Skip to main content
Security

Eight pillars.
Zero trust in chat.

Every Solana memecoin bot is one master-key leak away from disaster. Here is exactly how MoonHydra defends yours — and where the limits are.

🔐

AES-256-GCM at rest

Every Hydra Head private key is encrypted with AES-256-GCM before being saved to PostgreSQL. The master key lives only in the operator's environment — never in the repo, never in chat, never in logs. Each wallet has its own random IV; tampering invalidates the auth tag and decryption fails loudly.

🚫

Logs are redacted

Pino logger has explicit field-level redactors for encryptedKey, iv, authTag, secretKey, privateKey, and MASTER_ENCRYPTION_KEY. Even if a developer accidentally logs a wallet object, the secret fields are stripped with [REDACTED].

🔑

No key export, no seed phrases

Hydra Heads are generated server-side. We never send a private key over Telegram, never email it, never echo it back. To exit, use /withdraw — the bot signs a SOL transfer to any address you specify. No seed phrases are derived; the random keypair is the source of truth.

🐍

Burner wallets only

You can connect an existing wallet (Phantom / Solflare base58 export or Solana CLI keypair JSON), but only via the guarded flow: DM-only, multi-step warning, AES-256-GCM encryption the instant the key arrives, message auto-deletion, no log lines. Recommendation: only ever connect burner wallets you accept being entrusted to a trading bot. Seed phrases are NEVER accepted — single-wallet private keys only.

🌐

Operator-controlled infrastructure

MoonHydra runs on a single operator-managed stack — Railway for the bot, Postgres + Redis for state, Helius for Solana RPC. Every database query, every swap, every key decryption happens inside this perimeter. No third-party plugins. No untrusted middlemen between you and Jupiter.

No custody, no pooling

Each user has their own Hydra Heads. There is no shared treasury, no pooled wallet, no operator-controlled vault. The only signer for your trades is your encrypted keypair, decrypted into RAM only when a swap is actually executing.

🛑

Optional RugCheck buy gate

Off by default — enable it via /security in-bot and every /buy fetches the token's RugCheck score, refusing the trade if it exceeds your threshold: Strict (100), Default (500), or Loose (1000). The token card always shows the score before you commit, gate on or off. API failures fail open so an outage doesn't lock you out of legitimate trades.

🔐

Password + TOTP withdraw chain

Optional scrypt-hashed withdrawal password gates every /withdraw confirm. Optional TOTP 2FA (Google Authenticator / Authy / 1Password) layers on top. Brute-force lockout: 5 wrong attempts → 15 minute cooldown. Replay protection on TOTP via in-process per-user counter map rejecting same-code reuse within 90s. Same chain extends to /wallet → Replace Key and /wallet → Consolidate.

Threat model

Honest about what MoonHydra defends against — and what it can't.

⚠️ Operator server compromise

Attacker needs the database AND the master encryption key. Master key lives in Railway env vars, not in DB or repo. Even with full DB dump, wallets are unreadable without the key.

⚠️ Stolen Telegram account

Whoever controls your Telegram session controls your Hydra Heads. Enable Telegram 2FA. Use cloud-password protection. Treat Telegram security as wallet security.

⚠️ Rug-pull / honeypot token

Optional RugCheck buy gate (off by default — enable via /security in-bot) fetches a 0-1000 risk score on every /buy and refuses trades over your chosen threshold (100 / 500 / 1000). The token card always shows the score before you commit, whether the gate is on or not.

⚠️ Sandwich / MEV attack

Phase 3 routes all trades through Jito Block Engine bundles with a configurable tip. Bundled txs cannot be front-run by searchers. The tip field is already in the User schema; the swap-side wiring lands as part of Phase 3.

⚠️ Stolen password / brute-force withdraw

Withdrawal password is scrypt-hashed in the DB. Brute-force lockout triggers after 5 wrong attempts (15-minute cooldown). Optional TOTP layer adds a 6-digit code on top — Google Authenticator / Authy / 1Password compatible.

⚠️ TOTP code replay

In-process per-user counter rejects same-code reuse within 90 seconds. Setup messages auto-delete after first verify so the raw secret leaves Telegram chat history.

⚠️ Master key loss

IRRECOVERABLE. If the operator loses MASTER_ENCRYPTION_KEY, every Hydra Head's funds become permanently inaccessible. Mitigation: redundant secure backups of the key by the operator. Users should keep most funds OUT of Hydra Heads — only fund what you're actively trading.

⚠️ Telegram bot impersonation

The only legitimate bot is @moonhydrabot. Always verify the handle. Telegram's bot username system prevents collisions, but phishing channels with similar names exist. Bookmark t.me/moonhydrabot.

Built on standard primitives

MoonHydra's encryption is plain Node.js crypto.createCipheriv('aes-256-gcm', …) — no custom cryptography, no third-party dependencies in the security-critical path. AES-256-GCM is an industry-standard authenticated encryption scheme; its security has been studied and battle-tested for over a decade.

Internal round-trip tests verify the contract: encrypt → decrypt = identity, tampered ciphertext fails, tampered auth tag fails. Every release runs them automatically before deploy. Any deviation breaks the build.

Stay paranoid. Trade anyway.

Security is a process, not a feature. Use burners, withdraw profits, enable Telegram 2FA, never trust a bot with funds you can't afford to lose.

Open in Telegram