# what cannot happen
- Vault drain. The vault authority is `PDA(["vault", nft_mint])`. Only the program, signing as that PDA, can move the locked tokens, and only via `unwrap_bull`, which requires burning the NFT.
- Admin seize. There is no admin instruction that touches your vault: no `force_unwrap`, no `admin_withdraw`. The upgrade authority can fix bugs in the code but cannot touch state directly; the only way it could ever reach state is by shipping new program code, which is exactly what the verifiable build makes visible.
- Supply inflation. $WBULL is launched via pump.fun with the mint authority set to null, so we cannot print more tokens. The bull cap (1,000) is enforced in the program's `pop_tier` logic, not by an admin flag.
- Front-run init. The `initialize` instruction is gated by an Anchor `ProgramData` upgrade-authority constraint. Only the deployer, signing with the upgrade key, can init the bank PDA.
# what we did to harden the program
- `init_if_needed`: REMOVED (reinit attack surface).
- `initialize` signer: GATED to `ProgramData.upgrade_authority`.
- Bank PDA: SINGLETON, one-shot init.
- `transfer_checked`: REQUIRED (decimals verified on-chain).
- Token-2022 `InterfaceAccount`: BOTH classic SPL Token and Token-2022 mints accepted.
- Cross-wallet unwrap: TESTED (the vault follows the NFT).
- Adversarial test suite: wrong NFT / wrong vault rejected.
- Verifiable build: solana-verify, deterministic .so.
# test coverage
- Rust unit tests: passing (tier accounting, cap, reuse).
- Anchor integration tests: passing (wrap, unwrap, cross-wallet, adversarial, royalty).
- Verifiable build: the solana-verify .so matches the public repo commit.
# keys + wallets
- Deployer wallet: signs `anchor deploy` and `initialize`. Cold-backed.
- Upgrade authority: same as the deployer. Can patch program bugs; cannot touch user state.
- Royalty treasury: a SEPARATE wallet, not the deployer. Receives the 5% secondary royalties.
- RPC key (Helius): server-side only, in `/api/rpc`. Never in the client bundle.
# operational
- Same-origin RPC proxy. The browser never talks to a public Solana RPC. It calls `/api/rpc` on our domain, which forwards to a paid Helius endpoint. No IP/region 403s.
- Method allowlist + rate limit. The proxy allowlists ~20 JSON-RPC methods and rate-limits per IP. Our RPC credits cannot be drained by a third party.
- Blue-green zero-downtime deploy. Two backend instances, atomic Caddy upstream swap with active health-check failover. The website does not go down for a deploy or a crash.
- Runtime launch-state flip. Rolling the site between prelaunch and live is a single file write, no rebuild. Emergency rollback is sub-second.
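The allowlist and per-IP limit described above, written out as an added example. This is not the project's own `/api/rpc` code; it assumes an Express-style `req`/`res` where `req.body` is the raw JSON string (e.g. `express.text({ type: "application/json" })`), that Caddy is the only route into the backend (so the first `X-Forwarded-For` hop is trustworthy), and that the specific method list, limits and `upstreamUrl` are placeholders. The vetting step is kept separate from the forwarding step so it can be exercised without network access; it also charges the limiter per JSON-RPC call rather than per HTTP request, so a batch cannot multiply upstream credit use.

```javascript
// Added example, not the project's /api/rpc code. Assumptions: Express-style
// req/res with req.body as the raw JSON string, Caddy as the only route in,
// and the allowlist, limits and upstream URL below.
const ALLOWED_METHODS = new Set([
  "getAccountInfo", "getBalance", "getBlockHeight", "getFeeForMessage",
  "getLatestBlockhash", "getMinimumBalanceForRentExemption", "getMultipleAccounts",
  "getRecentPrioritizationFees", "getSignatureStatuses", "getSlot",
  "getTokenAccountBalance", "getTokenAccountsByOwner", "getTransaction",
  "sendTransaction", "simulateTransaction",
  // getProgramAccounts is deliberately absent: it is the most expensive call a
  // stranger could aim at the credits, and the UI does not need it.
]);
const MAX_BATCH = 10;             // JSON-RPC calls per HTTP request
const MAX_BODY_BYTES = 64 * 1024; // room for a signed transaction, not for abuse

// Fixed-window limiter keyed by client IP. `now` is injectable for tests.
class IpRateLimiter {
  constructor(limit, windowMs, now = Date.now) {
    this.limit = limit;
    this.windowMs = windowMs;
    this.now = now;
    this.buckets = new Map(); // ip -> { windowStart, used }
  }
  // Charge `cost` units to `ip`. Returns false, charging nothing, when over limit.
  allow(ip, cost = 1) {
    const t = this.now();
    let b = this.buckets.get(ip);
    if (!b || t - b.windowStart >= this.windowMs) {
      b = { windowStart: t, used: 0 };
      this.buckets.set(ip, b);
    }
    if (b.used + cost > this.limit) return false;
    b.used += cost;
    return true;
  }
  // Drop expired buckets so the map cannot grow without bound under IP churn.
  prune() {
    const t = this.now();
    for (const [ip, b] of this.buckets) {
      if (t - b.windowStart >= this.windowMs) this.buckets.delete(ip);
    }
  }
}

function reject(status, message) {
  return { ok: false, status, error: message };
}

// Decide whether a raw request body may be forwarded upstream.
// Returns { ok: true, body } with the parsed JSON-RPC payload (single call or
// batch, shape preserved), or { ok: false, status, error }. No network here.
function vetRpcRequest(rawBody, ip, limiter) {
  if (typeof rawBody !== "string" || Buffer.byteLength(rawBody, "utf8") > MAX_BODY_BYTES) {
    return reject(413, "body too large");
  }
  let body;
  try {
    body = JSON.parse(rawBody);
  } catch {
    return reject(400, "invalid JSON");
  }
  const calls = Array.isArray(body) ? body : [body];
  if (calls.length === 0 || calls.length > MAX_BATCH) return reject(400, "bad batch size");
  for (const call of calls) {
    if (!call || typeof call !== "object" || call.jsonrpc !== "2.0" || typeof call.method !== "string") {
      return reject(400, "malformed JSON-RPC call");
    }
    if (!ALLOWED_METHODS.has(call.method)) return reject(403, `method not allowed: ${call.method}`);
  }
  // One unit per call, not per HTTP request: a batch of N costs N upstream.
  if (!limiter.allow(ip, calls.length)) return reject(429, "rate limited");
  return { ok: true, body };
}

// Express-style handler for POST /api/rpc.
async function handleRpc(req, res, { limiter, upstreamUrl, fetchImpl = globalThis.fetch }) {
  // Behind Caddy the socket peer is always the proxy, so the client address is
  // the first X-Forwarded-For hop. Only safe because nothing else can reach us.
  const forwarded = req.headers["x-forwarded-for"];
  const ip = (forwarded ? String(forwarded).split(",")[0] : req.socket.remoteAddress || "").trim();
  const verdict = vetRpcRequest(req.body, ip, limiter);
  if (!verdict.ok) {
    res.status(verdict.status).json({
      jsonrpc: "2.0", id: null, error: { code: -32600, message: verdict.error },
    });
    return;
  }
  // Re-serialise the vetted payload; forward no client headers or cookies.
  // upstreamUrl carries the provider key and never appears in a response.
  const upstream = await fetchImpl(upstreamUrl, {
    method: "POST",
    headers: { "content-type": "application/json" },
    body: JSON.stringify(verdict.body),
  });
  res.status(upstream.status).type("application/json").send(await upstream.text());
}
```

Wire it with something like `app.post("/api/rpc", (req, res) => handleRpc(req, res, { limiter: new IpRateLimiter(120, 60_000), upstreamUrl: process.env.RPC_UPSTREAM_URL }))` and call `limiter.prune()` from a timer. The important property is that the only thing the browser can influence is which allowlisted method runs and how often, never where the request goes or which key it carries.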
# things that can still break (named honestly)
- Single VPS. The website is on one server. If that box / datacenter fails, the website is unreachable until we route around it (Cloudflare static fallback is the standing answer). The onchain program is unaffected. Wrap and unwrap continue from any other client.
- Phantom warnings. New dApps occasionally show "could be malicious" until Phantom's review queue processes the domain + program submission. We submit 48 to 72 h before announce.
- Wallet bugs. If a user's wallet mishandles SPL token simulation, they may see a wrong banner. We pre-simulate every wrap server-side and surface the actual simulation result to avoid this.
Found something? Open a GitHub issue, or DM us on X. We respond to anything that touches user state inside 24h.