> ## Documentation Index
> Fetch the complete documentation index at: https://docs.hoodstar.fun/llms.txt
> Use this file to discover all available pages before exploring further.

# Security & Trust Model

> What the hoodstar.fun contracts can and cannot do — the trust model, admin surface, and audit status.

hoodstar.fun's security model is built on **absence of power**: the safest admin function is the one that doesn't exist. This page describes exactly what is and isn't possible.

## The token contract

Every launched token is a minimal ERC-20 (plus EIP-2612 permit) with the entire attack surface removed:

* **No owner.** The token has no admin at all after deployment.
* **No mint.** Supply is minted once (1B) and can never increase.
* **No pause, no blacklist, no transfer fees.** Transfers always work, for everyone, at face value.
* **Immutable metadata.** The metadata URI is set at launch and can never change.

## The launchpad contract

The launchpad holds curve funds and enforces the lifecycle. Its owner (the protocol) has exactly **three** powers:

| Power                       | Bound                                    |
| --------------------------- | ---------------------------------------- |
| Adjust trade fees           | Hard-capped at 5% total, in the contract |
| Change the treasury address | Only affects where protocol fees go      |
| Set the FeeLocker address   | One-time, at deployment                  |

That's the complete list. There is **no** function to withdraw curve ETH, pause trading, seize tokens, block graduation, or upgrade the contract logic.

## Locked liquidity

At graduation, the Uniswap v3 LP position is minted directly into the **FeeLocker** — a vault that is:

* **Immutable** — no upgrade path.
* **Ownerless** — no admin functions.
* **Withdrawal-free** — the code contains no function that can move the LP position out. Only swap *fees* can be collected, and those are split 50/50 creator/treasury by immutable configuration.

Locked means locked: the liquidity is provably unreachable by anyone, forever.

## Solvency invariants

* The curve's rounding always favors the pool: the constant product `k` can never decrease.
* The contract always holds enough real ETH to buy back every token sold on the curve (`realEth = virtualEth − virtualEth₀`).
* These invariants are covered by fuzz tests and fork tests against the live Uniswap deployment.

## Audit status

The contracts have undergone internal security review (including a fixed high-severity finding around pool-initialization griefing at migration, now mitigated with a bounded corrective swap). An independent third-party audit is planned; this page will link the report when published.

<Warning>
  Smart contract risk can never be zero, and locked liquidity does not protect you from a token's price going to zero. A creator can still buy early and sell on holders — those trades are public on-chain, so check the creator's activity before buying. See the [Risk Disclosure](/legal/risk-disclosure).
</Warning>

## Responsible disclosure

Found a vulnerability? Contact the team privately at **[contact@hoodstar.io](mailto:contact@hoodstar.io)** or via ticket in our [Discord](https://discord.gg/q8VwC8ZGp) — please don't disclose publicly before we've had a chance to respond.
