Security First.

Your assets are protected by multiple layers of defense. Non-custodial architecture, on-chain enforcement, and open source transparency.

Trust checklist

10 / 10 passed.

Every security measure verified and enforced across the full stack.

Non-custodial architecture

Your wallet keys never leave your device in plaintext. Magpie cannot move funds on your behalf.

On-chain liquidation enforcement

Liquidation logic executes deterministically on Solana. No admin can override or delay it.

AES-256-GCM wallet encryption

All wallet material is encrypted at rest using AES-256-GCM with per-user initialization vectors.

Open source (full audit trail)

Both repositories are public. Every line of code and every commit is independently verifiable.

No admin key override

There is no privileged key that can bypass program logic or drain collateral accounts.

Input sanitization on all endpoints

Every API and bot command input is validated and sanitized before processing.

SSL/TLS on all connections

All traffic between the bot, the database, and external APIs is encrypted in transit.

Rate limiting on API endpoints

Aggressive rate limits prevent abuse, brute-force attacks, and denial-of-service attempts.

Zero secrets in public repositories

No API keys, credentials, or private keys exist in code or git history. Independently verified.

Automated credential rotation

Database passwords, API tokens, and encryption keys are rotated on a regular schedule.

Architecture

Defense in depth.

Five isolated layers between you and any potential threat. Every connection encrypted, every action verifiable.

User (Telegram)Bot

Encrypted comms via Telegram API

BotSolana Program

On-chain, deterministic execution

Wallet keysEncrypted store

AES-256-GCM encrypted at rest

CollateralLoan-scoped PDAs

Isolated per loan, never pooled

LiquidationOn-chain enforcement

No admin override possible

What we protect

Your assets. Your rules.

Your Wallet

Non-custodial. Export anytime. We never see your private key in plaintext.

Your Collateral

Held in loan-scoped addresses. Only the pledged bag is at risk, never your wallet balance.

Your Data

Minimal data collection. No email, no KYC, no tracking. Just your Telegram ID and wallet address.

Audit report

Internal Security Audit.

April 17, 2026

Severity	Count	Status
Critical	0	—
High	2	Resolved
Medium	4	Resolved
Low	3	Resolved

Key findings addressed

SSL enforcement on database connections

Input sanitization on token request API

Docker build context protection

SQL injection prevention hardening

Error message sanitization

Quote expiry and slippage protection

Credential rotation completed

Transparency

Don't trust. Verify.

Both repositories are fully open source. Every commit is publicly auditable. Zero secrets in code or git history — independently verified.

magpie-site magpie-bot

Zero secrets in code or git history

Every commit is publicly auditable

Independently verified by third-party review

Bug bounty

Found a vulnerability?
We want to know.

We take all reports seriously and respond within 24 hours.

Contact: Report via Telegram @magpie_capital_bot or open a GitHub issue

Scope: Smart contract, bot logic, API endpoints, wallet security

Responsible Disclosure Policy

If you discover a security issue, please report it privately before disclosing publicly. We commit to acknowledging your report within 24 hours, providing an initial assessment within 72 hours, and keeping you informed as we work toward a fix. We will not take legal action against researchers who follow responsible disclosure practices.

Security is not a feature.
It's the foundation.

Your bags deserve the highest standard of protection.

Launch on Telegram