Live on Solana devnet · 6 on-chain security proofs

A stolen seed can't drain your wallet.

PENGY is a non-custodial Solana wallet where moving funds takes three independent factors — not just your recovery phrase. Steal the seed, and the vault stays shut.

Withdrawal attempt Sealed
Recovery seed
12-word phrase
holding
Registered device
on-chain device key
required
Auth key
Argon2id-derived
required
Seed stolen. Funds safe.
The flaw in every wallet

Whoever holds the phrase holds the funds.

Every standard wallet has one point of failure: the seed phrase. Phishing, malware, and drainer links all exploit the same thing — get the phrase once, and everything is gone in a single signature. PENGY removes that single point of failure.

Standard wallet

Seed = full control. A phished or malware-stolen phrase drains every token instantly. No second line of defense, no way to claw it back.

PENGY vault

Seed is one of three on-chain factors. A stolen phrase alone authorizes nothing — an attacker still needs your registered device and your password-derived auth key.

How PENGY works

Three factors, checked on-chain. Not one.

A withdrawal from a PENGY vault is authorized by a program on Solana that verifies all three factors before any funds move. Miss one, and the transaction is rejected on-chain.

01

Recovery seed

Your standard non-custodial key. Necessary — but on its own, no longer sufficient to move a cent.

02

Registered device

A device key registered to your vault on-chain. New devices face a timelock you can refuse — so a thief can't just add their own.

03

Auth key

A key derived from your password via Argon2id, verified on-chain. Never stored, never leaves your device.

Duress mode

A second password that behaves exactly like your real one — same unlock, same transaction, nothing an attacker can detect. It silently alerts your emergency contacts.

Velocity limits

On-chain daily withdrawal caps bound how much can move in any window, even if factors are met.

No dApp-signing surface

The vault has no external signing surface, which structurally closes the drainer-link attack.

Start with a standard wallet in seconds — activate the vault when you're ready to protect real funds
What we shut down

The attacks that empty wallets — closed by design.

Most consumer crypto losses come from a handful of repeatable attacks. PENGY is built to shut each of them down, not warn you after the fact.

Stolen recovery phrase

On its own, a stolen seed authorizes nothing. Moving funds still needs your device and your password-derived key.

Seed and password stolen

Even both together aren't enough — a withdrawal still requires your registered device, checked on-chain.

Lost or stolen phone

Your device alone can't move funds either. Losing your phone doesn't mean losing your money.

Phishing & drainer links

The vault exposes no external signing surface, so there's nothing for a malicious link or fake dApp to trick into signing.

Malicious transactions

Every transaction is decoded on your device and shown for real — the destination and amounts you see are the ones you sign. No blind signing.

Coercion & forced access

A duress password opens the wallet exactly as your real one does — no delay, no error, nothing an attacker can observe. It silently alerts your emergency contacts, while velocity limits and timelocks bound what can leave.

Emergency-contact alerts coming

Scam & honeypot tokens

A built-in token scanner surfaces what you need and flags risky tokens — honeypots and known scam patterns — right in the wallet. No jumping to a third-party site.

AI token intelligence coming

Address poisoning

Saved contacts mean you send to addresses you've verified once and trust — not a lookalike an attacker slipped into your history.

Runaway losses

On-chain velocity limits and timelocks cap how much can move in any window — containing the damage even in a worst-case compromise.

Losing a factor

Three factors for a thief to beat. Not three ways to lose your funds.

Multi-factor custody raises a fair question: what happens when you lose one? Every factor in a PENGY vault has a way back — and none of them hand an attacker a shortcut.

Lost phone

Register a new device

Bring your seed and password to a new phone. It faces an on-chain timelock you can refuse from any device you still hold — so recovery works for you, and not for the thief holding your old one.

Live on devnet
Dead device

Reassign your primary

If the device you registered first is gone for good, the primary role can be moved to another one you control — timelocked and cancellable, never instant.

Live on devnet
Lost seed phrase

Recovery timer

A lost phrase means permanent lockout in every wallet — including this one. So set a timer: one to twenty years, pointed at a destination you control. Using your wallet resets it. If you're ever locked out for good, the vault sends your funds back to you instead of holding them forever. Visible in settings, cancellable from any device.

Recovery timer coming
Every recovery path is timelocked and cancellable — never instant, never silent
The experience

Trade like an exchange. Hold like it's yours.

PENGY brings exchange-grade trading into a non-custodial wallet — limit orders, take-profit and stop-loss, built in. The power you'd expect from a centralized exchange, without ever handing over your keys.

Limit orders

Set your price

Place limit orders that execute when the market hits your target — no bouncing to a centralized exchange, no custody handoff.

TP / SL

Take-profit & stop-loss

Automated exits that fire on your terms, on your own keys. Lock in gains or cap the downside without watching the chart.

Verified signing

What you see is what you sign

Every trade is decoded on your device — the real token in, token out, and minimum received, read straight from the transaction bytes. No blind signing, ever.

Fee reserve

Never stuck without gas

PENGY keeps a small SOL fee reserve aside automatically, so you can always move or swap what you hold — no more owning tokens you can't touch because the wallet ran out of gas.

Self-custodial throughout — your funds never leave your control
Proven on-chain, not on paper

The security model runs — and it's provable.

PENGY's vault is live on Solana devnet, with the core guarantees demonstrated as real on-chain transactions anyone can inspect. Every claim above is backed by a passing proof.

Three-factor withdrawal succeedsPASS
Seed-only attacker is rejectedPASS
Over-limit withdrawal is rejectedPASS
Duress path is indistinguishablePASS
Duplicate device registration blockedPASS
Vault cancel can't be griefedPASS
0 / 0
Critical & High findings in our pre-audit self-assessment. Audit-ready, external audit next.
Vault program · devnet
2ckQ7mp3QEoY6j8GmE6AEfPRnXPg4bHMZpmnYioSt93k
View on Solana Explorer →
What's next

The safety of the vault, extended outward.

PENGY's no-blind-signing guarantee closes the drainer-link attack at the wallet. The roadmap carries that same protection forward — ending in a curated dApp ecosystem where every integration is vetted before it ever reaches you.

Next

Third-party audit

A full external security audit of the vault program — the gate between our proven devnet build and real user funds.

Then

Mainnet launch

The audited wallet ships to Solana mainnet — the three-factor vault and integrated trading, live for real users.

Later

Whitelisted dApp ecosystem

A curated set of vetted dApps you can connect to without the usual risk — the wallet's no-blind-signing safety, extended to the apps you use.

Later

MEV-aware execution

Swaps routed to minimize sandwich and front-running losses — tight slippage enforced on-device, orders sent through MEV-protected submission.

Straight answers

The questions a security wallet should answer.

Multi-factor custody is a real trade-off, not a magic trick. Here's what it actually means for you — including the parts nobody can fix for you.

What if I forget my password?
Your auth key is derived from your password and never stored anywhere — not on your device, not on-chain, not with us. That's exactly what makes it a real factor, and it's also why nobody, PENGY included, can reset it for you. It's the reason the recovery timer exists: a vault you can no longer open eventually returns its funds to a destination you chose in advance.
What if I lose my recovery phrase?
Your seed is still necessary to move funds, and we can't regenerate it — a lost phrase means permanent lockout in every non-custodial wallet, including this one. The recovery timer is the route back, and it's something you set up before you need it rather than after.
What if I lose my phone?
Register a new device with your seed and password. The new device faces an on-chain timelock that any device you still hold can refuse — so the path back is open to you and closed to a thief. If the phone you registered first is gone permanently, the primary role can be reassigned the same way. See Recovery.
What if PENGY disappears?
The vault program lives on Solana, not on our servers, and your keys never leave your device. The rules that release your funds are on-chain and publicly inspectable — they don't depend on this company continuing to exist.
Is the code public?
The vault program is deployed on Solana devnet, and the rules governing every withdrawal are inspectable on-chain by anyone — you can read them at the program address. The codebase is currently under external security review ahead of a full third-party audit, which is the gate before mainnet.
Does PENGY ever hold my funds?
No. PENGY is non-custodial throughout — your seed, your password-derived key, and your device key are yours alone. We can't move your funds, freeze them, or recover them for you. That's the trade: real custody, with real recovery paths that only you control.
For investors

Consumer self-custody's biggest unsolved problem is theft.

Billions in consumer crypto are lost to seed-phrase theft every year. PENGY closes that gap structurally — and we're raising to complete a third-party audit and ship to mainnet.

A real wedge, not a feature

Multi-factor, on-chain custody with a duress path indistinguishable under coercion — a security primitive no mainstream Solana wallet offers.

Built and proven, pre-audit

Live on devnet with six on-chain proofs and a clean self-assessment. This is shipped code, not a deck.

Clear use of funds

The raise funds a serious third-party security audit and the path to mainnet — the gate between here and real users.

Solo-founder velocity

Full-stack owner across the on-chain program, native app, and cryptography — shipping fast, proving on-chain.

The founder

Solo technical founder, dual French–Turkish, based in Istanbul. Full-stack across Rust/Anchor on-chain, native Android, and the client app.

Previously shipped MemeRace and Daily Candle to the Solana dApp Store, and built Chain Guardian — a transaction-safety tool published in the MetaMask Snaps directory under Security, reviewed and listed by MetaMask. A track record of shipping security tooling where wallets vet it.

Be first to hold an unstealable wallet.

Join the waitlist for early access. No spam — just a note when PENGY opens up.

You're on the list. Welcome aboard. ✦
We'll only use your email to tell you when access opens.