SolScore

Security

SolScore handles real transactions with real money. We treat every line of code like it's protecting yours.

How It Works

1
Connect
2
Scan
3
Choose
4
Sign
5
Reclaim

We never touch your keys. You sign everything yourself.

Security Layers

Transaction Integrity

  • Instruction-level verification before and after on-chain submission
  • Cryptographic signature validation with ownership proof
  • Atomic writes with deduplication — no double-counting, no race conditions
  • Fees computed from verified on-chain data, never client claims

Non-Custodial by Design

  • Zero access to private keys — you sign everything yourself
  • Treasury address hardcoded and validated at startup
  • Fee structure visible before every transaction
  • SOL moves directly from your accounts to your wallet

Rate Limiting & Abuse Prevention

  • Distributed rate limiting across all endpoints with fail-closed behavior
  • Per-wallet and per-IP throttling on sensitive operations
  • Cumulative fee tracking prevents free-tier manipulation
  • Input validation, deduplication, and sanitization on every request

AI Containment

  • Locked personality with prompt injection defenses
  • Role injection blocked — only user and assistant messages accepted
  • User context sourced from database, not client-supplied values
  • Token and message limits enforced per conversation

Infrastructure Hardening

  • HSTS with preloading, CSP, clickjacking and MIME protection
  • CSRF validation on all state-changing endpoints
  • RPC concurrency controls prevent cascade failures
  • Timing-safe secret comparison on authentication endpoints

Defense in Depth

  • Every security control has at least one independent backup layer
  • On-chain verification cross-checks pre-submit analysis
  • Database operations fail closed — never optimistic on money flows
  • Wallet addresses stripped from logs to prevent correlation
Audited with FORTRESS

Hardened by the same framework we open-sourced.

FORTRESS is an adversarial security audit framework built by SolScore's developer and released free for the Claude Code community. SolScore has been through it — six+ rounds, every finding required a reproducible exploit, every fix verified before shipping.

446

Attack personas

25

Adversarial squads

9

Audit phases

Every finding mapped to

CWECVSS 4.0OWASP WebOWASP LLMOWASP AgenticNIST 800-53NIST SSDFDISA STIGMITRE ATT&CKMITRE ATLAS

Proof-of-exploit, not theory

Every finding requires exact file/line citation and a reproducible attack vector. Hand-waving doesn't ship.

Propose-and-approve, never auto-fix

FORTRESS surfaces fixes for human approval before any code changes. The developer stays in control.

See the rest of ClaudeSuiteclaude-fortress on GitHub

Security isn't a feature — it's the foundation. Every commit is audited. Every finding requires proof. Every fix is verified.