🛡️ Security Model

Plain-English breakdown of how drippyrewards.com handles wallet connections. You cannot be drained by signing in. Here's exactly why.

What we ASK your wallet to do

Action	We do this?	Why / Why not
Sign a message (proof of ownership)	YES	Proves you own the wallet. Cannot move funds. The wallet displays the exact text — read it.
Sign a transaction (move SOL or tokens)	ONLY for skin purchases	The one and only time we ask is when you explicitly click Buy skin for X SOL. The transaction is preview-shown to you BEFORE the wallet popup. Never automatic, never hidden.
Approve token spending (DeFi-style approve)	NEVER	This is the classic drain vector on other chains. We never request token approvals. There's nothing for us to "approve" on your behalf.
Send SOL silently in the background	IMPOSSIBLE	Solana wallets show every transaction to you for explicit approval. There is no way for a website to move funds without your click + your private key signing.
See your seed phrase / private key	IMPOSSIBLE	Your seed phrase never leaves your wallet. We have no API access to it. If anyone — including us — asks for your seed phrase, they're scamming you.

The signed message we ask for

When you click CONNECT WALLET, your wallet pops up showing a message like:

That's the entire payload. The :: number is a millisecond timestamp so the same signature can't be replayed later. Your wallet displays this verbatim — Phantom, Solflare, Backpack, Glow all do this. If you ever see a wallet popup showing a TRANSACTION (with "Send 0.1 SOL to X…") when you expected just a sign-in, cancel immediately.

How we verify signatures (server-side)

When your wallet signs the message, we verify it on our server using the standard ed25519 algorithm. The library we use is tweetnacl — the same audited cryptography library used by Solana itself.

Signature must be valid for the claimed public key (nacl.sign.detached.verify)
Message must include the wallet's first 8 characters (anti-substitution)
Timestamp must be within a 10-minute window (anti-replay)
Successful verification sets an HTTP-only, Secure, SameSite=Lax cookie signed with HMAC-SHA256 — your browser holds it but JavaScript can't read it (XSS protection)
Sessions expire after 7 days; you can sign out anytime to revoke immediately

Multi-wallet linking — same security

Linking a second/third/Nth wallet to your account works the same way: that wallet signs a message ("Link wallet B to primary A"), we verify the signature. No transactions, no fund movement. A wallet can only be linked to ONE account at a time so claim conflicts are impossible.

Skin purchases (when we ship them)

Buying a skin for SOL is the only time we'll ever ask your wallet to sign a real transaction. Here's exactly what happens:

You click BUY SHADOW – 0.20 SOL
The site shows you a confirmation: "You will send 0.20 SOL to [vault address]. This is the only transaction we'll request."
You click Continue
Your wallet pops up showing the transaction — destination address, amount, fee. Verify the destination matches what the site displayed.
You approve in your wallet
The site shows the on-chain transaction signature so you can verify on Solscan
Server verifies the tx on-chain (correct destination, correct amount, fresh, not previously redeemed) and unlocks the skin permanently for your wallet

The destination wallet for skin purchases is a Squads multi-signature vault — meaning multiple signers must approve before any funds can be moved out. Even our own team can't unilaterally withdraw your purchase.

HTTP security headers (browser-level protections)

The site sends these headers with every response:

Strict-Transport-Security — forces HTTPS, prevents downgrade attacks
X-Frame-Options: DENY — site cannot be embedded in iframes (clickjacking protection)
X-Content-Type-Options: nosniff — browser won't mis-interpret file types
Content-Security-Policy — only scripts from drippyrewards.com + fonts + Jupiter swap plugin can run
Referrer-Policy — limits what info we leak when you click external links
Permissions-Policy — disables camera, microphone, geolocation, USB, payment APIs

You can verify these yourself with curl -I https://drippyrewards.com/.

What we store

Your public wallet address (used for tier lookups)
Your optional username
Your linked wallets (after each signs a proof message)
Your chosen skin
Game scores you submit

We do not store private keys, seed phrases, or any data that could move your funds. We physically cannot — Solana wallets don't expose that information to websites.

Rate limiting & abuse protection

5 sign-in attempts per IP per minute, 10 per wallet per 5 minutes
One leaderboard submission per wallet per 20 seconds
Server-side validation on every request — we never trust client claims
Admin actions require a separate secret key (not your wallet)

Stuff to watch out for (general crypto safety)

Never share your seed phrase. No legitimate site, including ours, will ever ask for it.
Double-check the URL. Real site is drippyrewards.com. Bookmark it. Phishers buy lookalike domains (drippyreward.com, drippy-rewards.com).
Read what your wallet is showing. If a popup says "Send 1 SOL to unknown address" when you expected a sign-in, cancel.
Use a hardware wallet (Ledger via Phantom/Solflare) for large holdings. Hot wallets are fine for game play.
Use a separate wallet for game / dApp interactions from your cold storage. Our multi-wallet linking is built for this — link your cold wallet for tier credit, play with a side wallet.

Found a security issue?

Please report responsibly through our official channel before disclosing publicly. DM @DrippyRewards on X with the details. We aim to respond within 24 hours.

When reporting, please include: a clear description of the issue, steps to reproduce, the affected URL/endpoint, and (if applicable) a proof-of-concept. Do not share live exploit details publicly until we've had a chance to patch.

Last reviewed: 2026-06-11 · v2