Pump Perps
Executive Summary
PumpPerps is a perpetual trading platform for pump.fun graduated tokens on Solana, offering up to 10x leverage with a rug-protection mechanism. The platform uses a custodial wallet architecture where users deposit USDC to trade — a design choice that fundamentally eliminates the most common attack vector in Solana DeFi (malicious browser wallet signing).
Our external review found no evidence of drainers, phishing, or malicious code. The frontend loads a single JavaScript bundle from its own domain with no external scripts, no hidden iframes, and no suspicious network activity. All 124 network requests during testing went to first-party or expected CDN domains only. The platform offers TOTP-based two-factor authentication and uses first-party analytics instead of third-party trackers.
We identified one medium-severity configuration issue: the server's CORS policy reflects any origin with credentials enabled, which could allow a malicious website to make authenticated API requests on behalf of logged-in users. This is a common Express misconfiguration and is straightforward to fix. Two low-severity issues were also found — missing security headers (no CSP, X-Frame-Options) and an email enumeration endpoint. None of these findings affect on-chain funds or token security.
On the token side, all authorities (mint, freeze, metadata update) are permanently revoked. The deployer wallet has only launched this one token. Bundle activity was detected at launch (coordinated buying in the first 60 seconds), which is typical sniper bot behavior on pump.fun and not definitively linked to the team. The token has 1,092 holders with moderate concentration (top 10 hold 36.31%). The project has a published whitepaper, documentation, terms of service, and privacy policy. The Twitter account (@pumpperps) shows verified status with organic engagement patterns.
Rug Risk Assessment
Audit Scope
| Scope Item | Status | Notes |
|---|---|---|
| Frontend security (public pages) | complete | Full Playwright scan — homepage, pools, trade, leaderboard, dashboard, feed, docs, links, FAQ, about. All pages rendered and screenshotted. Network requests intercepted. |
| Frontend security (authenticated) | complete | Authenticated via provided magic link token. Dashboard, settings, trade interface tested. API calls monitored. |
| Security headers | complete | Full HTTP header analysis via curl. HSTS, CORS, CSP, X-Frame-Options, X-Content-Type-Options, Referrer-Policy, Permissions-Policy checked. |
| Drainer and phishing detection | complete | JS bundle (1.5MB) fully analyzed for drainer patterns, eval(), dynamic code, external scripts, hidden iframes, clipboard hijacking, wallet signing patterns, and hardcoded secrets. All clean. |
| API security | complete | Probed all discovered API endpoints. CORS tested with foreign origin. Auth bypass tested. Common admin/debug paths checked (all SPA catch-all, no real endpoints). Email enumeration confirmed. |
| Wallet interaction analysis | complete | No signTransaction, signAllTransactions, or signMessage calls found in the frontend bundle. Platform uses custodial wallet model — users deposit USDC to assigned wallet addresses. |
| On-chain token analysis | complete | Mint/freeze/upgrade authority checked. Token metadata verified via IPFS. SPL Token-2022 with metadata extension confirmed. |
| Holder analysis | complete | Full paginated holder scan via Helius getTokenAccounts — 1,092 total holders. Top 20 analyzed via getTokenLargestAccounts. |
| Deployer analysis | complete | Deployer identified via first transaction. pump.fun CREATE history checked — only 1 launch. Current SOL balance: 11.38 SOL. |
| Bundle detection | complete | First 50 transactions analyzed. 8 slots with multi-wallet same-block activity detected. Early coordinated buying confirmed. |
| Domain analysis | complete | WHOIS: pumpperps.com registered 2026-03-19 via Namecheap. 1-year registration. Namecheap DNS. |
| Social and team analysis | complete | Twitter @pumpperps verified — 859 followers, 57 following, joined March 2026. Original branding. Community with 868 members. Whitepaper published. Team is pseudonymous. |
| Legal pages | complete | Terms of Service, Privacy Policy, whitepaper PDF (43KB) all accessible. |
Findings (9)
| ID | Severity | Title |
|---|---|---|
| TG-001 | medium | CORS Misconfiguration — Wildcard Origin Reflection with Credentials |
| TG-002 | low | Missing Security Headers |
| TG-003 | low | Email Enumeration via Authentication Endpoint |
| TG-004 | info | No Drainer, Phishing, or Malicious Patterns Detected |
| TG-005 | info | HSTS Properly Configured |
| TG-006 | info | Custodial Wallet Architecture Eliminates Browser Drain Risk |
| TG-007 | info | Two-Factor Authentication (TOTP) Available |
| TG-008 | info | First-Party Analytics Only — No Third-Party Tracking |
| TG-009 | info | Documentation, Whitepaper, and Legal Pages Published |
TG-001 (medium): CORS Misconfiguration — Wildcard Origin Reflection with Credentials
The server reflects any Origin header value in the Access-Control-Allow-Origin response header while also setting Access-Control-Allow-Credentials: true. This means any website on the internet can make authenticated cross-origin requests to PumpPerps API endpoints using the victim's session cookies. An attacker could create a malicious page that silently reads the victim's account data (/api/auth/me, /api/stats), balance information, or potentially triggers state-changing actions. Verified by sending Origin: https://evil.com — the server responded with access-control-allow-origin: https://evil.com and access-control-allow-credentials: true.
Location: HTTP response headers on all /api/* endpoints
```text
# Request
curl -H "Origin: https://evil.com" https://pumpperps.com/api/stats

# Response headers
access-control-allow-credentials: true
access-control-allow-origin: https://evil.com
```
Remediation: Configure CORS to only allow specific trusted origins. Replace wildcard reflection with an explicit allowlist: ['https://pumpperps.com']. In Express, use the cors middleware with a strict origin option rather than reflecting the request origin.
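The origin decision behind TG-001, as an added example that is not PumpPerps code: reflectAnyOrigin() models the observed behaviour, allowlistedOrigin() is the exact-match form the remediation describes. The allowlist value and the cors middleware wiring in the trailing comment are assumptions.

```javascript
// Added example, not from the audited project. Models the CORS origin
// decision only; no framework is required to run it.
const TRUSTED_ORIGINS = ["https://pumpperps.com"]; // assumed allowlist

// Observed (vulnerable) behaviour: whatever Origin the request carries is
// echoed back together with allow-credentials. Browsers refuse "*" with
// credentials, which is why servers end up reflecting the origin instead.
function reflectAnyOrigin(requestOrigin) {
  if (!requestOrigin) return {};
  return {
    "access-control-allow-origin": requestOrigin,
    "access-control-allow-credentials": "true",
  };
}

// Hardened form: strict string equality against a fixed list. No prefix,
// suffix or regex matching, so "https://pumpperps.com.evil.com" is rejected.
// A non-matching Origin gets no CORS headers at all, and Vary: Origin tells
// caches the response depends on the requesting origin.
function allowlistedOrigin(requestOrigin, allowlist = TRUSTED_ORIGINS) {
  if (!requestOrigin || !allowlist.includes(requestOrigin)) return {};
  return {
    "access-control-allow-origin": requestOrigin,
    "access-control-allow-credentials": "true",
    vary: "Origin",
  };
}

// Equivalent wiring with the `cors` npm package (assumed, not executed here).
// Passing an array of strings makes the package do the same exact match:
//   app.use(cors({ origin: TRUSTED_ORIGINS, credentials: true }));
```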
TG-002 (low): Missing Security Headers
Several recommended security headers are absent from HTTP responses: (1) No Content-Security-Policy — increases XSS risk if any injection point is found. (2) No X-Frame-Options — the site can be embedded in iframes on other domains, enabling clickjacking attacks. (3) No X-Content-Type-Options — browsers may MIME-sniff responses. (4) No Referrer-Policy — full URLs may leak in referrer headers. (5) No Permissions-Policy — browser features (camera, microphone, geolocation) are not explicitly restricted. (6) X-Powered-By: Express is present, disclosing the backend framework.
Location: HTTP response headers
```text
# Present (good)
strict-transport-security: max-age=63072000; includeSubDomains

# Missing
Content-Security-Policy: (not set)
X-Frame-Options: (not set)
X-Content-Type-Options: (not set)
Referrer-Policy: (not set)
Permissions-Policy: (not set)

# Should be removed
X-Powered-By: Express
```
Remediation: Add security headers via Express middleware (helmet.js is recommended). At minimum: X-Frame-Options: DENY, X-Content-Type-Options: nosniff, Referrer-Policy: strict-origin-when-cross-origin. Remove X-Powered-By with app.disable('x-powered-by'). Add a Content-Security-Policy appropriate for the SPA.
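A check that reproduces the TG-002 and TG-005 header findings from a raw response header block, as curl prints it. This is an added example, not tooling from the report; the sample response is constructed from the header values the report lists, not a captured server reply.

```javascript
// Added example: audit a raw HTTP response header block for the headers
// this report checks. Not the report's own tooling.
const REQUIRED_HEADERS = [
  "content-security-policy",
  "x-frame-options",
  "x-content-type-options",
  "referrer-policy",
  "permissions-policy",
];
const ONE_YEAR_SECONDS = 365 * 24 * 60 * 60;

// Header names are case-insensitive, so normalise to lowercase.
function parseHeaders(raw) {
  const out = {};
  for (const line of raw.split(/\r?\n/)) {
    const idx = line.indexOf(":");
    if (idx <= 0) continue; // skips the status line and blank lines
    out[line.slice(0, idx).trim().toLowerCase()] = line.slice(idx + 1).trim();
  }
  return out;
}

// Returns the list of findings plus whether HSTS meets a one-year minimum
// with includeSubDomains, which is what TG-005 credits.
function auditHeaders(raw) {
  const h = parseHeaders(raw);
  const findings = [];
  for (const name of REQUIRED_HEADERS) {
    if (!(name in h)) findings.push(`missing ${name}`);
  }
  if ("x-powered-by" in h) findings.push(`discloses x-powered-by: ${h["x-powered-by"]}`);
  const hsts = h["strict-transport-security"] || "";
  const m = /max-age=(\d+)/i.exec(hsts);
  const hstsOk = !!m && Number(m[1]) >= ONE_YEAR_SECONDS && /includesubdomains/i.test(hsts);
  if (!hstsOk) findings.push("weak or missing strict-transport-security");
  return { hstsOk, findings };
}

// Constructed sample modelled on the values in this report.
const SAMPLE_RESPONSE = [
  "HTTP/2 200",
  "content-type: application/json; charset=utf-8",
  "strict-transport-security: max-age=63072000; includeSubDomains",
  "x-powered-by: Express",
  "",
].join("\n");
```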
TG-003 (low): Email Enumeration via Authentication Endpoint
The /api/auth/check-email endpoint returns different responses based on whether an email address is registered ({exists: true} vs {exists: false}). This allows an attacker to enumerate valid user email addresses, which can be used for targeted phishing campaigns, credential stuffing, or social engineering against PumpPerps users.
Location: POST /api/auth/check-email
```text
# Unregistered email
POST /api/auth/check-email {"email":"test@test.com"}
Response: {"exists":false,"hasTotpEnabled":false}

# Registered email
POST /api/auth/check-email {"email":"[REDACTED]"}
Response: {"exists":true,"hasTotpEnabled":false}
```
Remediation: Return a generic response regardless of whether the email exists. For example, always return {success: true, message: 'If this email is registered, a login link has been sent.'} and send the magic link in the background. This prevents enumeration while maintaining UX.
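The check-email handler behaviour behind TG-003 next to the enumeration-safe version from the remediation, as an added example that is not PumpPerps code. The user store, sendMagicLink() and the example address are constructed stand-ins.

```javascript
// Added example, not from the audited project. Handler logic only; no
// HTTP framework needed to run it.
const USERS = new Map([["alice@example.com", { totpEnabled: false }]]); // constructed
const outbox = []; // records what sendMagicLink() would have queued for delivery

// Stand-in for the real mailer. Delivery must be queued, not awaited inline:
// a synchronous send would reintroduce the leak as a response-time difference.
function sendMagicLink(email) {
  outbox.push(email);
}

// Observed (vulnerable) behaviour: the body tells the caller whether the
// address is registered, and additionally whether that account has TOTP.
function checkEmailVulnerable(email) {
  const user = USERS.get(email);
  return user
    ? { exists: true, hasTotpEnabled: user.totpEnabled }
    : { exists: false, hasTotpEnabled: false };
}

// Hardened: the same body for both cases. Whether a link is actually sent
// is decided server-side and never surfaces in the response. The TOTP
// state is only relevant once the user follows the link, so it is not
// returned here either.
function checkEmailSafe(email) {
  if (USERS.has(email)) sendMagicLink(email);
  return {
    success: true,
    message: "If this email is registered, a login link has been sent.",
  };
}

// Two responses are indistinguishable to a caller if their serialised
// bodies are byte-for-byte identical.
function sameResponse(a, b) {
  return JSON.stringify(a) === JSON.stringify(b);
}
```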
TG-004 (info): No Drainer, Phishing, or Malicious Patterns Detected
Comprehensive analysis of the frontend JavaScript bundle (1.5MB) and all network activity found no evidence of malicious behavior. Specifically verified: no eval() or dynamic code execution, no external script loading, no hidden iframes, no drainer contract interactions, no setApprovalForAll patterns, no clipboard hijacking (all clipboard usage is standard copy-to-clipboard UX), no data exfiltration to third-party domains. All 124 network requests during testing went exclusively to pumpperps.com, fonts.googleapis.com, fonts.gstatic.com, and cdn.dexscreener.com (for token images). First-party analytics only (custom heartbeat system).
TG-005 (info): HSTS Properly Configured
HTTP Strict Transport Security is correctly configured with a 2-year max-age and includeSubDomains directive, ensuring all connections are forced to HTTPS.
Location: HTTP response headers
```text
strict-transport-security: max-age=63072000; includeSubDomains
```
TG-006 (info): Custodial Wallet Architecture Eliminates Browser Drain Risk
PumpPerps uses a custodial wallet model where users deposit USDC to an assigned Solana wallet address. Trading happens off-chain within the platform. No signTransaction, signAllTransactions, or signMessage calls were found in the frontend bundle. This architecture completely eliminates the most common attack vector in Solana DeFi — malicious transaction signing from browser wallets. Users' external wallets are never connected to the platform for transaction signing.
Location: Frontend JS bundle analysis
TG-007 (info): Two-Factor Authentication (TOTP) Available
The platform offers TOTP-based two-factor authentication in the Settings page. Users can set up 2FA with an authenticator app. The setup flow uses standard QR code provisioning with manual secret backup. This is a strong security practice for a custodial trading platform.
Location: /settings page
TG-008 (info): First-Party Analytics Only — No Third-Party Tracking
The platform uses a custom first-party analytics system (heartbeat-based page tracking to /api/analytics/heartbeat) instead of third-party analytics services. No Google Analytics, no Meta Pixel, no tracking cookies from external domains. Session IDs are generated client-side using crypto.randomUUID() and stored in sessionStorage (cleared on tab close). This is a privacy-positive design choice.
Location: Frontend JS bundle — heartbeat implementation
TG-009 (info): Documentation, Whitepaper, and Legal Pages Published
The project has published comprehensive documentation including: a whitepaper and roadmap (PDF, 43KB), a docs section covering trading mechanics (long/short, pool tiers, fees, rug protection), Terms of Service, and Privacy Policy. The documentation transparently explains the platform's mechanics, including fee structures, leverage limits, and rug protection mechanisms.
Location: pumpperps.com/whitepaper.pdf, /docs, /terms, /privacy
This audit was performed by Opcode using AI-assisted review with human oversight. No audit can guarantee the complete absence of vulnerabilities. This report is not financial or legal advice.
© 2026 Opcode — opcode.run