Skip to main content

​
Executive Summary

Raze.bot is a multi-wallet Solana trading platform that prioritizes user security through local transaction processing and client-side private key management. This audit documentation demonstrates that Raze.bot implements industry-standard security practices to ensure that private keys never leave the user’s device and all sensitive operations are performed locally.

​
πŸ” Core Security Principles

​
1. Local Private Key Management

Private keys are generated, stored, and used exclusively on the client-side:
AspectImplementation
Key GenerationNew wallets are created using Solana’s Keypair.generate() method locally in the browser
Key StoragePrivate keys are encrypted using AES encryption before storage
Key UsageTransaction signing occurs entirely in the browser using local keypairs
Zero Server TransmissionPrivate keys are never sent to any server or external service

​
2. Client-Side Transaction Signing

All transaction signing happens locally in the user’s browser: 
// Transaction signing is performed locally
const signTransaction = (transactionBase58: string, privateKey: string): string => {
  // Create keypair from private key (locally)
  const keypair = web3.Keypair.fromSecretKey(bs58.decode(privateKey));

  // Deserialize transaction
  const txBuffer = bs58.decode(transactionBase58);
  const transaction = web3.VersionedTransaction.deserialize(txBuffer);

  // Sign the transaction locally
  transaction.sign([keypair]);

  // Return signed transaction
  return bs58.encode(transaction.serialize());
};

​
3. Encrypted Local Storage

Wallet data is encrypted before storage:
FeatureDetails
Encryption MethodAES encryption using CryptoJS
Storage LocationsIndexedDB (primary) and localStorage (backup)
Key ProtectionEncryption key is hardcoded in client code (standard for client-side apps)
Migration SupportAutomatic migration from unencrypted to encrypted storage

​
πŸ›‘οΈ Security Architecture

​
Transaction Flow Security

1

Unsigned Transaction Request

  • Client requests unsigned transaction from server
  • Server returns transaction template without signatures
  • No private keys involved in this step
2

Local Transaction Signing

  • Client deserializes unsigned transaction
  • Private key is used locally to sign transaction
  • Signed transaction is serialized for transmission
3

Signed Transaction Submission

  • Only the signed transaction is sent to server
  • Server forwards to Jito Bundle Service or RPC
  • Private keys remain on client device

​
Wallet Management Security

​
Wallet Creation

export const createNewWallet = async (): Promise<WalletType> => {
  const keypair = Keypair.generate(); // Local generation
  const address = keypair.publicKey.toString();
  const privateKey = bs58.encode(keypair.secretKey);

  return {
    id: Date.now(),
    address,
    privateKey, // Stored locally only
    isActive: false
  };
};

​
Wallet Import

export const importWallet = async (
  privateKeyString: string
): Promise<{ wallet: WalletType | null; error?: string }> => {
  // Validation and keypair creation happens locally
  const privateKeyBytes = bs58.decode(privateKeyString);
  const keypair = Keypair.fromSecretKey(privateKeyBytes);
  const address = keypair.publicKey.toString();

  // Private key remains in local memory only
  return { 
    wallet: { 
      id: Date.now(), 
      address, 
      privateKey: privateKeyString, 
      isActive: false 
    } 
  };
};

​
Data Encryption Implementation

// Encryption utilities
const encryptData = (data: string): string => {
  return CryptoJS.AES.encrypt(data, ENCRYPTION_KEY).toString();
};

const decryptData = (encryptedData: string): string => {
  const bytes = CryptoJS.AES.decrypt(encryptedData, ENCRYPTION_KEY);
  return bytes.toString(CryptoJS.enc.Utf8);
};

// Secure wallet storage
export const saveWalletsToCookies = (wallets: WalletType[]): void => {
  const walletData = JSON.stringify(wallets);
  const encryptedData = encryptData(walletData); // Encrypt before storage
  localStorage.setItem(ENCRYPTED_STORAGE_KEY, encryptedData);
};

​
πŸ” Security Audit Findings

​
βœ… Strengths

  • Private keys are generated using secure Solana libraries
  • Keys never leave the client environment
  • All cryptographic operations performed locally
  • Transactions are signed client-side using local keypairs
  • Only signed transactions are transmitted to servers
  • No private key exposure during transaction processing
  • Wallet data encrypted using AES before storage
  • Multiple storage backends (IndexedDB + localStorage)
  • Automatic migration from unencrypted to encrypted storage
  • Open-source codebase allows for public security review
  • Clear separation between client and server responsibilities
  • Well-documented security practices

​
⚠️ Considerations

Client-Side Encryption KeyEncryption key is embedded in client code (standard limitation for client-side apps). Users should be aware that client-side encryption protects against casual access, not determined attackers with code access.
Browser Security DependencySecurity relies on browser’s built-in protections. Users should use updated browsers and avoid compromised devices.
Phishing ProtectionUsers must verify they’re using the official Raze.bot domain. No additional phishing protection mechanisms implemented.

​
πŸ› οΈ Security Dependencies

​
Core Security Libraries

LibraryPurpose
@solana/web3.jsOfficial Solana library for blockchain interactions
bs58Base58 encoding/decoding for Solana addresses and keys
crypto-jsAES encryption for local data protection
js-cookieSecure cookie management

​
Security-Relevant Dependencies

{
  "@solana/web3.js": "^1.95.8",
  "bs58": "^6.0.0",
  "crypto-js": "^4.2.0",
  "js-cookie": "^3.0.5"
}

​
πŸ”’ Best Practices Implemented

​
1. Principle of Least Privilege

  • Server only receives unsigned transaction templates and signed transactions
  • No unnecessary data transmission
  • Minimal server-side private data handling

​
2. Defense in Depth

  • Multiple storage mechanisms (IndexedDB + localStorage)
  • Encryption at rest
  • Client-side validation and error handling

​
3. Secure Development Practices

  • TypeScript for type safety
  • Comprehensive error handling
  • Input validation for private keys and transactions

​
πŸ“‹ Security Checklist

Private keys generated locally using secure libraries
Private keys never transmitted to servers
All transaction signing performed client-side
Wallet data encrypted before storage
Multiple storage backends for redundancy
Open-source code for transparency
Secure dependency management
Proper error handling and validation
Clear separation of client/server responsibilities

​
πŸ” Competitor Security Analysis

​
Overview

To provide context for Raze.bot’s security approach, we analyzed how major Solana trading bot competitors handle private keys and transaction security. This comparison highlights the varying approaches to user security in the trading bot ecosystem.

​
Security Trade-offs Analysis

FeatureRaze.botBullXGMGNPhotonAxiomPadre (Terminal)
Local Key Storageβœ…βŒβŒβ“βŒβŒ
Client-Side Signingβœ…β“β“β“β“β“
Zero Server Transmissionβœ…βŒβŒβŒβŒβŒ
Open Source Securityβœ…βŒβŒβŒβŒβŒ
βœ… = Implemented, ❌ = Not implemented, ❓ = Unclear/Unverified

​
🎯 Conclusion

Raze.bot implements a security-first architecture that ensures:

Private keys remain local

Never transmitted or stored on servers

Local transaction signing

All cryptographic operations performed in the browser

Encrypted storage

Wallet data protected at rest

Transparent security

Open-source code allows for public audit
Compared to competitors, Raze.bot offers the most secure approach to private key management by keeping all sensitive operations local to the user’s device. While some competitors offer additional features like MEV protection, Raze.bot’s focus on fundamental security principles provides users with the highest level of asset protection.
Users can confidently use Raze.bot knowing that their private keys and sensitive data remain under their complete control on their local device.

​
πŸ“ž Security Contact

For security-related questions or to report vulnerabilities:

GitHub Issues

Prefix with [SECURITY]

Support Center

Contact support directly
This security audit documentation demonstrates Raze.bot’s commitment to user security and transparency. The platform’s architecture ensures that users maintain complete control over their private keys while providing a seamless trading experience.