My sister

I know some communities out there like to dog on us for being the only product live on mainnet, but here's what one round of automated security review found on a competitor's codebase It goes to show this is not an easy product to develop. Perpetual futures protocols are among the most complex DeFi primitives to build correctly. Here's a sample of what we found: 🔴 CRITICAL: Circuit Breaker Only Exists Off Chain The price movement safety check only runs in the keeper bot (TypeScript). The on chain program accepts ANY price from the authority keypair. Compromised key = unlimited price manipulation = full vault drain. There is no on chain enforcement by default. 🔴 CRITICAL: Engine State Returns Garbage Data on Mainnet - The market discovery parser hardcodes field offsets for one slab version but also processes mainnet and devnet slabs with completely different layouts. Every engine field (total OI, funding rate, mark price, liquidation cursors) reads from wrong memory offsets. The UI/keeper/cranker all operate on corrupted data. 🔴 CRITICAL: Admin Secret Length Leaked via Timing The admin authentication for the circuit breaker endpoint leaks the LENGTH of the API secret through timing side channels. Attacker discovers length first, then brute forces character by character. 🟠 HIGH: Zero Fee Exploit via Dust Trades Trading fee uses floor division. When notional × feeBps < 10000, fee = 0. Split a $1M trade into thousands of micro trades, each paying zero fees. Ironically their dynamic fee function correctly uses ceiling division. Inconsistency between the two. 🟠 HIGH: Fee Split Has No Sum Validation No check that LP + protocol + creator fee shares equal 100%. If they sum to less, the creator silently absorbs the gap. Example: configure 20% + 20% + 10% = 50%. Creator quietly takes the other 50% of all fees. 🟠 HIGH: Chainlink Oracle Has No Staleness Check Reads the latest price answer but never reads the timestamp. A feed that hasn't updated in days still returns a "valid" price. The OraclePrice interface doesn't even have a timestamp field, making it structurally impossible to check downstream. 🟠 HIGH: External Price APIs Trusted Without Cross Validation - DexScreener, Jupiter, and Pyth prices are fetched over HTTPS with zero response integrity checks. Returns the highest confidence source without comparing against other sources. DNS hijack on one API = arbitrary price injection. 🟠 HIGH: Keeper Registration Allows Arbitrary Mint Injection - An authorized caller can set any token mint address for any existing market. The oracle keeper then fetches prices for the WRONG token. No validation that the mint matches the original market. 🟠 HIGH: Solana Account Owner Never Checked fetchSlab() returns raw account data without verifying the owner matches the program ID. Attacker creates a fake account with valid magic bytes + crafted slab data. Any off chain consumer trusts the forged market state. 🟠 HIGH: Pyth Feed ID Parsing Inconsistency One function strips the 0x prefix from hex feed IDs. The sibling function doesn't. Wrong PDA derived = oracle reads fail = potential fallback to stale alternative oracle. 🟠 HIGH: Private Key Stored in localStorage Slab rent keypair secret stored in plaintext localStorage. Any XSS vector = immediate key theft. 🟠 HIGH: Rate Limiter Fails Open If the database has a connectivity blip, the faucet rate gate fails OPEN instead of closed. Trigger DB errors = unlimited minting. 🟠 HIGH: EMA Circuit Breaker Scales Linearly With Time - The price cap grows linearly with the number of slots since last crank. If no crank for a few days, circuit breaker allows 10,000%+ price swings in a single update. Alpha also clamps to 100% for large gaps meaning the EMA completely discards previous price and jumps to the new one. 🟡 MEDIUM: Fee Split Rounding Always Favors Creator LP and protocol shares use floor division. Creator gets the remainder. Even with creator set to 0%, creator receives 1 unit on every odd fee. Over millions of trades this adds up. 🟡 MEDIUM: Stale Oracle Fallback Has No Timestamp Gate When the keeper goes down, code falls back to lastEffectivePriceE6 which could be hours old. UI shows a staleness warning but nothing actually blocks trades at the stale price. 🟡 MEDIUM: Admin Middleware Doesn't Check Admin Users Table Auth middleware exists but doesn't verify against the actual admin users list. Pattern without substance. This was one round of review on a public repo. No manual exploitation, no fuzzing, no formal verification. Just reading the code. Building a perpetual futures protocol that doesn't lose user funds is genuinely hard. We take it seriously because we've seen what happens when you don't. 🫡

Oracle Service Update — March 30 Earlier today our oracle price feeds went stale for approximately 45 minutes. Here's what happened and what we did about it. What happened: A routine code update unintentionally restarted our price oracle service. The safeguards we built overnight (graduated price recovery system) successfully restored about half the oracles automatically. The remaining oracles hit a secondary timeout protection that required manual intervention to reset. Why the safeguards only partially worked: Our recovery system handled price gaps correctly but didn't account for a time based security check that locks oracles after extended downtime. It's a protection against price manipulation, good security, but it blocked our own recovery. What we changed: Oracle service is now isolated from unrelated code updates so this class of accidental restart can't happen again. Recovery system now runs continuously, not just on startup. Identified and resolved the timeout lock interaction. Current status: All oracles operational. Price feeds running normally. No positions were incorrectly liquidated during the downtime. We take uptime seriously. Thank you for your patience while we harden the system. We're getting close to having all the early edge cases locked down. 🫡

A founder asked me why his token launch flopped. 4 months of marketing. $50k in ads. 100k Bots on X. 352 holders on day one. I asked him one question: “How many people were waiting for this before you launched?” He didn’t have an answer. That was the answer. Another founder launched at 20m FDV, now at 70m FDV. He built a product and has 35k DAUs. You can’t buy community with a marketing budget. You can’t fake it on X anymore. You build it in the 2 years before you need it. The founders who crush token launches in this market don’t start marketing at launch. They start 24 months before.