> ## Documentation Index
> Fetch the complete documentation index at: https://docs.veto.fun/llms.txt
> Use this file to discover all available pages before exploring further.

# Security & Trust Model

> What the veto.fun contracts can and cannot do: the trust model, admin surface, and audit status.

veto.fun's security model is built on **absence of power**: the safest admin function is the one that doesn't exist. This page describes exactly what is and isn't possible.

## The token contract

Every launched token is a minimal ERC-20 (plus EIP-2612 permit) with the entire attack surface removed:

* **No owner.** The token has no admin at all after deployment.
* **No mint.** Supply is minted once (1B) and can never increase.
* **No pause, no blacklist, no transfer fees.** Transfers always work, for everyone, at face value.
* **Immutable metadata.** The metadata URI is set at launch and can never change.

## The launchpad contract

The launchpad holds curve funds and enforces the lifecycle. Its owner (the protocol) has exactly **four** powers:

| Power                             | Bound                                                                                                                                                                                |
| --------------------------------- | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------ |
| Tune the global fee config        | Hard caps in the contract (≤5% trade fee, ≤0.1 ETH creation fee); affects **future launches only**, since every existing token keeps the fee snapshot taken at its creation, forever |
| Rotate the claim-authority wallet | Can only *trigger* payouts; funds always flow to the recorded recipients                                                                                                             |
| Change the treasury address       | Only affects where protocol fees go                                                                                                                                                  |
| Set the FeeLocker address         | One-time, at deployment (already done)                                                                                                                                               |

That's the complete list. **No token's fees can ever be changed after launch.** The snapshot model means fee changes cannot be applied retroactively, by anyone. There is **no** function to withdraw curve ETH, pause trading, seize tokens, block graduation, or upgrade the contract logic.

Fee claims are permission-gated to their own beneficiaries: creator fees can be paid out only by the fee recipient or the platform's claimer service (which distributes to recipients in batches), and protocol fees only by the treasury. No gate lets anyone redirect funds; payouts always go to the recorded recipient.

## Locked liquidity

At graduation, the Uniswap v3 LP position is minted directly into the **FeeLocker**, a vault that is:

* **Immutable.** No upgrade path.
* **Ownerless.** No admin functions.
* **Withdrawal-free.** The code contains no function that can move the LP position out. Only swap *fees* can be collected (by the token's fee recipient, the treasury, or the platform's claimer service), and those are split creator/treasury at the ratio snapshotted into the token at launch: 30/70 for tokens launched under the current config, unchangeable per token afterwards.

Locked means locked: the liquidity is provably unreachable by anyone, forever.

## Solvency invariants

* The curve's rounding always favors the pool: the constant product `k` can never decrease.
* The contract always holds enough real ETH to buy back every token sold on the curve (`realEth = virtualEth − virtualEth₀`).
* These invariants are covered by fuzz tests and fork tests against the live Uniswap deployment.

## Audit status

The contracts have undergone internal security review (including a fixed high-severity finding around pool-initialization griefing at migration, now mitigated with a bounded corrective swap). An independent third-party audit is planned; this page will link the report when published.

<Warning>
  Smart contract risk can never be zero, and locked liquidity does not protect you from a token's price going to zero. A creator can still buy early and sell on holders. Those trades are public on-chain, so check the creator's activity before buying. See the [Risk Disclosure](/legal/risk-disclosure).
</Warning>

## Responsible disclosure

Found a vulnerability? Contact the team privately at **[contact@veto.fun](mailto:contact@veto.fun)** or via ticket in our [Discord](https://discord.gg/vetodotfun). Please don't disclose publicly before we've had a chance to respond.
