Security

How Farmtardio protects your funds and privacy.

Access Control

Wallet-Gated Authentication

Farmtardio uses Sign-In With Solana (SIWS) for authentication:

  • No Passwords: Your wallet is your login, so there are no passwords to leak
  • Message Signing: Cryptographic proof of wallet ownership
  • Session Tokens: Short-lived JWTs for authenticated requests
  • Auto-Logout: Sessions expire after 24 hours of inactivity

Exchange Permissions

We request minimal permissions from exchanges:

  • Trading Only - Permission to place and cancel orders
  • No Withdrawals - We cannot withdraw your funds
  • Read Balance - View collateral for budget enforcement
  • Revocable - You can revoke access anytime

Fund Security

Where Your Funds Are

Your funds never leave the exchange:

  • Pacifica: Funds stay on Pacifica.fi under your control
  • Lighter: Funds stay on Lighter.xyz under your control
  • No Custody: Farmtardio never holds your funds
  • Direct Withdrawal: Withdraw directly from the exchange anytime

Risk Mitigation

Multiple safeguards protect against losses:

  • Stop-Losses: Every position has an automatic stop-loss
  • Position Limits: Max position size prevents overexposure
  • Daily Caps: Trading stops at configured daily limit
  • Balance Checks: Pre-trade verification of sufficient collateral

Data Privacy

What We Store

Minimal data collection for functionality:

  • Wallet Address: For authentication and linking runs
  • API Keys: Encrypted exchange API credentials
  • Trade History: Execution logs for dashboard display
  • Settings: Risk levels, budgets, preferences

What We Don't Store

  • Private Keys: Never requested or stored
  • Seed Phrases: Never requested or stored
  • Withdrawal Credentials: Not needed for trading-only access
  • Personal Info: No KYC, email, or phone number required

Encryption

  • At Rest: API keys encrypted with AES-256
  • In Transit: All connections use TLS 1.3
  • Database: PostgreSQL with column-level encryption
  • Key Management: Secrets stored in environment variables, not code

Infrastructure Security

Hosting

  • Vercel: Frontend hosted on Vercel with automatic HTTPS
  • Railway: Backend workers on Railway with isolated environments
  • Postgres: Managed database with automatic backups
  • CDN: Assets served through Vercel's global edge network

Network Security

  • DDoS Protection: Cloudflare in front of all services
  • Rate Limiting: API endpoints rate-limited per wallet
  • CORS: Strict CORS policies for API access
  • IP Allowlisting: Worker IPs allowlisted on exchanges

Incident Response

Monitoring

  • Real-time error tracking and alerting
  • Automated health checks every 60 seconds
  • Failed authentication monitoring
  • Unusual trading pattern detection

In Case of Breach

If we detect a security issue:

  1. Immediate Shutdown: All automation stopped within 60 seconds
  2. User Notification: Email/Discord/Twitter announcement ASAP
  3. Access Revocation: Revoke all exchange API keys
  4. Forensics: Investigate root cause and impact
  5. Remediation: Fix issue before resuming service
  6. Transparency Report: Public post-mortem published

Smart Contract Risk

While Farmtardio doesn't use smart contracts directly, you are exposed to:

  • Exchange Risk: Pacifica and Lighter contracts have their own risks
  • Bridge Risk: Applies if you use bridges to move funds to L2s
  • Wallet Risk: Your Solana/EVM wallet security is your responsibility

Best Practices for Users

  • Use a dedicated wallet: Don't farm with your main wallet
  • Start small: Test with $100-500 before scaling up
  • Monitor daily: Check your runs at least once per day
  • Secure your wallet: Use a hardware wallet if possible
  • Revoke unused permissions: Revoke API keys when not farming
  • Be skeptical: If something seems off, pause your runs

Questions about security?

We're happy to answer any security concerns. Reach out via Discord or Twitter.