Security

Last Updated: November 12, 2025

At LetterFi, security is our top priority. This page outlines our security measures, smart contract practices, and important safety guidelines for users.


1. Platform Security Overview

LetterFi is built on Binance Smart Chain (BSC) using battle-tested smart contract standards and security best practices. Our protocol implements multiple layers of security to protect users and their assets.

Our Security Principles:

  • Transparency through open-source code verification on BSCScan
  • Provably fair randomness using Chainlink VRF
  • Immutable smart contracts with tested logic
  • Minimal off-chain dependencies
  • Defense-in-depth approach

2. Smart Contract Security

2.1 Contract Architecture

LetterFi operates through multiple interconnected smart contracts:

Core Contracts:

  • NFT_Core - Letter NFT minting and ownership
  • DailyDraw - Daily community reward distributions
  • MegaJackpot - Progressive mega reward pool
  • BurnQuest - Word NFT crafting mechanics
  • WordCraft - Hero NFT creation system

Security Features:

  • Modular design limiting attack surface
  • Role-based access controls
  • Emergency pause functionality (if applicable)
  • Reentrancy protection
  • Integer overflow/underflow protection (Solidity 0.8+)

2.2 Randomness and Fairness

Chainlink VRF Integration:

  • All reward distributions use Chainlink VRF (Verifiable Random Function)
  • Cryptographically secure and verifiable randomness
  • On-chain proof of fairness
  • No possibility of manipulation by LetterFi team or third parties

Why Chainlink VRF:

  • Industry-standard oracle solution
  • Tamper-proof and transparent
  • Verifiable on BSCScan
  • Used by major DeFi protocols

Gas Optimization:

  • Winner selection algorithms optimized for 1000+ participants
  • Rejection sampling for efficient random selection
  • Low-level staticcall functions for gas efficiency (~50k gas vs 200k+)
  • Stateless design for scalability
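The rejection-sampling step above is easiest to see in code. The following Python is an added illustration, not LetterFi's contract code: it picks distinct winners from a single VRF random word without the modulo bias that a plain `word % n` would introduce, and deriving further candidates by hashing the word with a counter is an assumption standing in for the usual on-chain keccak256 pattern.

```python
import hashlib

WORD_BITS = 256
WORD_SPACE = 1 << WORD_BITS   # a VRF word is a uniform 256-bit integer


def derive_candidates(random_word: int):
    """Yield an unbounded stream of 256-bit candidates from one VRF word.
    Constructed here as SHA-256 over (word || counter); a contract would
    typically use keccak256 the same way. Assumption, not LetterFi's code."""
    counter = 0
    while True:
        data = random_word.to_bytes(32, "big") + counter.to_bytes(32, "big")
        yield int.from_bytes(hashlib.sha256(data).digest(), "big")
        counter += 1


def unbiased_index(candidates, n: int):
    """Map a candidate to 0..n-1 by rejection sampling.

    2^256 is not a multiple of n, so the last partial bucket of values would
    make low indices slightly more likely under plain modulo. Candidates in
    that bucket (>= limit) are discarded and the next one is tried.
    Returns (index, number_of_rejections)."""
    limit = WORD_SPACE - (WORD_SPACE % n)   # largest multiple of n <= 2^256
    rejections = 0
    for value in candidates:
        if value < limit:
            return value % n, rejections
        rejections += 1


def select_winners(random_word: int, n_participants: int, n_winners: int):
    """Pick n_winners distinct participant indices from one VRF word.

    Deterministic given the word, so anyone holding the published VRF
    output can recompute the draw and audit the published winners."""
    if n_winners > n_participants:
        raise ValueError("cannot pick more winners than participants")
    candidates = derive_candidates(random_word)
    winners = []
    while len(winners) < n_winners:
        idx, _ = unbiased_index(candidates, n_participants)
        if idx not in winners:          # duplicate: draw again
            winners.append(idx)
    return winners


if __name__ == "__main__":
    # Constructed sample VRF word, not a real Chainlink output.
    print(select_winners(0xC0FFEE, 1000, 3))
```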

2.3 Smart Contract Audits

Current Status:

  • Contracts deployed on BSC mainnet
  • Code verification on BSCScan (publicly viewable)
  • Internal security reviews completed
  • Testing on BSC testnet prior to mainnet deployment

Future Security Measures:

  • Professional third-party audit planned
  • Bug bounty program under consideration
  • Continuous monitoring and upgrades (if contracts are upgradeable)

Verified Contracts:

All LetterFi smart contracts are verified on BSCScan, allowing anyone to review the code:

  • Visit BSCScan.com
  • Search for LetterFi contract addresses
  • Review verified source code and transaction history

2.4 Known Limitations and Risks

Smart Contract Risks:

  • Despite our best efforts, smart contracts may contain undiscovered vulnerabilities
  • Smart contracts are immutable once deployed (unless specifically designed as upgradeable)
  • Bugs or exploits could result in loss of funds or NFTs
  • Blockchain transactions are irreversible

Network Dependencies:

  • BSC network availability and performance
  • Chainlink VRF oracle reliability
  • IPFS gateway availability for metadata
  • Gas price volatility affecting transaction costs

3. User Security Best Practices

3.1 Wallet Security

Protecting Your Private Keys:

CRITICAL: Whoever holds your private keys controls your assets. Never share them with anyone.

Do's:

  • Store seed phrases offline in a secure location (paper, metal backup)
  • Use hardware wallets (Ledger, Trezor) for large holdings
  • Enable two-factor authentication on wallet apps when available
  • Use strong, unique passwords for wallet applications
  • Keep your devices and wallet software updated
  • Use separate wallets for different purposes (trading, long-term storage)
  • Verify URLs before connecting your wallet (letterfi.xyz only)

Don'ts:

  • Never share your seed phrase or private key
  • Never enter your seed phrase on websites or in apps
  • Never screenshot or digitally store seed phrases
  • Never share wallet access with anyone claiming to be "support"
  • Never connect your wallet to suspicious or unverified websites
  • Never use public WiFi for crypto transactions without VPN

3.2 Transaction Safety

Before Signing Transactions:

Always verify:

  • Contract address matches official LetterFi contracts
  • Transaction details (amount, recipient, function)
  • Gas fees are reasonable
  • You're on the correct network (BSC mainnet)

Red Flags:

  • Unexpected wallet connection requests
  • Transactions requesting unlimited token approvals
  • Urgent messages pressuring immediate action
  • Transactions to unknown contract addresses
  • Suspiciously high gas fees
  • Requests to "validate" or "sync" your wallet

Safe Practices:

  • Start with small test transactions
  • Double-check recipient addresses
  • Verify contract interactions on BSCScan
  • Use simulation tools to preview transaction outcomes
  • Keep transaction history for records

3.3 Phishing Protection

Common Phishing Tactics:

Fake Websites:

  • Scammers create fake LetterFi websites with similar URLs
  • Always verify you're on the official letterfi.xyz domain
  • Bookmark the official website
  • Check for HTTPS/SSL certificate

Social Media Scams:

  • Fake LetterFi social media accounts
  • Fake "support" team members in Discord/Telegram
  • Fake giveaways requiring you to "connect" your wallet
  • Direct messages offering help (we never DM first)

Email Phishing:

  • Fake emails pretending to be from LetterFi
  • Links to fake websites
  • Requests for private keys or seed phrases
  • Urgent security warnings with suspicious links

Protection Measures:

  • Only trust official channels (linked from letterfi.xyz)
  • Verify social media accounts have verification badges
  • Never click links in unsolicited messages
  • LetterFi support will NEVER ask for private keys
  • LetterFi support will NEVER DM you first
  • Be skeptical of "too good to be true" offers

3.4 Official Communication Channels

Verified LetterFi Channels:

Security Verification:

  • All official links are listed on letterfi.xyz
  • Check for verification badges on social media
  • Contract addresses are published on docs.letterfi.xyz
  • Announcements only come from verified channels

4. Platform Infrastructure Security

4.1 Website Security

Technical Measures:

  • HTTPS/SSL encryption for all communications
  • Content Security Policy (CSP) headers
  • DDoS protection via Cloudflare or similar
  • Regular security updates and patches
  • Secure hosting infrastructure

Code Security:

  • Frontend code auditing
  • Dependency vulnerability scanning
  • Regular security updates
  • No storage of sensitive data in frontend

4.2 API and Backend Security

If applicable:

  • Rate limiting to prevent abuse
  • API authentication and authorization
  • Input validation and sanitization
  • SQL injection prevention
  • XSS protection
  • CSRF protection

4.3 Data Protection

Minimal Data Collection:

  • We don't store private keys or seed phrases
  • Wallet addresses only (publicly available on blockchain)
  • Minimal off-chain data
  • No sensitive personal information

Encryption:

  • All data transmission encrypted via HTTPS
  • Database encryption at rest (if applicable)
  • Secure backup procedures

5. Smart Contract Interaction Safety

5.1 Approved Contract Addresses

Official LetterFi Contracts on BSC Mainnet:

Always verify contract addresses on docs.letterfi.xyz before interacting.

Verification Steps:

  1. Go to docs.letterfi.xyz/contracts
  2. Copy official contract address
  3. Verify on BSCScan
  4. Compare with wallet transaction request
  5. Only sign if addresses match exactly

5.2 Token Approvals

Understanding Approvals:

When you interact with LetterFi contracts, you may need to approve:

  • NFT transfers (ERC-721 setApprovalForAll)
  • Token spending (ERC-20 approve)

Best Practices:

  • Only approve trusted, verified contracts
  • Regularly review and revoke unnecessary approvals
  • Use tools like BSCScan's token approval checker
  • Minimize approval amounts when possible

Revoking Approvals:

Use services like revoke.cash or BSCScan to check and revoke token approvals.

5.3 Gas Fee Safety

Normal Gas Ranges:

  • NFT Minting: ~100,000-200,000 gas
  • NFT Transfer: ~50,000-100,000 gas
  • Reward Claims: ~80,000-150,000 gas
  • Word Crafting: ~150,000-250,000 gas

Red Flags:

  • Extremely high gas estimates (>500,000 gas for simple operations)
  • Unexpected "Out of Gas" errors
  • Gas prices 10x+ normal network rates

What to Do:

  • Check BSCScan gas tracker for current rates
  • Compare with normal transaction costs
  • Wait for lower network congestion
  • Cancel suspicious transactions

6. NFT Security

6.1 NFT Storage

Metadata Storage:

  • NFT metadata stored on IPFS (decentralized storage)
  • Permanent and immutable once published
  • Accessible via multiple IPFS gateways
  • No single point of failure

Ownership Records:

  • NFT ownership recorded on BSC blockchain
  • Immutable and tamper-proof
  • Verifiable by anyone via BSCScan
  • No centralized database to hack

6.2 NFT Transfer Safety

Before Transferring NFTs:

  • Verify recipient address (double-check every character)
  • Confirm you're using the correct network (BSC)
  • Start with a test transaction if transferring multiple NFTs
  • Understand that transfers are irreversible

Common Mistakes:

  • Sending to wrong address
  • Sending to contract addresses (may lock NFTs)
  • Sending to wrong blockchain (cross-chain errors)
  • Fat-finger errors in address entry

6.3 Marketplace Safety

When Trading on Secondary Markets:

Trusted Marketplaces:

  • OpenSea (verify correct chain and collection)
  • PancakeSwap NFT Marketplace
  • Other reputable BSC NFT marketplaces

Safety Checks:

  • Verify collection contract address
  • Check floor price on multiple platforms
  • Be wary of offers that seem too good to be true
  • Review trader history and reputation
  • Use escrow services when available

Red Flags:

  • Fake NFT collections with similar names
  • Suspiciously low prices
  • Marketplace sites you've never heard of
  • Direct wallet-to-wallet trades with strangers

7. Common Scams and How to Avoid Them

7.1 Types of Scams

1. Impersonation Scams

  • Fake LetterFi team members in Discord/Telegram
  • Fake support offering to "help" via DM
  • Fake social media accounts

How to Avoid:

  • Never trust unsolicited DMs
  • Verify team members in official channels only
  • LetterFi support will NEVER ask for private keys

2. Fake Airdrops

  • Scam websites offering "free" NFTs
  • Requiring wallet connection or approvals
  • Draining wallets after approval

How to Avoid:

  • Only trust announcements from official channels
  • Be skeptical of "free money" offers
  • Never connect wallet to unknown sites

8. Contact Us

For security-related questions or to report security issues, please contact us:

Important: If you discover a security vulnerability, please report it responsibly. Do not publicly disclose vulnerabilities until they have been addressed.