Pump Perps
PumpPerps is safe to use as far as an external review can see: no malicious code, no drainers, no wallet-signing tricks. Your funds are held in a custodial USDC wallet operated by the platform, so your browser wallet never signs anything for the site. One moderate server configuration issue was found; it is fixable, and no path from it to fund theft was demonstrated.
Deductions
TG-001 (medium, -6): Any website can make authenticated requests using a logged-in user's session, which could expose account data and balances to cross-site attackers.
TG-002 (low, -2): Missing security headers increase the attack surface for clickjacking and XSS; no immediate exploit, but it lowers the defense-in-depth posture.
TG-003 (low, -2): Attackers can discover which emails are registered, enabling targeted phishing against PumpPerps users.
Not Scored (Token Metrics)

| Metric | Observed | Why it is not scored |
|---|---|---|
| Mint authority | revoked | Token metric, not a product security finding |
| Freeze authority | revoked | Token metric, not a product security finding |
| Holder concentration | 36.31% held by top 10 | Token market dynamics, not product security |
| Bundle activity | detected | Launch-time trading behavior, not a product vulnerability |
| Deployer history | 1 launch | Token deployment history, not product security |
| Domain age | 2 weeks | Project maturity indicator, not a security vulnerability |
| Team anonymity | pseudonymous | Social/marketing legitimacy, not product security |
Score: 100 - 6 (TG-001, medium, CORS) - 2 (TG-002, low, headers) - 2 (TG-003, low, email enumeration) = 90
Is this a rug?

| Check | Result |
|---|---|
| Mint authority | Revoked: no one can create new tokens; minting is permanently disabled |
| Freeze authority | Revoked: no one can freeze your wallet or lock your tokens |
| Upgrade authority | Not applicable: this is a token, not a program, so there is no upgradeable code on-chain |
| LP status | Token trades on pump.fun's built-in AMM; there is no separate LP to lock |
| Deployer history | Deployer has launched only this one token: clean history, no prior rugs |
| Bundle activity | Coordinated buying detected in the first seconds after launch; common with sniper bots, not necessarily the team |
What we found
Findings at a glance
0 critical, 0 high, 1 medium, 2 low — the medium finding is a server configuration issue that doesn't affect your funds or on-chain assets.
PumpPerps is a perpetual trading platform for pump.fun graduated tokens on Solana, offering up to 10x leverage with a rug-protection mechanism. The platform uses a custodial wallet architecture where users deposit USDC to trade. That design takes the most common attack vector in Solana DeFi, malicious browser wallet signing, out of the picture, at the cost of making the operator the custodian of user funds: account security (sessions, API authentication, TOTP) is now what protects balances, which is why a CORS issue matters on a platform like this.
Our external review found no evidence of drainers, phishing, or malicious code. The frontend loads a single JavaScript bundle from its own domain with no external scripts, no hidden iframes, and no suspicious network activity. All 124 network requests during testing went to first-party or expected CDN domains only. The platform offers TOTP-based two-factor authentication and uses first-party analytics instead of third-party trackers.
We identified one medium-severity configuration issue: the server's CORS policy reflects any origin with credentials enabled, which could allow a malicious website to make authenticated API requests on behalf of logged-in users. This is a common Express misconfiguration and is straightforward to fix. Two low-severity issues were also found — missing security headers (no CSP, X-Frame-Options) and an email enumeration endpoint. None of these findings affect on-chain funds or token security.
On the token side, all authorities (mint, freeze, metadata update) are permanently revoked. The deployer wallet has only launched this one token. Bundle activity was detected at launch (coordinated buying in the first 60 seconds), which is typical sniper bot behavior on pump.fun and not definitively linked to the team. The token has 1,092 holders with moderate concentration (top 10 hold 36.31%). The project has a published whitepaper, documentation, terms of service, and privacy policy. The Twitter account (@pumpperps) shows verified status with organic engagement patterns.
| Scope Item | Status | Notes |
|---|---|---|
| Frontend security (public pages) | complete | Full Playwright scan — homepage, pools, trade, leaderboard, dashboard, feed, docs, links, FAQ, about. All pages rendered and screenshotted. Network requests intercepted. |
| Frontend security (authenticated) | complete | Authenticated via provided magic link token. Dashboard, settings, trade interface tested. API calls monitored. |
| Security headers | complete | Full HTTP header analysis via curl. HSTS, CORS, CSP, X-Frame-Options, X-Content-Type-Options, Referrer-Policy, Permissions-Policy checked. |
| Drainer and phishing detection | complete | JS bundle (1.5MB) fully analyzed for drainer patterns, eval(), dynamic code, external scripts, hidden iframes, clipboard hijacking, wallet signing patterns, and hardcoded secrets. All clean. |
| API security | complete | Probed all discovered API endpoints. CORS tested with foreign origin. Auth bypass tested. Common admin/debug paths checked (all SPA catch-all, no real endpoints). Email enumeration confirmed. |
| Wallet interaction analysis | complete | No signTransaction, signAllTransactions, or signMessage calls found in the frontend bundle. Platform uses custodial wallet model — users deposit USDC to assigned wallet addresses. |
| On-chain token analysis | complete | Mint/freeze/upgrade authority checked. Token metadata verified via IPFS. SPL Token-2022 with metadata extension confirmed. |
| Holder analysis | complete | Full paginated holder scan via Helius getTokenAccounts — 1,092 total holders. Top 20 analyzed via getTokenLargestAccounts. |
| Deployer analysis | complete | Deployer identified via first transaction. pump.fun CREATE history checked — only 1 launch. Current SOL balance: 11.38 SOL. |
| Bundle detection | complete | First 50 transactions analyzed. 8 slots with multi-wallet same-block activity detected. Early coordinated buying confirmed. |
| Domain analysis | complete | WHOIS: pumpperps.com registered 2026-03-19 via Namecheap. 1-year registration. Namecheap DNS. |
| Social and team analysis | complete | Twitter @pumpperps verified — 859 followers, 57 following, joined March 2026. Original branding. Community with 868 members. Whitepaper published. Team is pseudonymous. |
| Legal pages | complete | Terms of Service, Privacy Policy, whitepaper PDF (43KB) all accessible. |
Methodology
This audit was performed using TrenchGuard's AI-assisted review process with human oversight.
LP status: the token trades on pump.fun's native AMM (PUMP_AMM). There is no separate Raydium/Orca LP pool to lock or unlock.
Holder concentration: the top 10 holders control 36.31% of supply across 1,092 total holders. The top holder owns 12.60% (wallet BKuWG1se...K4P6, a regular wallet, not an LP or burn address). Distribution is moderate for a pump.fun token of this age.
Bundle activity: coordinated buying was detected in slots 409558495-409558521 (27 slots, roughly the first 10 to 12 seconds at Solana's ~400 ms slot time, well inside the 60-second launch window examined). Slot 409558495: 3 wallets bought 30M-39M tokens each in the same block. Slot 409558496: 10 wallets in the same block, including wallets sharing a Luitx prefix, which suggests one operator generating vanity addresses. This is typical sniper/bot behavior on pump.fun launches and is not definitively linked to deployer wallet Hd2x1b...o24F.
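The slot-grouping check described above, written out as an added example (not TrenchGuard's own detector): it orders the earliest buys by slot, keeps those inside a launch window derived from Solana's slot time, flags any slot where several distinct wallets land in the same block, and then looks for shared address prefixes among the flagged wallets. The transactions below are constructed (fake slot numbers, fake wallet strings), and the thresholds are assumptions.

```javascript
// Added example, not TrenchGuard code. Constructed sample buys: fake slots, fake wallets.
const SAMPLE_BUYS = [
  { slot: 1000, wallet: 'Gk2pRt7a1', tokens: 30_000_000 },
  { slot: 1000, wallet: 'Hq9mLw3b2', tokens: 35_000_000 },
  { slot: 1000, wallet: 'Jd4nVx8c3', tokens: 39_000_000 },
  { slot: 1001, wallet: 'Zq7aaK1d4', tokens: 12_000_000 },
  { slot: 1001, wallet: 'Zq7aaM2e5', tokens: 11_500_000 },
  { slot: 1001, wallet: 'Zq7aaP3f6', tokens: 12_200_000 },
  { slot: 1001, wallet: 'Tr5sBn6g7', tokens: 4_000_000 },
  { slot: 1003, wallet: 'Wm8cQd2h8', tokens: 2_000_000 },
  { slot: 1007, wallet: 'Gk2pRt7a1', tokens: 1_000_000 }, // same wallet twice in one slot
  { slot: 1007, wallet: 'Gk2pRt7a1', tokens: 900_000 },   // is one buyer, not a bundle
  { slot: 1400, wallet: 'Vb3kHs5j9', tokens: 500_000 },   // outside the launch window
];

const SLOT_MS = 400; // Solana's target slot time

// Thresholds (assumed): 3+ distinct wallets in one slot, 60 s window, first 50 txs.
function detectBundles(buys, { minWalletsPerSlot = 3, windowSeconds = 60, maxTxs = 50 } = {}) {
  const ordered = [...buys].sort((a, b) => a.slot - b.slot).slice(0, maxTxs);
  if (ordered.length === 0) return { analyzed: 0, flaggedSlots: [], flaggedTokens: 0, prefixClusters: [] };
  const firstSlot = ordered[0].slot;
  const lastSlot = firstSlot + Math.floor((windowSeconds * 1000) / SLOT_MS);

  // Distinct wallets per slot: a wallet buying twice in a block counts once.
  const perSlot = new Map();
  for (const b of ordered) {
    if (b.slot > lastSlot) break;
    if (!perSlot.has(b.slot)) perSlot.set(b.slot, { slot: b.slot, wallets: new Set(), tokens: 0 });
    const s = perSlot.get(b.slot);
    s.wallets.add(b.wallet);
    s.tokens += b.tokens;
  }

  const flaggedSlots = [...perSlot.values()]
    .filter((s) => s.wallets.size >= minWalletsPerSlot)
    .map((s) => ({ slot: s.slot, wallets: [...s.wallets], tokens: s.tokens }));
  const flaggedTokens = flaggedSlots.reduce((n, s) => n + s.tokens, 0);
  const prefixClusters = sharedPrefixClusters(flaggedSlots.flatMap((s) => s.wallets));
  return { analyzed: ordered.length, flaggedSlots, flaggedTokens, prefixClusters };
}

// Wallets whose first `prefixLen` characters match; vanity-address batches from one
// operator tend to share a prefix, which is the "Luitx" observation above.
function sharedPrefixClusters(wallets, prefixLen = 5) {
  const groups = new Map();
  for (const w of new Set(wallets)) {
    const key = w.slice(0, prefixLen);
    if (!groups.has(key)) groups.set(key, []);
    groups.get(key).push(w);
  }
  return [...groups.values()].filter((g) => g.length >= 2);
}
```

A flagged slot is evidence of coordination, not of who coordinated it; tying the buyers to the deployer needs funding-source tracing, which this check does not attempt.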
| ID | Severity | Title |
|---|---|---|
| TG-001 | medium | CORS Misconfiguration — Wildcard Origin Reflection with Credentials |
| TG-002 | low | Missing Security Headers |
| TG-003 | low | Email Enumeration via Authentication Endpoint |
| TG-004 | info | No Drainer, Phishing, or Malicious Patterns Detected |
| TG-005 | info | HSTS Properly Configured |
| TG-006 | info | Custodial Wallet Architecture Eliminates Browser Drain Risk |
| TG-007 | info | Two-Factor Authentication (TOTP) Available |
| TG-008 | info | First-Party Analytics Only — No Third-Party Tracking |
| TG-009 | info | Documentation, Whitepaper, and Legal Pages Published |
CORS Misconfiguration — Wildcard Origin Reflection with Credentials
Description
The server reflects any Origin header value in the Access-Control-Allow-Origin response header while also setting Access-Control-Allow-Credentials: true. Any website can therefore make credentialed cross-origin requests to PumpPerps API endpoints and, if the browser attaches the victim's session cookie, read the responses: a malicious page could silently pull account data (/api/auth/me, /api/stats) and balance information, or trigger state-changing actions. Verified by sending Origin: https://evil.com; the server responded with access-control-allow-origin: https://evil.com and access-control-allow-credentials: true. One caveat on exploitability: a browser attaches the cookie to a cross-site request only if it is marked SameSite=None (a Lax or Strict cookie is withheld from cross-site fetches), and this report does not record the session cookie's attributes, so the finding is rated on the server-side misconfiguration and should be treated as exploitable until the cookie is confirmed to be Lax or Strict.
Location
HTTP response headers on all /api/* endpoints.

```
# Request
curl -H "Origin: https://evil.com" https://pumpperps.com/api/stats

# Response headers
access-control-allow-credentials: true
access-control-allow-origin: https://evil.com
```
Remediation
Configure CORS to allow only specific trusted origins. Replace reflection with an explicit, exact-match allowlist (for example ['https://pumpperps.com'] plus any www or app subdomain the frontend is actually served from). In Express, pass that list, or a function that checks it, as the cors middleware's origin option; never combine origin: true with credentials: true, which is exactly the reflection observed here. Send Vary: Origin on every response so a cache does not replay one origin's Access-Control-Allow-Origin to another, and answer unknown origins with no header at all rather than an error. A literal * is not a fix either: browsers refuse credentialed responses that carry *, which is precisely why reflection, not *, is the dangerous variant.
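The reflection pattern beside its exact-match replacement, as an added example rather than PumpPerps code. The hostnames, the second allowed origin and the probe list are assumptions; `corsOriginOption` has the `(origin, callback)` shape the cors npm package documents for a function-valued `origin` option.

```javascript
// Added example, not PumpPerps code. Allowed origins are assumed.
const ALLOWED_ORIGINS = new Set(['https://pumpperps.com', 'https://www.pumpperps.com']);

// Vulnerable: echo whatever Origin arrived and also allow credentials. This is what
// cors({ origin: true, credentials: true }) emits. It is worse than a literal '*' because
// browsers reject credentialed responses carrying '*' but accept a reflected origin.
function vulnerableCorsHeaders(requestOrigin) {
  if (!requestOrigin) return {};
  return {
    'access-control-allow-origin': requestOrigin,
    'access-control-allow-credentials': 'true',
  };
}

// Hardened: only exact allowlist members get ACAO; everyone else gets no ACAO header, so
// the browser blocks script access to the response. Vary: Origin goes out on every path
// so a shared cache never serves one origin's ACAO to another.
function hardenedCorsHeaders(requestOrigin) {
  const headers = { vary: 'Origin' };
  if (requestOrigin && ALLOWED_ORIGINS.has(requestOrigin)) {
    headers['access-control-allow-origin'] = requestOrigin;
    headers['access-control-allow-credentials'] = 'true';
  }
  return headers;
}

// Drop-in value for the cors package's `origin` option: callback(err, allow).
// A request with no Origin header (same-origin navigation, curl) is not a CORS request and
// needs no ACAO, so it is answered with allow=false rather than rejected.
// Usage: app.use(cors({ origin: corsOriginOption, credentials: true }))
function corsOriginOption(origin, callback) {
  callback(null, Boolean(origin) && ALLOWED_ORIGINS.has(origin));
}

// Constructed probe values (not observed traffic) that a sloppy check built on
// startsWith, includes, or an unanchored regex would let through.
const PROBES = [
  'https://evil.com',
  'https://pumpperps.com.evil.com', // prefix match
  'https://evilpumpperps.com',      // suffix match
  'http://pumpperps.com',           // scheme downgrade
  'null',                           // sandboxed iframe or file:// origin
];

// The ACAO value each probe receives from a header builder (null when absent).
function probeOrigins(buildHeaders) {
  return PROBES.map((o) => buildHeaders(o)['access-control-allow-origin'] ?? null);
}
```

Run `probeOrigins` against a candidate implementation before deploying it: every entry should come back null. The `'null'` probe matters because an attacker page in a sandboxed iframe sends that literal string as its origin, and an allowlist that is compared case-insensitively or via substring will sometimes admit it.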
Missing Security Headers
Description
Several recommended security headers are absent from HTTP responses: (1) No Content-Security-Policy — increases XSS risk if any injection point is found. (2) No X-Frame-Options — the site can be embedded in iframes on other domains, enabling clickjacking attacks. (3) No X-Content-Type-Options — browsers may MIME-sniff responses. (4) No Referrer-Policy — full URLs may leak in referrer headers. (5) No Permissions-Policy — browser features (camera, microphone, geolocation) not explicitly restricted. (6) X-Powered-By: Express is present, disclosing the backend framework.
Location
HTTP response headers (site-wide).

```
# Present (good)
strict-transport-security: max-age=63072000; includeSubDomains

# Missing
Content-Security-Policy: (not set)
X-Frame-Options: (not set)
X-Content-Type-Options: (not set)
Referrer-Policy: (not set)
Permissions-Policy: (not set)

# Should be removed
X-Powered-By: Express
```
Remediation
Add security headers via Express middleware (helmet.js is recommended and sets most of these by default). At minimum: X-Frame-Options: DENY, X-Content-Type-Options: nosniff, Referrer-Policy: strict-origin-when-cross-origin. Remove X-Powered-By with app.disable('x-powered-by'). Add a Content-Security-Policy appropriate for the SPA; since the bundle is first-party and the only external hosts observed are Google Fonts and cdn.dexscreener.com, a strict policy is feasible. Its frame-ancestors directive is the modern replacement for X-Frame-Options, so set both. Roll the CSP out as Content-Security-Policy-Report-Only first to catch any inline styles or scripts the bundler emits before enforcing it.
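A middleware that emits the missing headers, with a CSP derived from the hosts this report actually saw the frontend contact (TG-004), as an added example rather than PumpPerps code. The `'unsafe-inline'` style allowance and the report-only rollout switch are assumptions about what a bundled SPA usually needs; the response double at the end exists only so the middleware can be exercised without a server.

```javascript
// Added example, not PumpPerps code. Hosts come from the network observations in TG-004.
const FRONTEND_HOSTS = {
  style: ['https://fonts.googleapis.com'],
  font: ['https://fonts.gstatic.com'],
  img: ['https://cdn.dexscreener.com'],
};

function buildCsp(hosts, { allowInlineStyles = true } = {}) {
  const directives = {
    'default-src': ["'self'"],
    'script-src': ["'self'"],                 // one first-party bundle, no external scripts
    'style-src': ["'self'", ...hosts.style, ...(allowInlineStyles ? ["'unsafe-inline'"] : [])],
    'font-src': ["'self'", ...hosts.font],
    'img-src': ["'self'", 'data:', ...hosts.img],
    'connect-src': ["'self'"],                // /api/* and the analytics heartbeat are first-party
    'frame-ancestors': ["'none'"],            // modern replacement for X-Frame-Options: DENY
    'base-uri': ["'self'"],
    'form-action': ["'self'"],
    'object-src': ["'none'"],
  };
  return Object.entries(directives).map(([k, v]) => `${k} ${v.join(' ')}`).join('; ');
}

// Express-style middleware factory. Start with reportOnly: true and a report endpoint,
// watch for violations, then flip to enforcing.
function securityHeaders({ reportOnly = true, reportUri = null } = {}) {
  let csp = buildCsp(FRONTEND_HOSTS);
  if (reportUri) csp += `; report-uri ${reportUri}`;
  const cspHeader = reportOnly ? 'Content-Security-Policy-Report-Only' : 'Content-Security-Policy';
  return function (req, res, next) {
    res.removeHeader('X-Powered-By');          // or app.disable('x-powered-by') at setup
    res.setHeader(cspHeader, csp);
    res.setHeader('X-Frame-Options', 'DENY');  // kept for browsers that ignore frame-ancestors
    res.setHeader('X-Content-Type-Options', 'nosniff');
    res.setHeader('Referrer-Policy', 'strict-origin-when-cross-origin');
    res.setHeader('Permissions-Policy', 'camera=(), microphone=(), geolocation=()');
    next();
  };
}

// Minimal response double so the middleware can run without an HTTP server.
function fakeResponse(initial = {}) {
  const headers = { ...initial };
  return {
    headers,
    setHeader: (k, v) => { headers[k] = v; },
    removeHeader: (k) => { delete headers[k]; },
  };
}

// Runs the middleware once over a response that starts with X-Powered-By set, the way
// Express does by default, and returns the resulting header map (null if next() never ran).
function headersAfterMiddleware(opts) {
  const res = fakeResponse({ 'X-Powered-By': 'Express' });
  let nextCalled = false;
  securityHeaders(opts)({}, res, () => { nextCalled = true; });
  return nextCalled ? res.headers : null;
}
```

Wire it up with `app.use(securityHeaders({ reportOnly: true, reportUri: '/api/csp-report' }))` ahead of the static and API routes; `helmet()` can replace everything except the site-specific CSP hosts.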
Email Enumeration via Authentication Endpoint
Description
The /api/auth/check-email endpoint returns different responses depending on whether an email address is registered ({exists: true} vs {exists: false}). This allows an attacker to enumerate valid user email addresses for targeted phishing, credential stuffing, or social engineering against PumpPerps users. The same response also discloses hasTotpEnabled, so an attacker can sort the enumerated accounts into those protected by 2FA and those that are not, and concentrate on the latter.
Location
POST /api/auth/check-email

```
# Unregistered email
POST /api/auth/check-email {"email":"test@test.com"}
Response: {"exists":false,"hasTotpEnabled":false}

# Registered email
POST /api/auth/check-email {"email":"[REDACTED]"}
Response: {"exists":true,"hasTotpEnabled":false}
```
Remediation
Return a generic response regardless of whether the email exists. For example, always return {success: true, message: 'If this email is registered, a login link has been sent.'} and hand the magic link to a background job so that the response body, status, and timing are the same on both paths. Do not return hasTotpEnabled before the user has authenticated; decide whether a TOTP step is required only after the magic link is redeemed. Rate-limit the endpoint per address and per client as well, since a uniform response alone does not stop bulk probing. This prevents enumeration while maintaining UX.
No Drainer, Phishing, or Malicious Patterns Detected
Comprehensive analysis of the frontend JavaScript bundle (1.5MB) and all network activity found no evidence of malicious behavior. Specifically verified: no eval() or dynamic code execution, no external script loading, no hidden iframes, no drainer contract interactions, no setApprovalForAll patterns, no clipboard hijacking (all clipboard usage is standard copy-to-clipboard UX), no data exfiltration to third-party domains. All 124 network requests during testing went exclusively to pumpperps.com, fonts.googleapis.com, fonts.gstatic.com, and cdn.dexscreener.com (for token images). First-party analytics only (custom heartbeat system).
HSTS Properly Configured
HTTP Strict Transport Security is set with a 2-year max-age and includeSubDomains, so a browser that has seen the header once refuses plaintext connections to the domain and its subdomains from then on. The header does not carry the preload directive, so the very first visit from a fresh browser still goes out over whatever scheme the user typed unless the domain is added to the browser HSTS preload list.
Custodial Wallet Architecture Eliminates Browser Drain Risk
PumpPerps uses a custodial wallet model where users deposit USDC to an assigned Solana wallet address. Trading happens off-chain within the platform. No signTransaction, signAllTransactions, or signMessage calls were found in the frontend bundle, and users' external wallets are never connected to the platform for transaction signing. This takes the most common attack vector in Solana DeFi, malicious transaction signing from a browser wallet, off the table. The risk does not disappear, it moves: the platform holds the private keys for every deposit wallet, so its key management, withdrawal controls, and account-level protections (session handling, the CORS policy in TG-001, TOTP) are what stand between an attacker and user balances, and the first two cannot be assessed from an external review.
Two-Factor Authentication (TOTP) Available
The platform offers opt-in TOTP-based two-factor authentication in the Settings page. Users can set it up with an authenticator app; the setup flow uses standard QR code provisioning with manual secret backup. This is a strong control for a custodial trading platform, though it protects only the accounts that enable it; requiring a TOTP code for withdrawals would extend it to everyone.
First-Party Analytics Only — No Third-Party Tracking
The platform uses a custom first-party analytics system (heartbeat-based page tracking to /api/analytics/heartbeat) instead of third-party analytics services. No Google Analytics, no Meta Pixel, no tracking cookies from external domains. Session IDs are generated client-side using crypto.randomUUID() and stored in sessionStorage (cleared on tab close). This is a privacy-positive design choice.
Documentation, Whitepaper, and Legal Pages Published
The project has published comprehensive documentation including: a whitepaper and roadmap (PDF, 43KB), a docs section covering trading mechanics (long/short, pool tiers, fees, rug protection), Terms of Service, and Privacy Policy. The documentation explains the platform's mechanics transparently including fee structures, leverage limits, and rug protection mechanisms.
Opcode scores reflect product and code security only. Token market metrics (holder distribution, bundle activity, LP status, deployer history) are shown as informational context but do not impact the score.
This ensures that a well-built product with a messy token launch is scored fairly on its engineering merits, and a poorly-built product with a perfect token distribution is scored on its actual security gaps.
Standard Deductions
Fixed findings: no deduction. Partially fixed findings: half the deduction. Info findings carry no deduction; they document positive confirmations.
Disclaimer
This audit was performed by Opcode using AI-assisted review with human oversight. While we strive for thoroughness, no audit can guarantee the complete absence of vulnerabilities. This report is not financial or legal advice. Users should perform their own due diligence. © 2026 Opcode — opcode.run