
Transparency

JustPump is built on principles of radical transparency. Every operation is verifiable on-chain, ensuring users can trust the platform without relying on opaque backend processes.

All Trades Are On-Chain

  • Every buy, sell, and swap executes through Solana smart contracts
  • Transaction details are permanently recorded on the blockchain
  • Anyone can verify trades using Solana block explorers
  • No hidden or off-chain order matching
You can verify any JustPump transaction by searching the transaction signature on Solscan or Solana Explorer.

Deterministic Fee Distribution

Fees are calculated and distributed in a fully deterministic manner:
  • Fee percentages are hardcoded in smart contracts
  • Distribution happens automatically on every trade
  • No discretionary fee allocation by the team
  • All fee recipients are publicly known addresses
See the Fees Overview page for complete breakdowns of how fees are calculated and distributed.

Auditable Reward Logic

While reward eligibility is calculated off-chain for flexibility:
  • All payouts are on-chain and verifiable
  • Signed vouchers prevent unauthorized claims
  • Vault balances are publicly visible
  • Historical claim data is recorded on the blockchain

Security

JustPump implements multiple layers of security to protect users and their funds.

Minimal On-Chain Logic

The smart contracts follow a principle of simplicity:
  • Only essential logic lives on-chain
  • Fewer lines of code = smaller attack surface
  • Easier to audit and verify correctness
  • Lower gas costs for users
Complex logic introduces bugs and vulnerabilities. JustPump keeps on-chain code minimal and well-tested.

Signature-Based Authorization

Sensitive operations use cryptographic signatures for authorization:
  • Reward vouchers signed by authorized backend key
  • Claims verified on-chain before execution
  • Prevents unauthorized withdrawals from vaults
  • Public key is published for verification

Replay Protection

All signature-based operations include replay protection:
  • Unique identifiers for each voucher
  • Tracking of claimed vouchers on-chain
  • Expiration timestamps prevent stale claims
  • Prevents double-spending and duplicate claims
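
The three replay checks listed above, as an added example that is not JustPump's contract code. The voucher fields, the error names and the in-memory set standing in for on-chain claim tracking are all assumptions, and the signature check is assumed to have passed already.

```rust
use std::collections::HashSet;

// Hypothetical voucher fields; the page does not publish the real layout.
struct Voucher {
    id: u64,         // unique identifier for this voucher
    amount: u64,     // payout in base units
    expires_at: i64, // Unix timestamp; the voucher is stale after this
}

#[derive(Debug, PartialEq)]
enum ClaimError {
    Expired,
    AlreadyClaimed,
}

/// Stand-in for the on-chain record of claimed voucher ids.
#[derive(Default)]
struct ClaimLedger {
    claimed: HashSet<u64>,
}

impl ClaimLedger {
    /// Assumes the backend signature over every voucher field has already
    /// been verified; only the replay checks are shown here.
    fn claim(&mut self, v: &Voucher, now: i64) -> Result<u64, ClaimError> {
        if now > v.expires_at {
            return Err(ClaimError::Expired); // rejected before any state change
        }
        // insert() returns false when the id is already recorded, so the
        // check and the "mark as claimed" step cannot be separated.
        if !self.claimed.insert(v.id) {
            return Err(ClaimError::AlreadyClaimed);
        }
        Ok(v.amount)
    }
}

fn main() {
    let mut ledger = ClaimLedger::default();
    let v = Voucher { id: 7, amount: 500, expires_at: 1_700_000_600 }; // constructed
    println!("{:?}", ledger.claim(&v, 1_700_000_000)); // first claim pays out
    println!("{:?}", ledger.claim(&v, 1_700_000_100)); // replay is rejected
    let stale = Voucher { id: 8, amount: 500, expires_at: 1_700_000_600 };
    println!("{:?}", ledger.claim(&stale, 1_700_000_601)); // past expiry
}
```

The expiry and the identifier only protect anything if both are covered by the signature; a field outside the signed message can be changed without invalidating the voucher.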

Rate Limiting and Abuse Detection

Backend systems monitor for suspicious activity:
  • Unusual trading patterns flagged for review
  • Claim attempts tracked to prevent abuse
  • Rate limits on sensitive operations
  • Automated alerts for anomalies
While these protections are implemented off-chain for flexibility, all enforcement actions result in on-chain state changes that are publicly auditable.

Anti-Rug Mechanisms

JustPump includes built-in protections against rug pulls and market manipulation.

10% Sell Limit

You can only sell up to 10% of circulating supply per transaction. Large holders must split sells across multiple transactions, making their actions visible and giving the community time to respond.

Permanent Liquidity Lock

After graduation, LP tokens are minted directly to the pool’s PDA and cannot be withdrawn. This ensures liquidity remains locked forever—no rug pull risk.

Mint Authority Revocation

When tokens graduate, the mint authority is revoked. No new tokens can be minted, preventing supply inflation attacks.

Canonical Pools Only

Only the launchpad program can create canonical AMM pools via CPI. This prevents fake pools from being created to confuse traders.

How the 10% Limit Works

Before every sell transaction on the bonding curve:
max_sellable = (tokens_sold × 1000) / 10000  // 10% of circulating supply
require(tokens_to_sell <= max_sellable)
This is enforced on-chain in the smart contract—no way to bypass it.

Why Permanent Liquidity Lock Matters

Traditional AMMs allow liquidity providers to withdraw their LP tokens, removing liquidity and crashing the price (a “rug pull”). JustPump eliminates this risk:
  1. When a token graduates, LP tokens are minted to the pool’s Program Derived Address (PDA)
  2. There is no instruction in the smart contract to withdraw these LP tokens
  3. The pool PDA has no signing authority other than the program itself
  4. Result: Liquidity is permanently locked and cannot be removed
This is a unique architectural decision that prioritizes community protection over liquidity provider flexibility.

Smart Contract Architecture

Two-Program Design

JustPump uses a Cross-Program Invocation (CPI) architecture:
  1. Launchpad Program: Manages token creation and bonding curve trading
  2. AMM Program: Handles graduated token swaps with constant product formula
When a token graduates, the launchpad program calls the AMM program via CPI to create the canonical pool. The AMM validates that the caller is the authorized launchpad program before proceeding.

PDA-Based Security

All critical accounts use Program Derived Addresses (PDAs):
  • Seeds are deterministic and public
  • No private keys control PDAs (only the program can sign)
  • Eliminates private key compromise risk
  • Prevents unauthorized account access
Example PDA derivations:
GlobalConfig: ["global"]
Coin: ["coin", mint_pubkey]
BondingCurve: ["bonding-curve", mint_pubkey]
Pool: ["pool", base_mint, quote_mint]

Checked Arithmetic

All mathematical operations use checked arithmetic:
  • .checked_add(), .checked_mul(), .checked_div()
  • Overflows/underflows cause transaction failures instead of silent errors
  • Prevents integer overflow attacks
  • Ensures calculations are always correct
Integer overflow vulnerabilities have been exploited in many DeFi hacks. JustPump uses Rust’s checked arithmetic throughout to prevent this entire class of bugs.
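
The sell-limit formula from "How the 10% Limit Works" combined with the checked arithmetic described here, as an added example that is not JustPump's contract code. Function names, the error type and the use of u64 base-unit amounts are assumptions; the wrapping variant is included only to show what checked arithmetic prevents.

```rust
// Added example: all names are hypothetical; u64 base-unit amounts are assumed.
const SELL_LIMIT_BPS: u64 = 1_000; // 10% in basis points
const BPS_DENOMINATOR: u64 = 10_000;

#[derive(Debug, PartialEq)]
enum SellError {
    MathOverflow,
    ExceedsSellLimit { max_sellable: u64 },
}

/// The page's formula with checked u64 arithmetic: overflow becomes an error.
fn max_sellable_checked(tokens_sold: u64) -> Result<u64, SellError> {
    tokens_sold
        .checked_mul(SELL_LIMIT_BPS)
        .and_then(|v| v.checked_div(BPS_DENOMINATOR))
        .ok_or(SellError::MathOverflow)
}

/// Same formula with wrapping arithmetic, for contrast only: overflow silently
/// yields a wrong limit instead of failing.
fn max_sellable_wrapping(tokens_sold: u64) -> u64 {
    tokens_sold.wrapping_mul(SELL_LIMIT_BPS) / BPS_DENOMINATOR
}

/// Widening the intermediate product to u128 removes the overflow entirely.
fn max_sellable_wide(tokens_sold: u64) -> u64 {
    let wide = u128::from(tokens_sold) * u128::from(SELL_LIMIT_BPS)
        / u128::from(BPS_DENOMINATOR);
    wide as u64 // result is at most tokens_sold / 10, so it fits in u64
}

/// require(tokens_to_sell <= max_sellable), returning an error instead.
fn check_sell(tokens_sold: u64, tokens_to_sell: u64) -> Result<(), SellError> {
    let max_sellable = max_sellable_checked(tokens_sold)?;
    if tokens_to_sell > max_sellable {
        return Err(SellError::ExceedsSellLimit { max_sellable });
    }
    Ok(())
}

fn main() {
    let sold = 800_000_000_000_000; // constructed: 800M tokens at 6 decimals
    println!("{:?}", check_sell(sold, 80_000_000_000_000)); // exactly 10%
    println!("{:?}", check_sell(sold, 80_000_000_000_001)); // one unit over
    let huge = 20_000_000_000_000_000; // constructed: product exceeds u64::MAX
    println!("{:?}", max_sellable_checked(huge));
    println!("{} vs {}", max_sellable_wrapping(huge), max_sellable_wide(huge));
}
```

Integer division rounds down, so with fewer than 10 base units sold the limit evaluates to zero and every sell is rejected.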

User Security Best Practices

While JustPump implements platform-level security, users must also protect themselves:

Wallet Security

Use Hardware Wallets

Store significant funds in hardware wallets like Ledger. Hot wallets are convenient but vulnerable to malware.

Verify Addresses

Always verify token mint addresses before trading. Scammers create fake tokens with similar names.

Check Signatures

Review transaction details in your wallet before approving. Never blindly approve transactions.

Revoke Permissions

Regularly audit and revoke token approvals you no longer need. Use tools like Solana token approval managers.

Trading Security

  • Start small: Test with small amounts before trading large volumes
  • DYOR: Research tokens before trading—even on JustPump, memecoins are risky
  • Beware of hype: Artificial hype and coordinated pumps are common—trade cautiously
  • Watch for red flags: New tokens with low activity may be manipulation targets
JustPump protects against platform-level risks, but cannot eliminate memecoin market risks. Always trade responsibly and only with funds you can afford to lose.

Audits and Code Review

Current Status

  • Smart contracts are open source (repository available on request)
  • Code follows Anchor Framework best practices
  • Extensive integration test suite

Planned Security Measures

  • Professional third-party audit before mainnet launch
  • Bug bounty program for responsible disclosure
  • Ongoing security monitoring and updates
If you discover a security vulnerability, please report it responsibly to [email protected]. Do not disclose publicly until the issue is resolved.

Incident Response

In the event of a security incident:
  1. Immediate Detection: Monitoring systems alert the team to anomalies
  2. Rapid Response: Team investigates and determines severity
  3. User Communication: If users are affected, announcements via official channels
  4. Mitigation: Smart contract upgrades (if needed) or user guidance
  5. Post-Mortem: Transparent report on what happened and how it was resolved
JustPump commits to transparent communication during security incidents. Users deserve to know what happened and how the platform is responding.

Decentralization and Control

Current Architecture

  • Smart contracts are deployed by the JustPump team
  • Backend systems (reward calculations, voucher signing) are centralized
  • On-chain operations are permissionless—anyone can trade

Progressive Decentralization

As the platform matures:
  • Smart contract upgrade authority may transition to multi-sig or DAO governance
  • Backend logic may become more transparent or decentralized
  • Community input on platform evolution
JustPump is currently a semi-centralized platform. The team has control over backend systems and smart contract upgrades. Use accordingly.

Transparency Reports

JustPump publishes regular transparency reports covering:
  • Total trading volume
  • Fee distributions by recipient
  • Vault balances (Cashback, Airdrop)
  • Reward distributions
  • Platform metrics

View Transparency Reports

Access historical data and platform statistics on the JustPump dashboard

Questions About Security?

If you have security questions or concerns: