Security
Flip's defensible primitive is the deterministic, non-subvertible execution boundary between the AI and the wallet.
The trust model
- The model proposes intent. It cannot widen what actually gets signed.
- Calldata is built by audited encoders. EVM via LiFi (battle-tested across millions of swaps and bridges); Solana via Jupiter's official aggregator and Flip-owned protocol adapters.
- Asset resolution is fail-closed. A bare unverified token symbol is REFUSED rather than guessed (Solana symbol collisions = fund-loss footgun). Pasted mints are looked up directly and accepted only if the aggregator returns valid decimals.
- Every step is pre-sign simulated. The unsigned transaction is run against on-chain state before the user is asked to sign. Slippage tolerance violations, insufficient balances, route failures all surface BEFORE the signature, not after.
- Idempotent platform-fee account creation. On Solana, the platform-fee account for any output token is created in the same transaction it's used, so Jupiter's fee-account-must-exist requirement is satisfied without losing trades to it.
What Flip is NOT
- Flip is not a custodian. Your keys stay in your wallet. Flip never holds funds.
- Flip is not a router. It composes intent into calldata that goes to LiFi, Jupiter, and protocol-native interfaces. Those are the routers.
- Flip is not a prompt-enforced sandbox. Safety is real deterministic gates (audited encoders, fail-closed resolution, simulation), not "the system prompt told the AI to be safe." Prompt enforcement is a sieve; functional guards are a wall.
Audits
External audits will be scheduled before any broad v1 distribution push. Until then the security claims here are backed by the implementation: audited encoders for EVM and Solana calldata, fail-closed token resolution, and the pre-sign simulateVersionedTx gate that runs every unsigned transaction against on-chain state before the user is asked to sign.