Anti-phishing promise
Vaulty will never:
- DM you on Telegram, Discord or email asking you to "verify" your wallet.
- Ask for your seed phrase, recovery words or private key.
- Run Google sign-in from anywhere other than
accounts.google.com. - Ask you to "import" or "re-authenticate" your wallet via a link.
The only domain that owns your passkey is vaulty.world. Report anything else to security@vaulty.world.
Live System Status
The Layers Between You & Loss
Bespoke Passkey & Biometric Login System
WebAuthn Open Standard
Built on the industry-leading WebAuthn standard — the same technology trusted by banks, governments, and enterprises worldwide. No proprietary magic.
Unique Key-Pair Per Device
Every passkey creates a unique public/private key-pair tied to your account and device. Only the public key is stored on our systems — no secrets ever shared.
Unified with Wallet Biometrics
Tightly integrated with your existing Vaulty biometric and PIN unlock flows. One familiar prompt — whether you are signing in or approving a transaction.
Resists Phishing & Leaks
Passkeys are bound to vaulty.world — they cannot be tricked by fake websites. No passwords to phish, no database to leak, no brute-force to crack.
Audited & Compliant
Our passkey implementation is reviewed alongside core wallet logic, WebAuthn credential handling, and session management. Fully compliant with FIDO2 best practices.
What's New — Enhanced Sign-In
The latest improvements to your passkey experience.
Sign in anywhere with a QR code
Scan from your phone to sign in on a new laptop or tablet in seconds. Your passkey never leaves the phone.
Instant recognition
Passkey prompt appears as soon as you start typing — no extra clicks needed.
Smoother transitions
Fewer pauses between screens, faster background loading for a seamless feel.
Move devices easily
Scan a QR code to add your passkey to a new phone or laptop in seconds.
Clearer trust controls
See last-used location and IP range; one-click "Revoke all other devices" any time.
Stronger sessions
Extra-short-lived tokens for sensitive actions — tighter security, same speed.
Better guidance
Simpler, clearer messages if your passkey isn't found or belongs to another device.
Why You May See an oauth.lovable.app URL
When you tap Continue using your Google account, your browser briefly transits oauth.lovable.app — the OAuth broker operated by our hosting provider (Lovable). It exchanges Google's response for a short-lived session token, then hands you back to vaulty.world. We never see your Google password, and the broker never sees your wallet keys.
If your browser shows a Safe Browsing warning on that URL, it usually relates to other apps that share the broker, not to Vaulty. We recommend signing in with a passkey or your Solana wallet (Phantom / Solflare) — those flows never leave vaulty.world.
- • Passkey sign-in — fully on vaulty.world, phish-proof.
- • Phantom / Solflare — wallet popup, no browser redirect.
- • Google — one quick redirect via the broker (above).
- • You can switch methods at any time in Account → Security.
Active Incidents
Guarded Actions, Live
Anti-Rug Status
| Safety Feature | Status | Description |
|---|---|---|
| 🚫Mint Authority | REVOKED | No new tokens can ever be created. Supply is fixed forever. |
| 🧊Freeze Authority | DISABLED | No accounts can be blacklisted or blocked from trading. |
| 🔥LP Tokens | BURNED | Liquidity pool ownership sent to dead address — cannot be removed. |
| ⏱️Principal Access | TIME-LOCKED | Cannot be moved instantly. 72-hour public notice required before any execution. |
| 🔐Admin Keys | MULTISIG | No single person holds the keys. 2-of-3 distributed control with timelock. |
| ✅Code Audit | VERIFIED | Smart contracts audited and verified secure by ChainGPT. |
Permanent Security Protocol
Reserve Vault · Security & Fund Management
The Reserve holds 100% of capital raised and all revenue generated by the ecosystem. It is secured by smart contract, governed by a 2 of 3 multisig with a 72-hour public timelock, and on a phased path to full DAO ownership.
2/3 multisig + 72h timelock. Founding team operates; every action publicly delayed and broadcast.
Multisig retained for emergencies; non-critical decisions opened to holder snapshot votes.
Complete community ownership. 1 $VAULTY = 1 vote. 60%+ majority required to execute any proposal.
| Safety Feature | Status | Description |
|---|---|---|
| 🚫Mint Authority | REVOKED | No new tokens can ever be created. Supply is fixed forever. |
| 🧊Freeze Authority | DISABLED | No accounts can be blacklisted or blocked from trading. |
| 🔥LP Tokens | BURNED | Liquidity pool ownership sent to dead address — cannot be removed. |
| ⏱️Principal Access | TIME-LOCKED | Cannot be moved instantly. 72-hour public notice required before any execution. |
| 🔐Admin Keys | MULTISIG | No single person holds the keys. 2-of-3 distributed control with timelock. |
| ✅Code Audit | VERIFIED | Smart contracts audited and verified secure by ChainGPT. |
Contact & Trust
General: hello@vaulty.world · Security: security@vaulty.world · Legal: legal@vaulty.world

