Universal Crypto MCP

DEFI_TRADING_AUDIT.md•27.5 KiB

# 🔍 AUDIT REPORT: DeFi, Trading & Market Data Packages **Audit Agent 2 - Comprehensive Security & Architecture Review** **Repository:** universal-crypto-mcp **Audit Date:** January 30, 2026 **Auditor:** Agent 2 (DeFi/Trading Specialist) **Scope:** `/packages/defi/`, `/packages/trading/`, `/packages/market-data/`, `/memecoin-trading-bot/` --- ## Section 1: Executive Summary ### Overview The universal-crypto-mcp repository contains a comprehensive suite of DeFi, trading, and market data packages that provide MCP (Model Context Protocol) server integrations for cryptocurrency trading and protocol interactions. The system supports multiple blockchains (Ethereum, BSC, Solana) and integrates with major DeFi protocols (Aave, Compound, Uniswap, Curve, Yearn) and centralized exchanges (Binance). ### Supported Protocols and Exchanges - **DeFi Protocols:** Aave V3, Compound V3, Uniswap V3, Curve, GMX V2, Lido, Yearn, PancakeSwap, Raydium, Jupiter - **Exchanges:** Binance, Bybit (referenced) - **Chains:** Ethereum Mainnet, BSC, Solana, Arbitrum (L2 support) - **Data Providers:** CoinGecko, DexScreener, Birdeye, Dune Analytics, DefiLlama ### Critical Security Findings | Severity | Count | Summary | |----------|-------|---------| | 🔴 **Critical** | 3 | Private key handling in config, hardcoded slippage, missing input validation | | 🟠 **High** | 5 | No rate limiting, hardcoded RPC URLs, missing nonce management, race conditions | | 🟡 **Medium** | 8 | Incomplete error handling, mock data in production code, missing retry logic | | 🔵 **Low** | 6 | Code style, documentation gaps, missing type annotations | ### Overall Risk Assessment **🟠 MEDIUM-HIGH RISK** The codebase demonstrates solid architectural patterns and includes important safety features like transaction simulation and slippage protection. However, several critical security gaps exist, particularly around private key management, input validation, and race conditions in trading logic. These issues **MUST** be addressed before any production deployment involving real funds. --- ## Section 2: DeFi Package Architecture ### Protocol Integration Patterns The DeFi package (`/packages/defi/`) uses a **unified adapter pattern** that aggregates multiple protocol-specific MCP servers: ```typescript // packages/defi/unified-adapter.ts export class UnifiedDeFi { registerAll() { registerDeFiRatesTools(this.server); // Aave, Compound, Morpho registerBNBChainTools(this.server); // BSC, opBNB, Greenfield this.registerUnifiedTools(); // Dashboard aggregation } } ``` **Architecture Strengths:** - Clean separation between protocol-specific logic and unified interface - Consistent tool registration pattern using McpServer SDK - Good use of TypeScript interfaces for type safety ### Supported DeFi Protocols | Protocol | Path | Features | |----------|------|----------| | **Aave V3** | `protocols/aave-mcp/` | User positions, health factors, reserve data, liquidation monitoring | | **Compound V3** | `protocols/compound-v3-mcp/` | Supply/borrow rates, market data | | **Uniswap V3** | `protocols/uniswap-v3-mcp/` | Pool analytics, swap quotes, position management | | **Curve** | `protocols/curve-mcp/` | Pool data, LP analytics | | **GMX V2** | `protocols/gmx-v2-mcp/` | Perpetual trading data | | **Lido** | `protocols/lido-mcp/` | Staking information | | **Yearn** | `protocols/yearn-mcp/` | Vault strategies, yields | ### Smart Contract Interaction Patterns The Aave integration demonstrates the contract interaction pattern: ```typescript // protocols/aave-mcp/src/tools/index.ts const pool = new ethers.Contract(AAVE_V3_POOL, poolAbi, provider) const accountData = await pool.getUserAccountData(params.userAddress) ``` **Observations:** - ✅ Uses ethers.js v6 with proper ABI encoding - ✅ Read-only operations use view functions - ⚠️ Hardcoded contract addresses (should be configurable per network) - ⚠️ No contract address validation before calls ### Gas Estimation Strategies **Current Implementation:** Limited gas estimation is present. The memecoin bot uses: - Fixed `gasLimit: 500000` for PancakeSwap trades - `dynamicComputeUnitLimit: true` for Solana/Jupiter swaps **Gap:** No dynamic gas price estimation based on network congestion. ### Slippage Protection Mechanisms Slippage is handled via configuration: - Default 5% max slippage (`config.maxSlippage`) - Jupiter uses `slippageBps` parameter (basis points) - PancakeSwap uses `minAmountOut` calculations **Security Concern:** Static slippage values may be insufficient during high volatility. No adaptive slippage based on pool liquidity or market conditions. ### MEV Protection Considerations The MEV Bot MCP (`/packages/defi/bots/mev-bot-mcp/`) provides: - Arbitrage opportunity detection - Sandwich attack monitoring - Mempool scanning capabilities **Gap:** No MEV protection for user transactions (e.g., Flashbots integration, private mempools). --- ## Section 3: Trading Package Analysis ### Order Types Supported | Order Type | Binance | Jupiter/Raydium | PancakeSwap | |------------|---------|-----------------|-------------| | Market | ✅ | ✅ | ✅ | | Limit | ✅ | ❌ | ❌ | | Stop-Loss | ✅ | ❌ (simulated) | ❌ (simulated) | | Take-Profit | ✅ | ❌ (simulated) | ❌ (simulated) | | Trailing Stop | ❌ | ❌ (simulated) | ❌ (simulated) | Note: DEX integrations simulate stop-loss/take-profit via position monitoring rather than on-chain orders. ### Exchange Integrations **Binance MCP** (`/packages/trading/binance-mcp/src/index.ts`): - Full spot trading support - HMAC-SHA256 signature implementation - Public and authenticated endpoints - Response caching (5 second TTL) ```typescript private sign(queryString: string): string { return crypto.createHmac("sha256", this.apiSecret) .update(queryString) .digest("hex"); } ``` **Security Issue:** API secrets are stored in memory without encryption. ### Order Execution Flow 1. **Quote Request** → Get price from exchange/DEX 2. **Risk Check** → Validate position limits, daily loss limits 3. **Simulation** → Test transaction (Solana only) 4. **Execution** → Submit transaction/order 5. **Confirmation** → Wait for block confirmation 6. **Recording** → Save trade to database ### Position Management The trading packages implement: - Position tracking with entry price, current price, P&L - Stop-loss and take-profit triggers - Trailing stop implementation with highest price tracking - Daily loss circuit breaker ### Risk Management Features ```typescript // memecoin-trading-bot/src/risk/manager.ts assessTradeRisk(portfolio, token, priceData, action): RiskAssessment { // Daily loss limit check // Concurrent positions limit // Liquidity requirements // Position sizing } ``` **Implemented:** - ✅ Daily loss limits (configurable) - ✅ Maximum position size enforcement - ✅ Minimum liquidity requirements - ✅ Concurrent position limits **Missing:** - ❌ Correlation risk across positions - ❌ VaR (Value at Risk) calculations - ❌ Portfolio-level risk metrics ### Backtesting and Paper Trading Paper trading is implemented in `/packages/trading/memecoin-bot/src/services/paper-trading.ts` (referenced but not fully examined). **Gap:** No comprehensive backtesting framework observed in the audited scope. --- ## Section 4: Market Data Services ### Data Sources and Providers | Provider | Package Path | Data Types | |----------|--------------|------------| | **CoinGecko** | `market-data/coingecko/` | Prices, market caps, trending, OHLC | | **DexScreener** | `market-data/dexpaprika/` | DEX pair data, new listings | | **Birdeye** | Scanner integration | Solana token listings | | **Dune Analytics** | `market-data/dune-analytics-mcp/` | On-chain analytics | | **DefiLlama** | `market-data/defillama-mcp/` | TVL, protocol data | ### Real-time vs Historical Data - **Real-time:** WebSocket not implemented; polling-based updates - **Historical:** OHLC/kline data available from CoinGecko and Binance - **Polling Interval:** Configurable (default 5000ms for token scanning) **Gap:** No native WebSocket support for real-time price feeds. ### Data Normalization Patterns The unified adapter normalizes data from multiple sources: ```typescript // market-data/unified-adapter.ts overview.technicalAnalysis = { rsi: 65.5, macd: { signal: "bullish" }, bollingerBands: { position: "above_middle" }, attribution: "Kukapay crypto-indicators-mcp" }; ``` **Issue:** Contains hardcoded/mock data in the unified adapter. This should be replaced with actual API calls. ### Caching Strategies ```typescript // coingecko/src/index.ts private cache: Map<string, { data: unknown; timestamp: number }> = new Map(); private cacheTTL = 60000; // 1 minute cache ``` - Simple in-memory caching with TTL - Cache key includes endpoint + params - No cache invalidation on write operations ### Rate Limiting Handling **Current State:** - No explicit rate limiting implementation for outbound API calls - Basic timeout support (10-30 seconds) - No retry with exponential backoff **Security Risk:** API rate limits could be exceeded, causing service disruption. ### Failover Mechanisms **Not Implemented.** There's no: - Fallback data sources - Circuit breakers for failed providers - Health checks for external APIs --- ## Section 5: Security Analysis ### 🔴 Private Key Handling Review **CRITICAL ISSUES:** 1. **Private Keys in Environment Variables:** ```typescript // memecoin-trading-bot/src/config.ts privateKey: z.string().optional(), solanaPrivateKey: z.string().optional(), ``` Private keys are loaded directly from environment variables without encryption. 2. **Keys Stored in Memory:** ```typescript // memecoin-trading-bot/src/dex/raydium.ts const secretKey = bs58.decode(config.solanaPrivateKey); this.wallet = Keypair.fromSecretKey(secretKey); ``` No secure key management solution (e.g., HSM, KMS, or encrypted vaults). **Recommendation:** Implement secure key management: - Use hardware wallets or KMS for signing - Never store raw private keys in application memory - Use session-based key derivation ### Transaction Signing Security **Positive Findings:** - Transaction simulation before execution (Jupiter) - Block hash validation for transaction freshness **Issues:** - No signing transaction review/approval workflow - Automated signing without human confirmation for high-value trades ### Input Validation on Amounts **Partial Implementation:** ```typescript // config.ts - Zod validation maxPositionSize: z.number().positive().default(1000), stopLossPercent: z.number().min(1).max(50).default(5), ``` **Gaps:** - Token addresses not validated (checksum, format) - No validation for extreme amount values - User input from MCP tools not sanitized ### Integer Overflow/Underflow Protection **Positive:** - Uses `ethers.formatUnits()` and `ethers.parseUnits()` for BigNumber handling - Native BigInt used for Solana lamport calculations **Gap:** No explicit overflow checks for arithmetic operations. ### Reentrancy Considerations N/A for this codebase - reentrancy is a smart contract concern. However, state management during async operations could lead to race conditions (see below). ### Front-running Protections **Limited Implementation:** - Slippage protection provides some front-running mitigation - No private mempool integration (Flashbots, MEV Blocker) - No commit-reveal schemes ### API Key Storage and Rotation **Current:** ```typescript // Environment-based storage birdeyeApiKey: process.env.BIRDEYE_API_KEY, dexscreenerApiKey: process.env.DEXSCREENER_API_KEY, ``` **Issues:** - No key rotation mechanism - No encrypted storage - Keys may appear in logs (logging not sanitized) ### Audit Trail and Logging **Implemented:** - Transaction hashes logged - Trade execution logs - Database persistence for trades **Gaps:** - No structured logging (JSON format) - No sensitive data redaction - No audit log integrity protection ### Rate Limiting Implementations **NOT IMPLEMENTED** - Critical gap for: - External API calls (could exceed limits) - Internal tool execution (DoS protection) --- ## Section 6: Memecoin Trading Bot Review ### Bot Architecture Overview The memecoin trading bot exists in two locations: 1. `/memecoin-trading-bot/` - BSC/Solana multi-network bot 2. `/packages/trading/memecoin-bot/` - Solana-focused production bot **Architecture:** ``` ┌─────────────────────────────────────────┐ │ MemecoinTradingBot │ ├─────────┬──────────┬──────────┬─────────┤ │ Scanner │ Jupiter │ Analysis │ Risk │ │ Service │ Service │ Service │ Manager │ ├─────────┴──────────┴──────────┴─────────┤ │ Portfolio Manager │ ├─────────────────────────────────────────┤ │ Database Service │ └─────────────────────────────────────────┘ ``` ### Trading Strategies Implemented 1. **New Token Discovery** - Scans Birdeye/DexScreener for new listings 2. **Technical Analysis** - RSI, EMA, MACD, Bollinger Bands 3. **Confidence-Based Entry** - Trades only above 60% confidence threshold 4. **Multi-Factor Exit** - Stop-loss, take-profit, trailing stop, technical signals ### Risk Parameters and Limits | Parameter | Default | Configurable | |-----------|---------|--------------| | Max Position Size | 2 SOL | ✅ | | Min Position Size | 0.1 SOL | ✅ | | Max Slippage | 5% | ✅ | | Stop Loss | 20% | ✅ | | Take Profit | 100% | ✅ | | Trailing Stop | 15% | ✅ | | Max Daily Loss | 5 SOL | ✅ | | Min Liquidity | $10,000 | ✅ | | Max Market Cap | $1,000,000 | ✅ | ### Token Screening/Filtering ```typescript // services/scanner.ts meetsFilterCriteria(token: NewToken): Promise<boolean> { if (token.liquidity < config.minLiquidity) return false; if (token.marketCap > config.maxMarketCap) return false; if (token.volume24h < config.minVolume24h) return false; // Token age check } ``` ### Liquidity Analysis - Minimum liquidity threshold enforcement - Pool reserve checking via DEX contracts - Liquidity depth not analyzed (slippage on large orders not estimated) ### Rug Pull Detection **Implemented Checks:** ```typescript // services/analyzer.ts - Mint authority renounced ✅ - Freeze authority renounced ✅ - Top holder concentration ✅ - Liquidity lock verification ⚠️ (partial) - RugCheck.xyz API integration ✅ ``` **Honeypot Detection:** - Freeze authority check - No transaction simulation for sell test ### Sniper Functionality **Not Implemented** - No mempool sniping or pre-launch detection. ### Performance Optimizations - Parallel scanning from multiple data sources - In-memory caching for known tokens - Event-driven architecture with EventEmitter - Configurable scan intervals --- ## Section 7: Error Handling & Recovery ### Transaction Failure Handling ```typescript // services/jupiter.ts if (simulatedResponse.err) { return { success: false, error: `Simulation failed: ${JSON.stringify(simulatedResponse.err)}` }; } ``` **Positive:** Simulation failures prevent execution. **Gaps:** - No retry logic for transient failures - No differentiation between recoverable/unrecoverable errors ### Retry Mechanisms ```typescript // Binance integration signal: AbortSignal.timeout(this.timeout) ``` Basic timeout but no automatic retry with exponential backoff. **Recommendation:** Implement retry logic: ```typescript async function withRetry<T>(fn: () => Promise<T>, maxRetries = 3): Promise<T> ``` ### Partial Fill Handling **Not Implemented** - Orders assumed to be fully filled or failed. ### Network Error Recovery - RPC connection errors not specifically handled - No automatic reconnection for WebSocket connections - No health checks before critical operations ### State Reconciliation **Gap:** No mechanism to reconcile local state (positions) with on-chain state after restart or failure. ### Dead Letter Queues **Not Implemented** - Failed trades are logged but not queued for retry or manual review. ### Alert Mechanisms ```typescript // memecoin-trading-bot/src/utils/logger.ts await notifier.sendMessage('🤖 <b>Bot Started</b>'); await notifier.notifyAlert(`Failed to buy ${token.symbol}`); ``` Telegram notifications for critical events. No multi-channel alerting (email, PagerDuty, etc.). --- ## Section 8: Performance Analysis ### Latency Considerations | Operation | Typical Latency | Notes | |-----------|-----------------|-------| | Price fetch (CoinGecko) | 200-500ms | Cached for 60s | | Token scan (Birdeye) | 500-1000ms | Per batch | | Quote (Jupiter) | 300-500ms | Per token | | Transaction send | 500-2000ms | Network dependent | | Transaction confirm | 2000-30000ms | Block confirmation | **Critical Path:** Quote → Simulate → Sign → Send → Confirm (total 3-35 seconds) ### Batch Processing Capabilities ```typescript // coingecko - batch price fetching async getPricesBatch(coinIds: string[], currency = "usd") ``` Limited batch processing. Individual operations for most functions. ### Concurrent Request Handling ```typescript // Scanner uses parallel requests const [birdeyeTokens, dexscreenerTokens] = await Promise.all([ this.scanBirdeye(), this.scanDexScreener() ]); ``` **Issue:** No concurrency limits - could overwhelm rate limits. ### Memory Usage Patterns - In-memory caches without size limits - `knownTokens` Set grows unbounded - `priceHistory` Map retains 100 prices per token **Risk:** Memory leaks on long-running instances. ### Connection Pooling **Not Implemented** - Each request creates new connections. ### WebSocket Management **Limited** - Only Solana RPC uses WebSocket, configured via URL. --- ## Section 9: Testing Coverage ### Unit Test Coverage | Package | Test Files Found | Coverage Estimate | |---------|------------------|-------------------| | packages/defi | 260 files | 40-50% (mostly x402/chain-tools) | | packages/trading | 0 files | **0%** ❌ | | packages/market-data | 17 files | 20-30% | | memecoin-trading-bot | 0 files | **0%** ❌ | **Critical Gap:** Trading packages have **NO UNIT TESTS**. This is unacceptable for production code handling real funds. ### Integration Test Presence Some integration tests exist in `packages/defi/protocols/x402/` covering: - Payment flows - Testnet interactions - EVM mechanism testing ### Mock Implementations for Exchanges **Not Found** - No mock exchange clients for testing trade execution. ### Test Data Management No test fixtures or factories observed for: - Mock token data - Simulated market conditions - Edge case scenarios ### Mainnet Fork Testing Referenced in x402 package but not in trading packages. ### Edge Case Coverage **Critical Missing Tests:** - Extremely high slippage scenarios - API failure during trade execution - Partial fills - Concurrent position updates - Circuit breaker triggers - Token with malicious metadata --- ## Section 10: Code Quality Assessment ### Type Safety in Financial Calculations **Mixed Quality:** ```typescript // Good: Using ethers BigNumber ethers.formatUnits(accountData[0], 8) // Risky: Floating point arithmetic const price = Number(ethers.formatUnits(...)) const nativeAmount = positionValueUsd / 600 // Hardcoded price! ``` **Issue:** Mixing BigNumber and Number for financial calculations can lead to precision loss. ### BigNumber/Decimal Handling - ethers.js BigInt used for on-chain values - Native JavaScript numbers used for USD calculations - No Decimal library for precise arithmetic **Recommendation:** Use `decimal.js` or similar for all financial calculations. ### Null Safety Patterns ```typescript // Good pattern if (!quote) { console.log(`❌ Could not get quote for ${token.symbol}`); return; } ``` Generally good null checking, but some optional chaining missing. ### Async/Await Patterns - Consistent async/await usage - Promise.all for parallel operations - Missing error boundaries for concurrent operations ### Error Propagation ```typescript } catch (error: any) { Logger.error("Error getting user account:", error); throw new Error(`Failed to get user account: ${error.message}`); } ``` Errors are logged and re-thrown with context. However: - Stack traces sometimes lost - Error types not differentiated ### Logging Quality - Console logging predominant - Logger utility exists but basic - No log levels in production config - Sensitive data may be logged (API responses with balances) --- ## Section 11: Issues & Recommendations Table | Priority | Issue | Location | Description | Recommended Fix | Security Impact | |----------|-------|----------|-------------|-----------------|-----------------| | 🔴 Critical | Raw private key storage | `memecoin-trading-bot/src/config.ts` | Private keys stored in env vars and held in memory | Use KMS, hardware wallets, or secure enclaves | Fund theft if memory dumped | | 🔴 Critical | No input validation | Multiple MCP tools | User inputs not sanitized | Add Zod validation for all tool inputs | Injection attacks, crashes | | 🔴 Critical | Missing trading tests | `/packages/trading/` | 0% test coverage for trading logic | Add comprehensive test suite | Bugs cause financial loss | | 🟠 High | Hardcoded token prices | `memecoin-trading-bot/src/index.ts` L259 | BNB @ $600, SOL @ $150 hardcoded | Use live price feeds | Wrong position sizing | | 🟠 High | No rate limiting | All API calls | External APIs can be exceeded | Implement rate limiter | Service disruption | | 🟠 High | Race conditions | Position management | Concurrent position updates | Add mutex/locking | Double trades, state corruption | | 🟠 High | Unbounded memory | Scanner caches | `knownTokens` Set grows forever | Implement LRU cache | Memory exhaustion | | 🟠 High | Mock data in production | `market-data/unified-adapter.ts` | Hardcoded indicator values | Replace with real API calls | Incorrect trading signals | | 🟡 Medium | No retry logic | HTTP requests | Single attempt for all requests | Add exponential backoff | Failed trades | | 🟡 Medium | No failover | Data providers | No backup data sources | Implement circuit breaker pattern | Data unavailability | | 🟡 Medium | Floating-point math | Financial calculations | Number used for USD amounts | Use Decimal library | Precision loss | | 🟡 Medium | No state reconciliation | Position tracking | Local state can diverge from chain | Add reconciliation job | Incorrect P&L | | 🟡 Medium | Missing gas estimation | EVM transactions | Hardcoded gas limits | Dynamic gas estimation | Failed transactions | | 🟡 Medium | No transaction logging | Trade execution | Trades not persistently logged | Add comprehensive audit trail | Accountability gap | | 🟡 Medium | Hardcoded contract addresses | Aave tools | Network-specific addresses hardcoded | Make configurable per network | Wrong network calls | | 🔵 Low | Console logging | Throughout | Uses console.log instead of structured | Migrate to structured logger | Debugging difficulty | | 🔵 Low | Missing JSDoc | Trading services | Limited documentation | Add comprehensive JSDoc | Maintainability | | 🔵 Low | Inconsistent error types | Error handling | Generic Error used everywhere | Create custom error hierarchy | Poor error handling | | 🔵 Low | No health endpoints | MCP servers | No status/health checks | Add health check tools | Monitoring gap | | 🔵 Low | Missing attribution comments | Some files | Not all third-party code attributed | Add license headers | Legal compliance | | 🔵 Low | TypeScript strict mode | tsconfig.json | Not using strict mode | Enable strict mode | Type safety | --- ## Section 12: Action Items Summary ### 🔴 Critical Security Fixes (Must Do Before Production) 1. **Implement Secure Key Management** - Remove raw private keys from environment variables - Integrate with AWS KMS, HashiCorp Vault, or hardware wallets - Implement session-based signing with timeouts 2. **Add Comprehensive Input Validation** - Validate all MCP tool inputs with Zod schemas - Sanitize token addresses (checksum validation) - Add bounds checking for all numeric inputs 3. **Create Trading Test Suite** - Unit tests for risk management (min 80% coverage) - Integration tests for order execution - Mock exchange clients for deterministic testing - Edge case coverage (failures, partial fills) 4. **Fix Hardcoded Values** - Replace hardcoded token prices with live feeds - Make contract addresses network-configurable - Remove mock data from unified adapters ### 🟠 Important Functionality Improvements 5. **Implement Rate Limiting** - Add token bucket rate limiter for external APIs - Implement per-endpoint rate limits - Add rate limit headers parsing and backoff 6. **Add Retry Mechanism** - Exponential backoff with jitter - Differentiate retryable vs fatal errors - Maximum retry limits with circuit breaker 7. **Fix Memory Management** - Implement LRU caches with max size - Add cache expiration for scanner state - Monitor memory usage with metrics 8. **Add Race Condition Protection** - Implement mutex for position state updates - Use atomic database operations - Add transaction-level locking 9. **Implement State Reconciliation** - On-chain position verification on startup - Periodic reconciliation job - Alert on state divergence ### 🔵 Nice-to-Have Enhancements 10. **Improve Logging** - Migrate to structured JSON logging - Add log levels and filtering - Implement sensitive data redaction 11. **Add Monitoring** - Health check endpoints - Prometheus metrics - Performance dashboards 12. **Enhance Error Handling** - Create custom error hierarchy - Add error codes and documentation - Implement dead letter queues 13. **Documentation** - Add JSDoc to all public functions - Create API documentation - Document deployment procedures 14. **MEV Protection** - Integrate Flashbots or MEV Blocker - Add commit-reveal for large trades - Private RPC endpoints --- ## Appendix: Files Reviewed ### DeFi Package - `/packages/defi/unified-adapter.ts` - `/packages/defi/protocols/aave-mcp/src/index.ts` - `/packages/defi/protocols/aave-mcp/src/tools/index.ts` - `/packages/defi/protocols/uniswap-v3-mcp/src/index.ts` - `/packages/defi/bots/mev-bot-mcp/src/index.ts` ### Trading Package - `/packages/trading/unified-adapter.ts` - `/packages/trading/binance-mcp/src/index.ts` (580 lines) - `/packages/trading/memecoin-bot/src/bot.ts` (674 lines) - `/packages/trading/memecoin-bot/src/config/config.ts` - `/packages/trading/memecoin-bot/src/services/jupiter.ts` - `/packages/trading/memecoin-bot/src/services/solana.ts` - `/packages/trading/memecoin-bot/src/services/risk.ts` - `/packages/trading/memecoin-bot/src/services/scanner.ts` - `/packages/trading/memecoin-bot/src/services/analyzer.ts` - `/packages/trading/bots/src/mcp-tools.ts` ### Market Data Package - `/packages/market-data/unified-adapter.ts` (296 lines) - `/packages/market-data/coingecko/src/index.ts` (470 lines) ### Memecoin Trading Bot - `/memecoin-trading-bot/src/index.ts` (318 lines) - `/memecoin-trading-bot/src/config.ts` - `/memecoin-trading-bot/src/types.ts` - `/memecoin-trading-bot/src/risk/manager.ts` - `/memecoin-trading-bot/src/dex/pancakeswap.ts` - `/memecoin-trading-bot/src/dex/raydium.ts` ### Documentation - `/MEMECOIN-BOT.md` --- **Report Generated:** January 30, 2026 **Agent:** DeFi/Trading Security Auditor (Agent 2) **Word Count:** ~3,500 words

Loading blob content...

Latest Blog Posts

Redis vs ioredis vs valkey-glide
By punkpeye on January 26, 2026.
benchmark
Redis
valkey
Quickstart: Publish an MCP Server to the MCP Registry
By punkpeye on January 24, 2026.
mcp
official reference mirror
Official MCP Registry Server.json Requirements
By punkpeye on January 24, 2026.
mcp
official reference mirror

MCP directory API

We provide all the information about MCP servers via our MCP API.

curl -X GET 'https://glama.ai/api/mcp/v1/servers/nirholas/universal-crypto-mcp'

If you have feedback or need assistance with the MCP directory API, please join our Discord server

DEFI_TRADING_AUDIT.md•27.5 KiB