Professor Vaulty mascot
$VAULTY
Home

Anti-phishing promise

Vaulty will never:

  • DM you on Telegram, Discord or email asking you to "verify" your wallet.
  • Ask for your seed phrase, recovery words or private key.
  • Run Google sign-in from anywhere other than accounts.google.com.
  • Ask you to "import" or "re-authenticate" your wallet via a link.

The only domain that owns your passkey is vaulty.world. Report anything else to security@vaulty.world.

ChainGPT Verified
Vaulty Fortress Verified

ChainGPT AuditedSolana-Native Security You Can Verify

Vaulty is built like a fortress: keys stay on your device, transactions are simulated before you sign, and every Anchor program has been independently reviewed by ChainGPT. No hidden back-doors. No silent approvals. No custody of your funds.

In Review
Audit Status
ChainGPT
Auditor
7 audited
Programs
Solana
Network
Live · Audit Readiness
Needs Attention

Audit Readiness Status

2 ready · 3 in progress · 1 needs attention · target completion Jul 10, 2026

Confidence91%
⚙ · Run Your Own Audit

Run a Vaulty Security Check — Like an Independent Audit

A read-only, library-driven simulation of what ChainGPT & Solana auditors check. Run the quick overview or pick an area. Nothing is signed, sent, or changed — this only inspects rules and public configuration.

vaulty-audit · simulated rule packidle

Ready. Press Run check to start a read-only audit simulation against the ChainGPT / Solana rule pack.

01 · Trust Suite

Vaulty Trust Suite

Tap any badge for a short, plain-language explanation of what it guarantees and how it's enforced.

Coming next:Bug BountyHSTS PreloadCAA Verified
02 · Understanding the Audit

What is this audit?

An independent security audit is a third-party health check for code. ChainGPT's auditors reviewed Vaulty's smart contracts, wallet logic, and on-chain programs to confirm they behave exactly as promised — no hidden back-doors, no unexpected fees, no way for anyone (including the Vaulty team) to access your funds without your approval.

The audit covers both the on-chain programs running on Solana and the off-chain wallet flows you interact with in your browser and Telegram. Every finding is documented, every fix is verified, and the final report is published for public review.

03 · Audit Scope

What was audited?

Vaulty Wallet Core & Signing

Key generation, encrypted storage, biometric/PIN unlock flow, transaction signing, and the in-browser wallet adapter. Verified that private keys never leave the device unencrypted.

Solana Programs & Token-2022

The vault, strategy, payout, identity, and autopay Anchor programs. Checked PDA validation, authority checks, re-entrancy guards, and Token-2022 compliance.

Pump.fun Launchpad & Alerts

Integration with Pump.fun for token launch events, real-time alert routing, and safe interaction with external launchpad contracts.

Multi-Wallet / Telegram Binding

The wallet-linking protocol, Telegram Mini App auth flow, session management, and cross-device sync. Verified no session hijack paths.

Jarvis AI & Voice System

Read-only assistant boundaries, voice-command parsing, and the safety layer that prevents Jarvis from signing or spending without explicit user confirmation.

Passkey & Biometric Authentication

WebAuthn credential creation, discoverable-credential sign-in flow, origin validation, challenge storage, and integration with the existing biometric/PIN unlock stack. Verified FIDO2 compliance and phishing resistance.

Arweave Backup & Cross-Device Sync

Encrypted backup creation, ciphertext upload to Arweave/Pinata, restoration flow, and secret-handling during migration between devices.

Gas Optimizer

Compute-unit estimation, priority-fee logic, and the safety checks that prevent over-spending on transaction fees.

Competition Payout Engine

The on-chain draw logic, prize distribution, batch payout math, weight-share correctness, and the principal-protection rule that prevents yield over-spend.
04 · Security Criteria

What auditors look for

Six categories, each mapped to concrete checks performed during the ChainGPT review.

🔑 Key & seed isolation

Keys generated on-device, encrypted at rest, never transmitted. Memory wiped after use; no plaintext seeds in logs or analytics.

⚖️ Transaction safety

Every transaction is simulated and decoded into human-readable intent before approval. No blind signing of opaque payloads.

⚙️ Solana-specific rules

Strict account checks, signer validation, CPI safety, PDA seeds, rent exemption, and compute-unit ceilings on every instruction.

🔌 Integration hygiene

Pump.fun, Arweave, Wormhole/SKALE and Telegram each get bounded permissions, request signing, and explicit timeouts.

🧱 Frontend & bot

CSP and CORS enforced, rate-limits on RPC and bot endpoints, Zod validation on every input, and no inline secrets.

📄 Compliance & disclosure

GDPR-compliant data handling, published security contact, and a responsible-disclosure path for researchers.
05 · Audit Lifecycle

How the process works

  1. 01

    Prep

    Internal code freeze, threat modelling, and assembling the scope document — every program, dependency, and trust boundary.

  2. 02

    Handover

    Source, build instructions, and known-issues list shared with ChainGPT auditors under a signed scope of work.

  3. 03

    Review

    Automated analysis + line-by-line human review of Anchor programs, wallet signing, and integration surfaces.

  4. 04

    Report

    Findings categorised by severity (critical → informational), each with reproduction steps and recommended fixes.

  5. 05

    Remediation

    Vaulty engineers fix, regression-test, and ship. ChainGPT re-verifies that every issue is resolved or formally accepted.

  6. 06

    Final sign-off

    Public report published here with a score, the full findings table, and a downloadable PDF.

06 · Security in Action

See the safety, live

Three lightweight, offline demonstrations of how Vaulty protects your funds. None of these touch mainnet — they're illustrative only.

Key stays local

Signing never sends secrets

Your Device
key 0x…7f3
signed tx (no key inside)
Solana RPC
tx only

Only the signed transaction crosses the network. The private key never leaves your device — not to Vaulty, not to the RPC, not to anyone.

Illustrative · No live signing

Transaction simulation

Read-only intent preview

Programvaulty-strategy
Instructiondeposit_sol
Δ balance− 1.250 SOL
Δ vault share+ 1.249 vSOL
Fee0.00012 SOL

Decoded intent is shown before you approve — no surprises, no opaque blobs.

Illustrative · No live signing

Multi-wallet isolation

No cross-bleed between wallets

Trading
isolated
Savings
isolated
Airdrops
isolated

Each wallet has its own keys and signing scope. No cross-bleed: a leaked prompt or a single permission never touches the other wallets.

Illustrative · No live signing
07 · User Benefits

What this means for you

Your Funds Are Yours

Non-custodial by design. Vaulty cannot move, freeze, or access your wallet without your explicit approval.

Transparent & Verifiable

Every transaction, payout, and competition draw is recorded on Solana and viewable on-chain in real time.

Biometric-Grade Security

Every send, swap, or claim requires local biometric or PIN confirmation. No remote signing, ever.

08 · Audit Report & Score

Audit report & score

Audit in progress

ChainGPT Smart-Contract Audit Report

The full public report is being finalised. Once published, a PDF copy, score, risk breakdown, and resolved/open findings will be available here for download and independent verification.

Current Score
Awaiting final report
Critical
High
Medium
Resolved

Programs under review

ProgramLanguage / FrameworkStatusReport
vaulty-strategyAnchor / RustIn reviewComing soon
vaulty-autopayAnchor / RustIn reviewComing soon
vaulty-payoutAnchor / RustIn reviewComing soon
vaulty-coreAnchor / RustIn reviewComing soon
vaulty-identityAnchor / RustIn reviewComing soon
vaulty-pantheonAnchor / RustIn reviewComing soon
vaulty-boostsAnchor / RustIn reviewComing soon
09 · Living Record

Security & Audit Timeline

Built & strengthened over time. Tap any milestone to expand. Sourced from one managed list — every entry maps to a real release or review.

Want the full notes per release?

Open security center
09 · Trust Badge

Verified & Audited badge

Verified & Audited

This badge confirms that Vaulty has completed an independent ChainGPT security audit. Use it across the site, docs, and partner pages to signal trust.

ChainGPTSolanaNon-CustodialMultisig 2/3
10 · Stay Informed

Security hub & responsible disclosure

Security Center

Live system status, defense layers, and the full audit stream behind Vaulty — multisig, timelock, anti-MEV swaps, compliance agents and 24/7 monitoring.

Open Security Center

Bug Bounty

Found something? We acknowledge reports within 48 hours and credit researchers in our public security log. Please do not post live PoCs publicly until we've confirmed a fix.

security@vaulty.world

© 2026 Vaulty Treasury · Built to grow. Built to last.