Security is critical for Solana tokens. Poor security leads to hacks, rug pulls, and loss of trust. This comprehensive checklist ensures you've covered all security aspects before and after token creation.
Use this checklist before launch, immediately after creation, and during regular security audits. Check off each item as you complete it. Don't skip steps - each one protects your token and your community.
1 Pre-Creation Security
Wallet Security Audit
Use hardware wallet: Hardware wallets (Ledger, Trezor) provide the best security. Avoid using software wallets for large amounts.
Secure seed phrase storage: Store seed phrase offline, never digitally. Use metal backup for fire/water protection. Never share or store online.
Enable 2FA where possible: Use two-factor authentication on all accounts. Authenticator apps are more secure than SMS.
Verify wallet authenticity: Only download wallets from official sources. Check URLs carefully to avoid phishing sites.
Platform Security
Verify platform legitimacy: Research the token creation platform. Check reviews, community feedback, and security history.
Check platform security history: Look for past security incidents. Avoid platforms with poor security track records.
Review platform code (if open source): If the platform is open source, review the code or have it audited. Understand how it works.
Network Security
Use official Solana RPC: Only connect to official Solana RPC endpoints. Avoid third-party RPCs that could intercept transactions.
Verify network connection: Ensure you're connected to Solana mainnet, not testnet or devnet, when creating real tokens.
Check for phishing sites: Verify URLs carefully. Phishing sites mimic legitimate platforms to steal credentials.
2 Token Creation Security
Authority Settings
Revoke mint authority (if fixed supply): If your token has a fixed supply, revoke mint authority immediately. This prevents unlimited token creation. See our authority guide.
Revoke freeze authority (if not needed): Freeze authority allows freezing token accounts. Revoke unless you need it for compliance.
Revoke update authority (if final): Update authority allows changing metadata. Revoke if your metadata is final to prevent changes.
Document authority decisions: Record which authorities you're keeping and why. This helps with transparency and future audits.
Metadata Security
Verify metadata accuracy: Double-check all metadata before creation. Name, symbol, description, and links should be correct.
Use official metadata standard: Follow Solana's metadata standards. This ensures compatibility and security.
Secure metadata storage: Ensure metadata is stored securely. Use reputable hosting for logo and metadata URLs.
Supply Security
Verify total supply: Confirm the total supply is correct before creation. This is permanent and cannot be changed.
Check for supply manipulation: Ensure no mechanisms allow unauthorized supply changes. Revoke mint authority if supply is fixed. If you plan to reduce supply over time, learn how token burn mechanisms work on Solana.
Document supply decisions: Record why you chose your supply amount. This helps with transparency and future planning.
3 Post-Creation Security
Verify Token on Block Explorer
Check all token details: Visit Solscan.io and verify name, symbol, supply, and all metadata match your expectations.
Verify authorities: Confirm which authorities are active and which are revoked. This is critical for security.
Confirm metadata: Verify logo, description, and social links appear correctly on the block explorer.
Verify supply: Confirm total supply matches what you intended. Check for any unexpected changes.
Authority Verification
Confirm revocations: Verify that authorities you intended to revoke are actually revoked. This is permanent and cannot be undone.
Document remaining authorities: Record which authorities you kept and why. This helps with transparency.
Create authority report: Document all authority settings. Share this with your community to build trust.
Wallet Security
Secure mint address: Save your token's mint address securely. You'll need it for listings, trading, and verification.
Backup all information: Create secure backups of all token information, wallet addresses, and important data.
Document wallet addresses: Record all relevant wallet addresses. Keep this information secure but accessible.
4 Liquidity Security
DEX Security
Use reputable DEXs: Only add liquidity to well-established DEXs like Raydium and Orca. Avoid unknown or new platforms. See our DEX comparison.
Verify DEX contracts: Before adding liquidity, verify you're interacting with the correct DEX contracts. Check contract addresses.
Check liquidity pool security: Research the DEX's security history. Avoid platforms with past security incidents.
Liquidity Management
Secure liquidity provider keys: If using LP tokens, secure them properly. Losing LP tokens means losing liquidity access.
Monitor liquidity pools: Regularly check your liquidity pools. Monitor for unusual activity or unexpected changes.
Plan for liquidity removal (if needed): If you need to remove liquidity, plan it carefully. Sudden removal can hurt your token's price.
5 Community Security
Social Media Security
Secure all accounts: Use strong, unique passwords for all social media accounts. Enable 2FA everywhere possible.
Enable 2FA: Two-factor authentication prevents unauthorized access. Use authenticator apps, not SMS.
Verify account authenticity: Use verified badges where possible. This helps prevent impersonation.
Monitor for impersonation: Regularly search for fake accounts using your name or branding. Report impersonators immediately.
Communication Security
Verify official channels: Always verify you're communicating through official channels. Scammers create fake groups and accounts.
Warn about scams: Regularly warn your community about common scams. Education is the best defense.
Monitor for phishing: Watch for phishing attempts targeting your community. Report and warn about suspicious links.
6 Ongoing Security
Regular Audits
Monthly security review: Conduct a full security review monthly. Use this checklist to ensure nothing is missed.
Authority status check: Regularly verify authority settings haven't changed. Unauthorized changes indicate a security breach.
Wallet security check: Review wallet security regularly. Update passwords, check for suspicious activity.
Monitoring
Monitor token transactions: Regularly check token transactions on block explorers. Watch for unusual activity.
Watch for suspicious activity: Large unexpected transactions, authority changes, or metadata updates could indicate issues.
Track wallet addresses: Monitor important wallet addresses. Set up alerts for large transactions if possible.
Common Security Mistakes to Avoid
Keeping Mint Authority
Keeping mint authority allows unlimited token creation, which destroys trust. Always revoke mint authority for fixed-supply tokens.
Not Revoking Freeze Authority
Freeze authority allows freezing token accounts. Unless needed for compliance, revoke it to show trust and decentralization.
Weak Wallet Security
Using software wallets for large amounts, storing seed phrases digitally, or sharing credentials leads to hacks. Use hardware wallets and secure storage.
Frequently Asked Questions
How do I verify my token is secure?
Verify your token is secure by: checking all authorities are correctly set (or revoked), verifying metadata on block explorer, confirming supply is correct, ensuring wallet security, and reviewing all security settings. Use this checklist to ensure nothing is missed.
What authorities should I revoke?
For maximum security, revoke mint authority (if fixed supply), freeze authority (unless needed for compliance), and update authority (if metadata is final). Keeping authorities allows manipulation, which reduces trust. See our authority revocation guide for details.
How often should I audit security?
Conduct a full security audit before launch, immediately after creation, and then monthly. Also audit after any major changes or if you suspect issues. Regular audits catch problems early and maintain security standards.
What are the biggest security risks?
The biggest risks are: keeping mint authority (allows unlimited token creation), weak wallet security (seed phrase exposure), phishing attacks, social media impersonation, and not revoking unnecessary authorities. Address these first.
How do I protect against rug pulls?
Protect against rug pulls by: revoking all unnecessary authorities, locking liquidity, using multi-sig wallets, being transparent about tokenomics, and building trust through consistent actions. See our security guide for comprehensive protection strategies.
Related Guides
Questions? Contact our team or learn more about us.
