited permissions
The system uses three separate keys (Admin, Engine, Creator) each with strictly limited capabilities. No single key can access user funds directly. Admin transfer requires a two-step process across separate transactions.
Emergency withdraw (rage-quit)
If the engine goes dark for longer than 24 hours, anyone can call an emergency withdraw. No admin needed. No engine needed. Completely permissionless. Token holders burn their tokens and receive pro-rata SOL from the vault.
Automatic circuit breakers
Multiple drawdown thresholds automatically restrict and then halt engine trading. Breakers can only escalate automatically — recovery requires explicit admin action. Sells still work in all modes.
On-chain math protections
The bonding curve enforces a constant-product invariant on every trade. Slippage protection is enforced on-chain for both user swaps and engine trades. Buybacks use time-weighted execution to prevent MEV.
2. Audit Status
All identified vulnerabilities have been fixed and verified.
6 rounds of security review
The smart contracts went through 6 rounds of internal security review conducted by a 10-agent specialized team covering security, penetration testing, smart contract analysis, backend, risk management, data engineering, DevOps, frontend, quant, and legal.
2 penetration test cycles
Dedicated red-team testing attempted to exploit the contracts and engine. All findings were addressed before deployment.
Pre-commit team review on every change
Every code change goes through a mandatory multi-agent review before committing. This happens on every single commit, not just major releases.
3. Honest Risks
We're not going to pretend everything is guaranteed. Here's what could go wrong.
The engine can lose money
2.87 Sharpe over 90 days and +78.6% over 2 years of backtesting. But past performance is not a guarantee. Circuit breakers limit losses, but those losses are real.
Solana network risk
If Solana goes down, you can't buy, sell, or withdraw. Your funds are safe in the program, but inaccessible during downtime.
Smart contract risk
6 internal audit rounds and 2 pentest cycles with 0 critical/high findings. But we have not had a formal third-party audit. The code is open source — verify it yourself.
DEX routing risk
Engine trades route through Jupiter. A bug or exploit in Jupiter could affect trades. On-chain protections limit but don't eliminate damage.
Oracle centralization
The engine pushes price data to on-chain oracles with rate limits and deviation caps. Decentralized oracle integration is planned for a future release.
4. Verify It Yourself
Don't trust this document. Verify.
The programs are open source. Inspect every instruction and its access control yourself.
Use a Solana explorer to look at the program accounts and verify the claimed configuration.
Every vault's state (reserves, mode, circuit breaker status) is readable on-chain.
If you're skeptical, wait for a pause event and try selling. It will work.
This report describes the security architecture as of the April 2026 deployment. The source code is the authoritative reference — if this document and the code disagree, the code is correct.
Satisfied? Launch a vault.
Backed by math, protected by code, verified on-chain.