Run dependency audits, verify keypair integrity with 9 automated checks, and scan file permissions — the complete security toolkit.
- Node.js 18+, Rust toolchain (for cargo audit)
- Repository cloned locally
cd /path/to/pump-fun-sdktools/
├── verify-keypair.ts # 9-check keypair verification
├── audit-dependencies.sh # npm + cargo vulnerability scanner
├── check-file-permissions.sh # Finds keypairs with wrong permissions
└── README.md
The most important tool — verifies a keypair file is valid, secure, and functional:
import { verifyKeypair } from "../tools/verify-keypair";
// Basic verification
const result = await verifyKeypair("./my-keypair.json");
console.log(`Passed: ${result.passed}`);
console.log(`Public key: ${result.publicKey}`);
for (const check of result.checks) {
console.log(`${check.passed ? "✅" : "❌"} ${check.name}: ${check.message}`);
}| # | Check | What It Verifies |
|---|---|---|
| 1 | File exists | File is readable at the given path |
| 2 | Permissions | File permissions are exactly 0600 (owner read/write only) |
| 3 | Valid JSON | Contents parse as JSON |
| 4 | Array format | JSON is an array of exactly 64 numbers, each 0-255 |
| 5 | Keypair construction | Keypair.fromSecretKey() succeeds |
| 6 | Public key derivation | Derived public key matches expected bytes |
| 7 | Prefix match | Public key starts with expected prefix (optional) |
| 8 | Suffix match | Public key ends with expected suffix (optional) |
| 9 | Sign & verify | Signs a message and verifies the signature |
For vanity-generated keypairs, verify the address matches:
// Verify a vanity keypair with prefix "Pump"
const result = await verifyKeypair(
"./Pump7x9abc.json",
"Pump", // expectedPrefix
undefined // expectedSuffix (optional)
);
if (!result.passed) {
const failures = result.checks.filter((c) => !c.passed);
console.error("FAILED checks:", failures.map((f) => f.name));
}npx ts-node tools/verify-keypair.ts ./my-keypair.json
npx ts-node tools/verify-keypair.ts ./vanity.json Pump
npx ts-node tools/verify-keypair.ts ./vanity.json Pump SDKScan both Rust and TypeScript dependencies for known vulnerabilities:
bash tools/audit-dependencies.shRust dependencies (cargo audit):
# Installs cargo-audit if missing, then runs:
cargo audit
# Also checks license compliance:
cargo-license --jsonTypeScript dependencies (npm audit):
npm audit --audit-level=high
# License check:
npx license-checker --summaryShell script static analysis:
- Detects
curl | shpatterns (remote code execution risk) - Flags
evalusage (command injection risk) - Finds unquoted variables (word splitting risk)
- Scans for hardcoded secrets or API keys
=== Dependency Audit Report ===
[Rust] cargo audit ............ ✅ PASS (0 vulnerabilities)
[Rust] license check .......... ✅ PASS (all MIT/Apache-2.0)
[Node] npm audit .............. ✅ PASS (0 high/critical)
[Node] license check .......... ✅ PASS
[Shell] static analysis ....... ✅ PASS (0 issues)
Summary: 5/5 checks passed
Find keypair files with insecure permissions:
bash tools/check-file-permissions.sh- Scans for all
.jsonfiles in the project - Reads each file with
jqto check if it looks like a keypair (array of 64 numbers) - Skips known non-keypair files (
package.json,tsconfig.json, etc.) - For actual keypairs, verifies permissions are exactly
600
# Example output:
Scanning for keypair files...
Checked 127 JSON files, found 3 keypairs
✅ ./keys/vanity1.json ........... 600
❌ ./keys/vanity2.json ........... 644 ← INSECURE!
✅ ./keys/vanity3.json ........... 600
1 keypair(s) with insecure permissions!# Fix a single file
chmod 600 ./keys/vanity2.json
# Fix all keypair files at once
find . -name "*.json" -exec bash -c '
if jq -e "if type == \"array\" and length == 64 then true else false end" "$1" > /dev/null 2>&1; then
chmod 600 "$1"
echo "Fixed: $1"
fi
' _ {} \;Combine all tools into one script:
#!/usr/bin/env bash
set -euo pipefail
echo "=== Pump SDK Security Audit ==="
echo ""
FAILURES=0
# 1. Dependency audit
echo "--- Dependency Vulnerabilities ---"
if bash tools/audit-dependencies.sh; then
echo "✅ Dependencies clean"
else
echo "❌ Vulnerability found!"
FAILURES=$((FAILURES + 1))
fi
echo ""
# 2. File permissions
echo "--- Keypair Permissions ---"
if bash tools/check-file-permissions.sh; then
echo "✅ All keypairs secured"
else
echo "❌ Insecure keypair permissions!"
FAILURES=$((FAILURES + 1))
fi
echo ""
# 3. Verify all keypair files
echo "--- Keypair Integrity ---"
for kp in $(find . -path ./node_modules -prune -o -name "*.json" -print); do
if jq -e 'if type == "array" and length == 64 then true else false end' "$kp" > /dev/null 2>&1; then
if npx ts-node tools/verify-keypair.ts "$kp" > /dev/null 2>&1; then
echo " ✅ $kp"
else
echo " ❌ $kp FAILED verification!"
FAILURES=$((FAILURES + 1))
fi
fi
done
echo ""
# Summary
if [ "$FAILURES" -eq 0 ]; then
echo "🟢 All security checks passed"
exit 0
else
echo "🔴 $FAILURES check(s) failed"
exit 1
fiAdd to your GitHub Actions workflow:
name: Security Audit
on:
push:
branches: [main]
pull_request:
schedule:
- cron: '0 6 * * 1' # Weekly Monday 6am
jobs:
audit:
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v4
- uses: actions/setup-node@v4
with: { node-version: '20' }
- uses: dtolnay/rust-toolchain@stable
- run: cargo install cargo-audit
- run: npm ci
- run: bash tools/audit-dependencies.sh
- run: bash tools/check-file-permissions.sh| Category | Tool | Frequency |
|---|---|---|
| Dependencies | audit-dependencies.sh |
Every PR + weekly |
| File permissions | check-file-permissions.sh |
Every PR |
| Keypair integrity | verify-keypair.ts |
After generation |
| Sign/verify test | verify-keypair.ts check #9 |
After generation |
| Prefix validation | verify-keypair.ts check #7 |
After vanity generation |
- See Tutorial 13 for generating keypairs to verify
- See Tutorial 30 for batch generation with built-in verification
- See Tutorial 38 for the full test suite