Skip to main content
veto.fun’s security model is built on absence of power: the safest admin function is the one that doesn’t exist. This page describes exactly what is and isn’t possible.

The token contract

Every launched token is a minimal ERC-20 (plus EIP-2612 permit) with the entire attack surface removed:
  • No owner. The token has no admin at all after deployment.
  • No mint. Supply is minted once (1B) and can never increase.
  • No pause, no blacklist, no transfer fees. Transfers always work, for everyone, at face value.
  • Immutable metadata. The metadata URI is set at launch and can never change.

The launchpad contract

The launchpad holds curve funds and enforces the lifecycle. Its owner (the protocol) has exactly four powers: That’s the complete list. No token’s fees can ever be changed after launch. The snapshot model means fee changes cannot be applied retroactively, by anyone. There is no function to withdraw curve ETH, pause trading, seize tokens, block graduation, or upgrade the contract logic. Fee claims are permission-gated to their own beneficiaries: creator fees can be paid out only by the fee recipient or the platform’s claimer service (which distributes to recipients in batches), and protocol fees only by the treasury. No gate lets anyone redirect funds; payouts always go to the recorded recipient.

Locked liquidity

At graduation, the Uniswap v3 LP position is minted directly into the FeeLocker, a vault that is:
  • Immutable. No upgrade path.
  • Ownerless. No admin functions.
  • Withdrawal-free. The code contains no function that can move the LP position out. Only swap fees can be collected (by the token’s fee recipient, the treasury, or the platform’s claimer service), and those are split creator/treasury at the ratio snapshotted into the token at launch: 30/70 for tokens launched under the current config, unchangeable per token afterwards.
Locked means locked: the liquidity is provably unreachable by anyone, forever.

Solvency invariants

  • The curve’s rounding always favors the pool: the constant product k can never decrease.
  • The contract always holds enough real ETH to buy back every token sold on the curve (realEth = virtualEth − virtualEth₀).
  • These invariants are covered by fuzz tests and fork tests against the live Uniswap deployment.

Audit status

The contracts have undergone internal security review (including a fixed high-severity finding around pool-initialization griefing at migration, now mitigated with a bounded corrective swap). An independent third-party audit is planned; this page will link the report when published.
Smart contract risk can never be zero, and locked liquidity does not protect you from a token’s price going to zero. A creator can still buy early and sell on holders. Those trades are public on-chain, so check the creator’s activity before buying. See the Risk Disclosure.

Responsible disclosure

Found a vulnerability? Contact the team privately at contact@veto.fun or via ticket in our Discord. Please don’t disclose publicly before we’ve had a chance to respond.