TL;DR – The Short Version
- ✓ Keys are generated in YOUR browser – never on our servers
- ✓ We cannot see your keys – we don't receive them, store them, or have access to them
- ✓ Works offline – disconnect from internet after loading to prove it
- ✓ Open source – all code is auditable on GitHub
- ✓ Verifiable – use DevTools to confirm zero data transmission
01 Where Your Keys Are Generated
[Diagram: Your browser contains the main thread (UI / React) and parallel Web Workers W1 … Wn, each worker running Ed25519. Keys are generated here, using YOUR CPU cores, in YOUR browser's memory. The server side carries static files only (HTML, JS, CSS) and NO key data flows there: it delivers static files, cannot compute keys, and has no memory access and NO key access.]
✓ What happens in YOUR browser
- All JavaScript execution
- All cryptographic operations
- Random number generation
- Key pair creation
- Pattern matching
- File downloads
✗ What our server CANNOT do
- See your private keys
- Access your browser memory
- Execute code on your device
- Intercept generated keys
- Track your patterns
- Identify you personally
02 What We Store (Almost Nothing)
Community Statistics – The ONLY Data We Store
VanityMine displays community statistics (total attempts, addresses found). Here's exactly what gets stored:
// Our entire "database":
{
  "totalAttempts": 847293847,
  "totalFound": 12847
}
That's it. Two numbers. No user data, no keys, no patterns, no IP addresses, no cookies, no tracking. When you find an address, we receive ONE number: how many attempts it took. Nothing else.
✓ What IS stored
- totalAttempts (one integer)
- totalFound (one integer)
Stored anonymously in Upstash Redis
✗ What is NOT stored
- No private keys
- No public keys / addresses
- No patterns searched
- No IP addresses
- No timestamps
- No user identifiers
- No cookies
- No analytics
03 Cryptographic Security
| Component | Technology | Standard |
|---|---|---|
| Key Algorithm | Ed25519 | RFC 8032 |
| Key Generation | Native Web Crypto API | W3C Standard |
| Random Numbers | crypto.getRandomValues() | Hardware-backed CSPRNG |
| Entropy | 256 bits | Industry standard |
| Address Encoding | Base58 | Solana compatible |
Key Security Check
After generating a key, VanityMine performs real-time security analysis:
- Entropy verification – Confirms 256-bit entropy
- CSPRNG check – Verifies cryptographically secure RNG
- Chi-Square test – Statistical verification of randomness
- Distribution analysis – Ensures uniform byte distribution
04 Automated Security (CI/CD)
Every code change triggers automated security checks. All results are public and visible on GitHub.
Dependabot
Monitors all npm dependencies for known vulnerabilities. Automatically creates pull requests for security updates.
CodeQL
GitHub's semantic code analysis. Scans for security vulnerabilities, bugs, and code quality issues on every push.
npm audit
Runs in our CI pipeline to check for known CVEs (Common Vulnerabilities and Exposures) in all dependencies.
Codacy
Automated code quality and security analysis. Monitors code patterns, complexity, and potential vulnerabilities.
Lighthouse CI
Monitors performance, accessibility, and best practices. Ensures the site meets web standards.
Snyk
Real-time vulnerability monitoring for dependencies. Alerts on new security issues.
05 HTTP Security Headers
| Header | Value | Purpose |
|---|---|---|
| Content-Security-Policy | Strict | Prevents XSS, blocks external scripts |
| Strict-Transport-Security | max-age=31536000 | Forces HTTPS for 1 year (HSTS) |
| X-Frame-Options | DENY | Prevents clickjacking |
| X-Content-Type-Options | nosniff | Prevents MIME sniffing |
| Referrer-Policy | strict-origin | Limits referrer information |
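
Added example (not VanityMine's code): a small checker that compares a set of response headers against the values in the table above, so the claim can be re-tested after any deployment. The sample headers are constructed, and the reading of "Strict" for CSP is an assumption stated in the comments.

```javascript
// Expected values come from the table above. What "Strict" means for CSP
// (no wildcard, inline or eval script sources) is this example's assumption.
// Constructed sample response headers, with one deliberate mismatch.
const sampleHeaders = {
  "Content-Security-Policy": "default-src 'self'; script-src 'self'; object-src 'none'",
  "Strict-Transport-Security": "max-age=31536000; includeSubDomains",
  "X-Frame-Options": "DENY",
  "X-Content-Type-Options": "nosniff",
  "Referrer-Policy": "no-referrer-when-downgrade",
};

// Split a CSP value into { directive: [sources...] }.
function parseCsp(value) {
  const directives = {};
  for (const part of value.split(";")) {
    const [name, ...sources] = part.trim().split(/\s+/);
    if (name) directives[name.toLowerCase()] = sources.map((s) => s.toLowerCase());
  }
  return directives;
}

// Return a list of mismatches against the documented header values.
function checkHeaders(raw) {
  const h = {};
  for (const [k, v] of Object.entries(raw)) h[k.toLowerCase()] = String(v).trim();
  const problems = [];

  const csp = parseCsp(h["content-security-policy"] || "");
  const scriptSrc = csp["script-src"] || csp["default-src"]; // default-src is the fallback
  const weak = ["*", "'unsafe-inline'", "'unsafe-eval'", "http:", "https:", "data:"];
  if (!scriptSrc) problems.push("CSP: no script-src or default-src");
  else if (scriptSrc.some((s) => weak.includes(s)))
    problems.push("CSP: script sources include " + scriptSrc.filter((s) => weak.includes(s)).join(" "));

  const maxAge = /max-age=(\d+)/i.exec(h["strict-transport-security"] || "");
  if (!maxAge || Number(maxAge[1]) < 31536000) problems.push("HSTS: max-age below 31536000");
  if ((h["x-frame-options"] || "").toUpperCase() !== "DENY")
    problems.push("X-Frame-Options: not DENY");
  if ((h["x-content-type-options"] || "").toLowerCase() !== "nosniff")
    problems.push("X-Content-Type-Options: not nosniff");
  if ((h["referrer-policy"] || "").toLowerCase() !== "strict-origin")
    problems.push("Referrer-Policy: not strict-origin");
  return problems;
}
```

In a browser console, `Object.fromEntries((await fetch(location.href)).headers)` yields an object in this shape for the page you are on.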
06 How to Verify Yourself
Don't trust us – verify it yourself. Here are three methods to confirm that your keys never leave your browser:
1 Network Monitor
1. Open DevTools (F12)
2. Go to Network tab
3. Clear existing requests
4. Generate an address
5. Watch: Zero requests
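
Added example (not VanityMine's code): a repeatable form of the Network Monitor check that scans a HAR export from the Network tab for key-sized payloads in any request sent after generation began. The page states that one attempt count is sent when an address is found, so the audit lists every request instead of expecting none. The hostnames, the `/api/stats` body shape and the sample entries are constructed assumptions.

```javascript
// Constructed sample: a trimmed HAR export (Network tab > "Save all as HAR").
// Hostnames and the JSON body of /api/stats are assumptions for illustration;
// the Base58 string below is a made-up placeholder, not a real address.
const sampleHar = { log: { entries: [
  { startedDateTime: "2024-01-01T10:00:00.000Z",
    request: { method: "GET", url: "https://vanitymine.example/_next/static/app.js" } },
  { startedDateTime: "2024-01-01T10:05:30.000Z",
    request: { method: "POST", url: "https://vanitymine.example/api/stats",
               postData: { text: '{"attempts":184467}' } } },
  { startedDateTime: "2024-01-01T10:05:31.000Z",
    request: { method: "POST", url: "https://collector.example/t",
               postData: { text: '{"k":"Examp1eKeyExamp1eKeyExamp1eKeyExamp1eKey1234"}' } } },
] } };

// A Base58 run of 32+ characters is long enough to be a Solana address
// (32-44 chars) or a Base58-encoded 64-byte secret key (up to 88 chars).
const BASE58_RUN = /[1-9A-HJ-NP-Za-km-z]{32,}/;
// A JSON array of 32+ small integers, a common export format for secret keys.
const BYTE_ARRAY = /\[\s*\d{1,3}(\s*,\s*\d{1,3}){31,}\s*\]/;

// List every request started at or after generationStartIso and flag any
// whose URL or body carries something the size and alphabet of a key.
function auditHar(har, generationStartIso) {
  const since = Date.parse(generationStartIso);
  const findings = [];
  for (const entry of har.log.entries) {
    if (Date.parse(entry.startedDateTime) < since) continue; // initial page load
    const { method, url } = entry.request;
    const body = (entry.request.postData && entry.request.postData.text) || "";
    const haystack = url + " " + body;
    const suspicious = [];
    if (BASE58_RUN.test(haystack)) suspicious.push("base58 key-length string");
    if (BYTE_ARRAY.test(haystack)) suspicious.push("byte array of key length");
    findings.push({ method, url, bodyLength: body.length, suspicious });
  }
  return findings;
}
```

A flagged entry is a lead to inspect by hand, since long hashed asset names can also match the Base58 pattern.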
2 Offline Test
1. Load VanityMine
2. Go offline (airplane mode)
3. Generate an address
4. It works!
3 Code Review
1. Visit GitHub
2. Check vanity.worker.source.ts
3. Check api/stats/route.ts
4. Verify yourself
07 Open Source Transparency
08 External Security Audits
Our code is continuously monitored by independent third-party security services. Click any badge to view the full report.
- Snyk – Dependency Vulnerabilities (Monitored)
- Codacy – Code Quality Analysis (Monitored)
- Socket.dev – Supply Chain Security (Monitored)
- CodeQL – Static Code Analysis (Active)
- Dependabot – Auto Security Updates (Active)
- Mozilla Observatory – HTTP Security Headers (Check Score)
All security reports are public and independently verifiable.
Click any service above to view the full audit report.
09 Common Questions
Can you steal my keys?
No. We physically cannot access your keys because they never leave your browser. There is no code path that transmits key data to any server. You can verify this by auditing our source code or monitoring network traffic.
What if your servers get hacked?
Even if our servers were compromised, attackers could not access your keys. The server only delivers static files – it never receives or processes keys. Your keys exist only in your browser's memory.
Are vanity addresses less secure?
No. The cryptographic security is identical to random addresses. The private key is generated using the same secure methods. Only the resulting public key (address) is filtered for your pattern.
Why do you collect community stats?
It's fun to see how many addresses the community has generated together! We designed it to be minimally invasive: just two anonymous counters, no user identification whatsoever.
Should I use this for large amounts?
For significant amounts, we recommend additional precautions: generate keys while offline, verify the key works with a small test transaction first, and consider using a hardware wallet for long-term storage.
Still Have Questions?
Security is our top priority. If you have any concerns or want to report a vulnerability, we want to hear from you.