Security

# what cannot happen

• Vault drain. The vault authority is PDA(["vault", nft_mint]). Only the program signing as that PDA can move the locked tokens, and only via unwrap_fox, which requires burning the NFT first.
• Admin seize. There is no admin instruction that touches your vault. No force_unwrap, no admin_withdraw. The upgrade authority can patch bugs in code — it cannot touch user state.
• Supply inflation. $wFOX is launched via pump.fun with mint authority set to null. The fox cap (1,000) is enforced in the program's pop_tier logic, not an admin flag.
• Front-run init. The initialize instruction is gated by Anchor ProgramData upgrade authority constraint. Only the deployer key can init the bank PDA.

# hardening measures

  init_if_needed              REMOVED   (reinit attack surface)
  initialize signer           GATED to ProgramData.upgrade_authority
  bank PDA                    SINGLETON, one-shot init
  transfer_checked            REQUIRED  (decimals verified onchain)
  Token2022 InterfaceAccount  BOTH classic + Token2022 mints accepted
  cross-wallet unwrap         TESTED    (vault follows NFT)
  adversarial test suite      wrong NFT / wrong vault rejected
  verifiable build            solana-verify, deterministic .so

# test coverage

  rust unit tests    passing  (tier accounting, cap, reuse)
  anchor integration passing  (wrap, unwrap, cross-wallet, adversarial, royalty)
  verifiable build   solana-verify  .so matches public repo commit

# keys + wallets

  deployer wallet    signs anchor deploy + initialize. cold backed.
  upgrade authority  same as deployer. can patch program bugs, cannot touch user state.
  royalty treasury   SEPARATE wallet. receives 5% secondary royalties.
  RPC key            server-side only in /api/rpc. never in client bundle.

# things that can still break (named honestly)

• Single VPS. The website is on one server. If it fails, the site goes down. The onchain program is unaffected — wrap and unwrap continue from any other client.
• Phantom warnings. New dApps occasionally show "could be malicious" until Phantom's review queue processes the domain. We submit 48–72h before announce.
• Wallet bugs. If a wallet mishandles Token2022 simulation, the user may see a wrong balance banner. We presimulate every wrap server-side and surface the actual result.