Security
Built for institutional-grade trust.
Veltro is payment infrastructure. We take security as seriously as Stripe or Circle, adapted to the needs of Web3 SMBs: audited smart contracts, native OFAC compliance, a zero-custody architecture, and transparent on-chain operations.
Architecture guarantees
Zero server-side signing
Veltro's backend never imports or stores any private key that controls user funds. The only keys used for transactions are in users' own wallets.
No custody — ever
Every Veltro contract routes funds payer → destination + fee wallet in the same transaction. The contract holds zero balance between calls.
Open source contracts
All four smart contracts are open source and verified on Basescan. You can read the exact code that executes your transactions before signing.
Permissionless renewals
Recurring subscriptions are pulled by anyone calling pullPayment(). The contract enforces the schedule and allowance; no Veltro-controlled key can drain a subscriber.
Deployed contracts (Base mainnet)
VeltroPaymentRouter
Basescan: 0x9eb6aD9537037493Bca33acE969011e84FFB9514
Routes single payments, 0.5% fee
VeltroSubscriptionHub
Basescan: 0x4CaF13e938D92Bc273aC57ffb1dA0b569d192CBf
Recurring USDC pulls, 1% fee per pull
VeltroDonationJar
Basescan: 0xdA28C87e066a5dC8E66Cb5BA0dfD085c5AcdE7Ca
Public donation pages, 0.5% fee
Audits & testing
| Tool | Status | Result |
|---|---|---|
| Slither | Runs on every commit (CI) | 0 high/critical findings on v0.1 |
| Mythril | Runs on every release candidate | 0 high/critical findings on v0.1 |
| Foundry Forge | 75 tests, 128k fuzzing calls | 100% branch coverage |
| Third-party audit | Scheduled — pre mainnet scale-up | Pending |
Bug bounty
We pay for valid smart contract vulnerabilities. Severity-based bounties from $500 to $50,000 USDC. Responsible disclosure required.
security@veltro.online