Security & Trust
StakePoint is built on trustless infrastructure. All user funds are held in Program Derived Addresses on Solana mainnet — on-chain accounts that have no private keys and cannot be accessed by StakePoint or any third party.
This page documents StakePoint's security design, on-chain disclosures, and best practices for users.
How Your Funds Are Protected
Program Derived Addresses (PDAs)
All locked and staked tokens are held in Program Derived Addresses — on-chain accounts with no private keys. The tokens inside a PDA cannot be accessed by anyone, including StakePoint, outside of the rules defined in the smart contract. Only the original wallet can withdraw tokens after the unlock time.
Squads 3-of-4 Multisig
The upgrade authority for the StakePoint smart contract is controlled by a 3-of-4 Squads multisig with hardware wallet signers. No single person can modify the program unilaterally. Any upgrade requires independent approval from multiple keyholders — protecting all user funds from unilateral changes.
Non-Custodial by Design
StakePoint never holds private keys, never takes custody of user tokens, and never requires KYC. Your wallet is your identity. All token locks and staking positions are owned entirely by the wallet that created them — not by StakePoint.
Verifiable On-Chain Program
The StakePoint smart contract is deployed on Solana mainnet and publicly visible. Anyone can inspect the program ID on Solscan to verify all on-chain activity independently. There is no hidden backend — all logic is executed transparently on-chain.
Security Disclosures
Program ID
gLHaGJsZ6G7AXZxoDL9EsSWkRbKAWhFHi73gVfNXuzK
Upgrade Authority
Squads 3-of-4 multisig with hardware wallet signers
Custody Model
Non-custodial — StakePoint never holds user funds
Admin Override
None — locked tokens cannot be withdrawn before the unlock date by anyone including StakePoint
Private Keys
StakePoint holds no private keys for user wallets or token accounts
KYC Required
No — StakePoint is permissionless. Any Solana wallet can interact without registration
Network
Solana Mainnet
Smart Contract Review
The StakePoint smart contract has undergone a security review. The full report is publicly available.
Smart Contract Architecture
The StakePoint program is written in Rust using the Anchor framework and deployed on Solana mainnet. All locking and staking logic is enforced entirely on-chain with no off-chain dependencies.
Timelock Logic
Each lock record stores the wallet address, token mint, amount, and unlock timestamp. The program enforces that withdrawal is only possible after the unix timestamp has passed and only by the original locking wallet.
PDA Derivation
Token vaults are Program Derived Addresses seeded by the lock record. No private key exists for these accounts — they are controlled exclusively by the program logic.
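The derivation described above, as an added Python example that is not StakePoint's code: it recomputes Solana's program-address hash and shows that the result is deliberately not a valid ed25519 point, which is why no private key can exist for it. The program ID is the one listed on this page; the "vault" seed, the lock-record bytes and all function names are assumptions, so the printed address is not a real StakePoint vault.

```python
import hashlib

P = 2**255 - 19                                # ed25519 field prime
D = (-121665 * pow(121666, P - 2, P)) % P      # ed25519 curve constant d
B58 = "123456789ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz"

def b58decode32(addr):
    """Decode a base58 Solana address into its 32 raw bytes."""
    n = 0
    for ch in addr:
        n = n * 58 + B58.index(ch)
    return n.to_bytes(32, "big")

def is_on_curve(key32):
    """True if the bytes decompress to an ed25519 point (a possible public key)."""
    y = (int.from_bytes(key32, "little") & ((1 << 255) - 1)) % P
    u = (y * y - 1) % P
    v = (D * y * y + 1) % P
    # x^2 = u/v is solvable iff u*v is a quadratic residue (Euler's criterion).
    return pow(u * v % P, (P - 1) // 2, P) in (0, 1)

def pda_candidate(seeds, bump, program_id):
    """Hash Solana uses for a derived address: seeds || bump || program id || marker."""
    data = b"".join(seeds) + bytes([bump]) + program_id + b"ProgramDerivedAddress"
    return hashlib.sha256(data).digest()

def find_program_address(seeds, program_id):
    """Walk bumps 255..0 and return the first candidate that is off the curve."""
    if len(seeds) > 15 or any(len(s) > 32 for s in seeds):
        raise ValueError("at most 15 seeds plus the bump, 32 bytes each")
    for bump in range(255, -1, -1):
        addr = pda_candidate(seeds, bump, program_id)
        if not is_on_curve(addr):
            return addr, bump
    raise ValueError("no off-curve address exists for these seeds")

# Program ID as listed on this page; the seed layout below is hypothetical.
PROGRAM_ID = b58decode32("gLHaGJsZ6G7AXZxoDL9EsSWkRbKAWhFHi73gVfNXuzK")
LOCK_RECORD = bytes(range(32))                 # constructed stand-in for a lock record key
SEEDS = [b"vault", LOCK_RECORD]                # assumed seeds, not StakePoint's real ones

if __name__ == "__main__":
    vault, bump = find_program_address(SEEDS, PROGRAM_ID)
    print("vault (hex):", vault.hex(), "bump:", bump)
```

With the program's actual seed layout substituted for the assumed one, the same function reproduces a vault address that can be compared against the account shown on Solscan.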
Staking Pool Accounts
Each staking pool is a separate on-chain account storing reward configuration, total staked balance, and per-staker position data. Rewards are distributed proportionally based on staked share at the time of distribution.
Upgrade Authority
Program upgrades require approval from 3 of 4 Squads multisig keyholders, each using a hardware wallet. This prevents any single party from modifying the program unilaterally.
What StakePoint Cannot Do
Because all user funds are held in Program Derived Addresses enforced by the smart contract, StakePoint has no ability to perform the following actions — regardless of any circumstances:
Withdraw tokens from a lock before the unlock date
Access or move staked tokens from a staking pool
Override or modify a lock's unlock date after creation
Access user wallet private keys or seed phrases
Freeze or confiscate user token positions
Execute transactions on behalf of a user without their wallet signature
Token Locking & Liquidity Removal Risk
Solana token lockers are commonly used to reduce liquidity removal risk — often referred to as rug pull prevention — by locking LP tokens and team allocations on-chain so they cannot be withdrawn before the unlock date.
When a project locks LP tokens on StakePoint, the underlying liquidity in the trading pair cannot be withdrawn before the unlock date. This is enforced by the smart contract — not by StakePoint as a custodian. Investors can verify the lock independently on Solscan using the token mint address.
Locking tokens does not guarantee the success or legitimacy of a project. It is one transparency mechanism among several that investors should consider when evaluating a Solana token launch.
Security Best Practices for Users
Always verify you are on stakepoint.app before connecting your wallet
StakePoint will never send you a direct message asking for your seed phrase or private key
Bookmark stakepoint.app directly — do not click links from unknown sources
Verify lock details on Solscan using the token mint address before trusting any lock claim
Keep a small amount of SOL in your wallet to cover transaction fees when unlocking
StakePoint support will never ask for your private key or seed phrase under any circumstances
Responsible Disclosure
If you discover a security vulnerability in StakePoint's smart contract or web interface, please report it responsibly before public disclosure. Contact us at:
contact@stakepoint.app
Please include a description of the vulnerability, steps to reproduce, and potential impact. We will respond within 48 hours.
Bug Bounty
We offer recognition and rewards for responsible disclosure of critical vulnerabilities affecting user funds or smart contract integrity. Severity and reward are assessed on a case-by-case basis.