Security & transparency

• initialize - one-time bank setup at deploy. Locks the $TOKEN mint address.
• initialize_collection - one-time creation of the Metaplex Certified Collection NFT.
• wrap_poke - moves 1,000,000 $wPOKE from the caller into a vault PDA, mints them a fresh NFT, verifies the NFT into the collection. Caller is the only signer.
• unwrap_poke - burns the caller's poke NFT and returns 1,000,000 $wPOKE from the vault to the caller. The caller must hold the NFT in their ATA. Permissionless - anyone holding a poke can unwrap it.

The program holds no custody outside the per-NFT vault PDAs. Each vault's authority is derived from its NFT's mint address, so the locked tokens follow the NFT through every transfer (Magic Eden, Tensor, direct send). Every wrap/unwrap is initiated by the user and signed in their own wallet.

• 1,000,000,000 $wPOKE total supply (pump.fun-immutable)
• Exactly 1,000,000 $wPOKE locked per wrap
• Maximum 1,000 NFTs in circulation at any time
• NFT mint authority retired by Metaplex master edition (1-of-1)
• Vault authority is a PDA derived from the NFT mint

scripts/audit_chain.sh (reproducible from any RPC).

1. in_circulation == total_wrapped - total_unwrapped
2. live PokeAsset count == in_circulation
3. Σ vault.amount == in_circulation × 1,000,000 $wPOKE
4. Each live NFT mint has supply == 1
5. (next_tier - 1) - len(free_tiers) == in_circulation
6. All free_tier values fall in [1, 1,000]
7. collection_mint is set (Metaplex Certified Collection live)

• Reads on-chain state via Solana RPC (Helius)
• Builds wrap_poke / unwrap_poke instructions in the browser
• Asks your wallet to sign - every action is your signature
• Does not request any token approval, account delegation, or sign-and-broadcast permission. Each wrap and unwrap is its own one-shot transaction.
• Does not collect emails, store cookies, or run analytics scripts.