Security
Non-Custodial Design
MORE never holds your funds. Here's how:
- Your keys, your crypto: Your savings wallet is secured by Turnkey and accessible only via your authentication. We don't have your private keys.
- Limited permissions: When you import a wallet, we can only sign transactions to the Morpho vault contract. This is enforced by Turnkey's policy system.
- Atomic transactions: Deposits go directly from your wallet to Morpho in one transaction. Funds never sit with us.
- Telegram-safe key management: Private keys are never sent through Telegram chat. Import and export happen in the Telegram Mini App through Turnkey's secure iframe.
What We Can't Do
| Action | Possible? |
|---|---|
| Access your private keys | No |
| Move funds to any address | No |
| Prevent you from withdrawing | No |
| Deposit to Morpho vault | Yes (only this) |
| Read chats outside the MORE bot | No |
Security Layers
- Turnkey: Institutional-grade wallet infrastructure with hardware-backed key storage
- Policy enforcement: Transactions restricted to the vault contract only
- Smart contract: Immutable; uses OpenZeppelin libraries and reentrancy protection
- Morpho vault: Multiple audits, $1B+ TVL, non-custodial
- Telegram verification: Telegram auth data and one-time link tokens protect account linking
Telegram Security
- Bot-to-app calls use an internal API secret
- Web login tokens are short-lived and one-time use
- Account link tokens are short-lived and one-time use
- A Telegram account can only link to one MORE account
- A MORE account can only link to one Telegram account
- Private keys stay inside Turnkey's secure flow
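
The token and linking rules in this list, shown as an added example that is not MORE's own code: link tokens are random, stored only as hashes, expire, are consumed on first presentation, and the link is refused unless both sides are still unlinked. The names `LinkService`, `LinkError`, the in-memory storage and the 300-second lifetime are assumptions, and `telegram_id` is assumed to come from already verified Telegram auth data.

```python
import hashlib
import secrets
import time

TOKEN_TTL_SECONDS = 300  # assumed lifetime; the page only says "short-lived"


class LinkError(Exception):
    """Raised when a link token or the requested link is rejected."""


class LinkService:
    """Hypothetical in-memory account-link service (a real one needs a database)."""

    def __init__(self, clock=time.time):
        self._clock = clock      # injectable so expiry can be tested
        self._tokens = {}        # sha256(token) -> (more_account_id, expires_at)
        self._tg_to_more = {}    # telegram_id -> more_account_id
        self._more_to_tg = {}    # more_account_id -> telegram_id

    @staticmethod
    def _digest(token):
        # Only the hash is stored, so a leaked token table cannot be replayed.
        return hashlib.sha256(token.encode()).hexdigest()

    def issue(self, more_account_id):
        token = secrets.token_urlsafe(32)  # 256 bits from the OS CSPRNG
        expires_at = self._clock() + TOKEN_TTL_SECONDS
        self._tokens[self._digest(token)] = (more_account_id, expires_at)
        return token

    def redeem(self, token, telegram_id):
        # pop() consumes the token before any other check, so a second
        # presentation fails even when the first attempt was rejected.
        record = self._tokens.pop(self._digest(token), None)
        if record is None:
            raise LinkError("unknown or already used token")
        more_account_id, expires_at = record
        if self._clock() > expires_at:
            raise LinkError("token expired")
        # Enforce the one-to-one rule in both directions.
        if telegram_id in self._tg_to_more:
            raise LinkError("Telegram account already linked")
        if more_account_id in self._more_to_tg:
            raise LinkError("MORE account already linked")
        self._tg_to_more[telegram_id] = more_account_id
        self._more_to_tg[more_account_id] = telegram_id
        return more_account_id
```

In a database-backed version, the consume step and the two uniqueness checks belong in one transaction with unique constraints on both columns, so concurrent redemptions cannot both succeed.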
Risks
All DeFi carries risk. Theoretical risks include smart contract bugs, third-party compromise (Turnkey, Morpho), and market conditions (USDC depeg). We use battle-tested libraries and audited protocols to minimize these.
Emergency Response
We can pause the system and rescue stuck tokens if needed. We communicate on X.