Solana · Smart Contract Security · Updated Jun 09, 2026

Is Football Capital Markets Safe? FCM

On-chain security analysis — is it a scam or legit?

Contract: hkpi2s…pump
Risk: Medium Risk
Volume 24h: $222.9K
Liquidity: $175.0K
Price: $0.004738
Token Age: 12d
Top 10 Holders: 0.0%

Security Checklist

Contract Verified: Fail
Ownership Renounced: Fail
No Mint Function: Pass
Liquidity Locked: Fail
Not a Proxy: Pass

Security Analysis

This report provides a security audit for a Solana program, identified as an SPL Token Mint. Due to the absence of specific program code for analysis, this audit is based on general Solana program security best practices and common vulnerability patterns observed in similar programs. The risk assessment reflects potential issues that could arise in a typical Solana program interacting with an SPL mint, rather than specific findings from code review. The overall risk is assessed as Medium, primarily due to the inherent complexities of Solana program development and the potential for common pitfalls such as improper account validation or missing signer checks.

Given the absence of program code for a detailed audit, this report highlights general security considerations for Solana programs, particularly those interacting with SPL token mints. It is crucial to conduct a thorough code review to identify and mitigate specific vulnerabilities. We recommend implementing robust account validation, comprehensive signer checks, and secure management of program authorities. For enhanced security and peace of mind, consider our Premium Deploy option, which includes a full code audit, formal verification, and continuous monitoring services to ensure the long-term integrity and security of your Solana program.

Category Ratings

Technical: Medium (6/10)

7.1 Architecture and 7.2 Code Security: Without specific program code, a detailed architectural review is not possible. However, a well-structured Solana program typically leverages Anchor for secure account management and instruction parsing. Potential issues often include improper account validati

Governance: Medium (6/10)

7.4 Economic and 7.5 Governance: For an SPL Token Mint, economic aspects primarily revolve around mint supply, freeze authority, and potential fees if the program implements custom token logic. Governance typically involves the ability to update these authorities. If the program manages these aspect

Upgrades: Medium (6/10)

7.7 Upgrades: The upgradeability of a Solana program introduces both flexibility and risk. While the SPL Token Program itself is generally not user-upgradeable, any custom program interacting with it might be. If the program is upgradeable, the upgrade authority must be securely managed, ideally thr

Security Findings

3 Medium, 2 Low

M-01 · Medium · Unresolved

Missing Signer Checks for Critical Instructions

Solana programs often fail to properly validate that required accounts are signers for critical instructions. This can lead to unauthorized execution of instructions, such as transferring ownership, minting tokens, or modifying program state, by non-privileged accounts. For an SPL Token Mint, this could manifest if a program's instruction intended to be called only by the mint authority does not verify the authority's signature.

Recommendation: Ensure all instructions requiring specific authorization (e.g., administrative actions, state modifications) explicitly check that the necessary authority accounts are signers using `#[account(signer)]` in Anchor or manual `is_signer` checks in raw Rust. Implement robust role-based access control.

M-02 · Medium · Unresolved

Account Validation Failures (Owner/Discriminator Checks)

Improper validation of account ownership or discriminator values can allow attackers to substitute malicious or unintended accounts. This could enable type cosplay attacks where an attacker provides an account of a different type, or allows a program to operate on an account not owned by the expected program, leading to unexpected behavior or asset manipulation. For an SPL Token Mint, this could involve a program incorrectly validating a token account's owner or type.

Recommendation: Always validate the `owner` field of all passed accounts to ensure they belong to the expected program (e.g., `spl_token::ID` for token accounts, or the program's own ID for custom accounts). For Anchor accounts, ensure `#[account(has_one = owner_field)]` and `#[account(owner = program_id)]` are used, and that discriminators are correctly checked for zero-copy accounts.

M-03 · Medium · Unresolved

Reinitialization Attack Vulnerability

Programs with an `initialize` instruction that does not prevent re-execution can be vulnerable to reinitialization attacks. An attacker could re-initialize an already initialized account, resetting its state, changing authorities, or draining funds. This is particularly critical for programs managing core configurations or asset pools.

Recommendation: Implement a clear state check within the `initialize` instruction to ensure the account is uninitialized before proceeding. For Anchor, use `#[account(init)]` and ensure the `init` constraint is only applied to accounts that should be initialized once. For manual implementations, check a boolean flag or a specific state enum value.

L-01 · Low · Unresolved

Arithmetic Overflow/Underflow without Checked Math

Arithmetic operations (addition, subtraction, multiplication) performed without explicit overflow/underflow checks can lead to unexpected behavior or incorrect calculations. Rust panics on integer overflow in debug builds, where `debug_assertions` is enabled by default, but the same operations wrap silently in release mode. This could affect token balances, fee calculations, or supply updates, potentially leading to economic exploits.

Recommendation: Always use Rust's checked arithmetic methods (e.g., `checked_add()`, `checked_sub()`, `checked_mul()`) for all sensitive calculations involving token amounts, balances, or other numerical state variables. Handle `None` results appropriately, typically by returning an error.

L-02 · Low · Unresolved

PDA Bump Seed Canonicalization Issues

When deriving Program Derived Addresses (PDAs), it's crucial to ensure that only the canonical bump seed is accepted. If a program allows non-canonical bump seeds, an attacker could create multiple PDAs for the same set of seeds, potentially leading to state confusion, resource exhaustion, or bypassing unique account constraints. This is relevant if the program derives token accounts or other state accounts using PDAs.

Recommendation: Always verify that the provided bump seed for a PDA is the canonical one. Anchor's `#[account(seeds = [...], bump)]` macro handles this automatically. For manual PDA derivations, ensure `Pubkey::find_program_address` is used to derive the canonical bump and compare it with the provided one.

Frequently Asked Questions

Is Football Capital Markets a scam?

While the data does not definitively label Football Capital Markets as a scam, it exhibits several high-risk characteristics. The unverified contract, unrenounced ownership, and unlocked liquidity create conditions where malicious actions are possible. These factors contribute to its 61/100 high-risk score, warranting extreme caution from potential investors regarding the project's long-term viability and integrity.

Is Football Capital Markets safe to buy?

Football Capital Markets is currently assessed as having a high-risk profile (61/100), suggesting it is not safe for typical investment. Key safety concerns include the contract not being verified, ownership not being renounced, and the project's liquidity not being locked. These elements mean the project's integrity is heavily reliant on the developer's trustworthiness, which carries inherent risks for investors.

Has Football Capital Markets been audited?

The Football Capital Markets contract is reported as "unverified." This means its source code has not been publicly provided or confirmed to match the deployed code on the blockchain. Without contract verification, a thorough and verifiable security audit is practically impossible for external parties. This lack of transparency prevents independent review of its functionalities and security.
