PENGY is a non-custodial Solana wallet where moving funds takes three independent factors — not just your recovery phrase. Steal the seed, and the vault stays shut.
Every standard wallet has one point of failure: the seed phrase. Phishing, malware, and drainer links all exploit the same thing — get the phrase once, and everything is gone in a single signature. PENGY removes that single point of failure.
Seed = full control. A phished or malware-stolen phrase drains every token instantly. No second line of defense, no way to claw it back.
Seed is one of three on-chain factors. A stolen phrase alone authorizes nothing — an attacker still needs your registered device and your password-derived auth key.
A withdrawal from a PENGY vault is authorized by a program on Solana that verifies all three factors before any funds move. Miss one, and the transaction is rejected on-chain.
Your standard non-custodial key. Necessary — but on its own, no longer sufficient to move a cent.
A device key registered to your vault on-chain. New devices face a timelock you can refuse — so a thief can't just add their own.
A key derived from your password via Argon2id, verified on-chain. Never stored, never leaves your device.
A second password that behaves exactly like your real one — same unlock, same transaction, nothing an attacker can detect. It silently alerts your emergency contacts.
On-chain daily withdrawal caps bound how much can move in any window, even if factors are met.
The vault has no external signing surface, which structurally closes the drainer-link attack.
Most consumer crypto losses come from a handful of repeatable attacks. PENGY is built to shut each of them down, not warn you after the fact.
On its own, a stolen seed authorizes nothing. Moving funds still needs your device and your password-derived key.
Even both together aren't enough — a withdrawal still requires your registered device, checked on-chain.
Your device alone can't move funds either. Losing your phone doesn't mean losing your money.
The vault exposes no external signing surface, so there's nothing for a malicious link or fake dApp to trick into signing.
Every transaction is decoded on your device and shown for real — the destination and amounts you see are the ones you sign. No blind signing.
A duress password opens the wallet exactly as your real one does — no delay, no error, nothing an attacker can observe. It silently alerts your emergency contacts, while velocity limits and timelocks bound what can leave.
Emergency-contact alerts comingA built-in token scanner surfaces what you need and flags risky tokens — honeypots and known scam patterns — right in the wallet. No jumping to a third-party site.
AI token intelligence comingSaved contacts mean you send to addresses you've verified once and trust — not a lookalike an attacker slipped into your history.
On-chain velocity limits and timelocks cap how much can move in any window — containing the damage even in a worst-case compromise.
Multi-factor custody raises a fair question: what happens when you lose one? Every factor in a PENGY vault has a way back — and none of them hand an attacker a shortcut.
Bring your seed and password to a new phone. It faces an on-chain timelock you can refuse from any device you still hold — so recovery works for you, and not for the thief holding your old one.
Live on devnetIf the device you registered first is gone for good, the primary role can be moved to another one you control — timelocked and cancellable, never instant.
Live on devnetA lost phrase means permanent lockout in every wallet — including this one. So set a timer: one to twenty years, pointed at a destination you control. Using your wallet resets it. If you're ever locked out for good, the vault sends your funds back to you instead of holding them forever. Visible in settings, cancellable from any device.
Recovery timer comingPENGY brings exchange-grade trading into a non-custodial wallet — limit orders, take-profit and stop-loss, built in. The power you'd expect from a centralized exchange, without ever handing over your keys.
Place limit orders that execute when the market hits your target — no bouncing to a centralized exchange, no custody handoff.
Automated exits that fire on your terms, on your own keys. Lock in gains or cap the downside without watching the chart.
Every trade is decoded on your device — the real token in, token out, and minimum received, read straight from the transaction bytes. No blind signing, ever.
PENGY keeps a small SOL fee reserve aside automatically, so you can always move or swap what you hold — no more owning tokens you can't touch because the wallet ran out of gas.
PENGY's vault is live on Solana devnet, with the core guarantees demonstrated as real on-chain transactions anyone can inspect. Every claim above is backed by a passing proof.
PENGY's no-blind-signing guarantee closes the drainer-link attack at the wallet. The roadmap carries that same protection forward — ending in a curated dApp ecosystem where every integration is vetted before it ever reaches you.
A full external security audit of the vault program — the gate between our proven devnet build and real user funds.
The audited wallet ships to Solana mainnet — the three-factor vault and integrated trading, live for real users.
A curated set of vetted dApps you can connect to without the usual risk — the wallet's no-blind-signing safety, extended to the apps you use.
Swaps routed to minimize sandwich and front-running losses — tight slippage enforced on-device, orders sent through MEV-protected submission.
Multi-factor custody is a real trade-off, not a magic trick. Here's what it actually means for you — including the parts nobody can fix for you.
Billions in consumer crypto are lost to seed-phrase theft every year. PENGY closes that gap structurally — and we're raising to complete a third-party audit and ship to mainnet.
Multi-factor, on-chain custody with a duress path indistinguishable under coercion — a security primitive no mainstream Solana wallet offers.
Live on devnet with six on-chain proofs and a clean self-assessment. This is shipped code, not a deck.
The raise funds a serious third-party security audit and the path to mainnet — the gate between here and real users.
Full-stack owner across the on-chain program, native app, and cryptography — shipping fast, proving on-chain.
Solo technical founder, dual French–Turkish, based in Istanbul. Full-stack across Rust/Anchor on-chain, native Android, and the client app.
Previously shipped MemeRace and Daily Candle to the Solana dApp Store, and built Chain Guardian — a transaction-safety tool published in the MetaMask Snaps directory under Security, reviewed and listed by MetaMask. A track record of shipping security tooling where wallets vet it.
Join the waitlist for early access. No spam — just a note when PENGY opens up.