Firstance — pump.fun Automated Vault + Rule Engine (Solana / Anchor program).
- Program ID (mainnet):
FirstJpXgzGf2oBDsEa2eAqez2fKJdAUJi6R7gP7PXbj - The deployed binary carries an on-chain
security.txt(neodyme standard) that mirrors this policy. It is visible in the Solana Explorer Security tab.
Please report suspected vulnerabilities privately — do not open a public issue, disclose publicly, or exploit the finding on mainnet before we respond.
- Email: support@firstdoor.app
- X / Telegram: @Cryptomehis
Include, where possible:
- affected instruction / account / code path,
- a description of the impact (fund loss, freeze, authority bypass, etc.),
- reproduction steps or a proof-of-concept (devnet preferred),
- your assessment of severity.
- We aim to acknowledge your report within 72 hours.
- We will keep you updated on remediation progress.
- We request a 90-day coordinated-disclosure window (or until a fix ships, whichever comes first) before any public write-up.
- With your consent, we will credit you in the release notes / acknowledgements.
In scope
- The
pumpfun-vaultAnchor program (programs/pumpfun-vault/): vault logic, rule engine, oracle parsing, sell/withdraw/sweep/finalize instructions. - The off-chain keeper (
keeper/) where a bug leads to loss or misdirection of on-chain funds.
Out of scope
- Findings that require a compromised upgrade authority or keeper private key.
- Third-party programs (pump.fun / PumpSwap, Pyth, SPL) — report those upstream.
- Market/price movement, MEV, and generic RPC-availability issues.
⚠️ This program is unaudited — a third-party audit is recommended before relying on it with significant value.