Audit Reports
Published Reports
Every audit we complete is published here for full transparency.
trade.fun
Trade.fun is a memecoin trading terminal in the same niche as BullX and Photon — built for speed, with one-click trades and quick send flows by design. The on-chain side is solid: most of the team's supply is locked in 3–4 year Streamflow vests, mint and freeze authorities are revoked, and wallets are non-custodial via Turnkey, a regulated key-management provider. The product itself is mostly clean, with a few defense-in-depth gaps the team should close (session tokens in browser storage, missing CSP header). Safe to use for the trader audience it was built for, and a real on-chain commitment from the team behind it.
Dr. Fraudsworth's Finance Factory
Dr. Fraudsworth's Finance Factory has well-engineered smart contracts with formal verification, but three medium issues — a source-to-binary treasury mismatch, a mutable transfer hook whitelist, and a CSP weakness — prevent a clean PASS. No funds are at risk today, but the build process gaps and mutable whitelist deserve attention.
Pump Perps
PumpPerps is safe to use. No malicious code, no drainers, no wallet-signing tricks. Your funds stay in a custodial USDC wallet you control. One moderate server configuration issue found — fixable, not exploitable for fund theft.
Neuro AI
Neuro is safe to use. No malicious code, no drainers, no hidden wallet interactions. Your keys and funds stay under your control.
PERK.FUND
PERK is a technically solid perpetual futures protocol with real formal verification (Kani proofs), but it actively misrepresents its audit history. The README claims 'OtterSec verified', and the repo contains 53 files named after real firms (Pashov, Apex) — but every file is AI-generated. No real third-party security audits exist. The code has no critical bugs, but fabricating audit provenance is a serious trust violation.
Swarms AI
Swarms is a real, active AI infrastructure project with a doxxed founder and clean token — but the framework has a high-severity bug where your AI provider API key can be sent to Swarms servers if you turn on their optional telemetry feature, plus the official docs contain a dangerous example that posts a Solana private key to a third-party API.
Percolator Launch
Percolator Launch has impressive engineering with formal verification and 134K lines of code, but critical smart contract bugs in the staking layer and an unsafe_close drain capability need to be fixed before mainnet deployment.