Custody
Turnkey-managed signing. The escrow private key lives in a hardware-backed enclave at Turnkey. It is never read into our process, never written to disk, and never sits in env vars. A leaked Turnkey API key can still sign, but the key can be rotated instantly from the Turnkey dashboard with no redeploy.
Velocity caps
Every claim and refund passes hourly and daily outflow caps before it executes. An attacker pushing volume through the application trips the cap before draining the escrow.
Audit log
Every escrow signing operation lands in wallet_audit_log: rail, destination, amount, signature, ok or error. This is the forensics input for anything that goes wrong.
Real-time alerts
A Slack webhook fires on velocity-cap trip, low SOL gas balance, and outflow spikes. We learn within seconds, not the next morning.
Health-check cron
/api/cron/health runs every 15 minutes. It checks escrow SOL and USDC balances, raises alerts on anomalies, and feeds the public status page.
Kill switch
LENNY_PAUSED=true returns 503 from every claim route immediately. No redeploy needed. The right thing to do at the first sign of trouble.
Auto-refund
Expired transfers are returned to the sender by /api/cron/refund-expired every 6 hours. No manual reconciliation needed for the happy unhappy path.
Hashed claim tokens
The database stores SHA-256 hashes of claim tokens, not plaintext. A read-only DB leak no longer exposes live claim links.
Above-threshold OTP gate
Transfers at or above the OTP threshold (default $20) require a 6-digit code emailed to the recipient before the rail picker unlocks.
On the roadmap
Replace the hot-wallet model with an on-chain Solana escrow program: per-transfer PDA, sender-reclaim after timelock, recipient-claim with on-chain conditions. Until that ships, we treat the operating float as the maximum acceptable single-incident loss.
Report a security issue
Email security@lenny.chat. We respond within 24 hours and credit responsible disclosures in the changelog.