audit-pipeline sign verify <file> <file>.sig --pubkey jelleo.ed25519.pub
20260428-193800 ·
started 2026-04-28T19:38:00+00:00 ·
engine a946e5508f ·
wrapper 4c22024dd3
| Severity | Hypothesis | Title | Verdict | Status | PoC |
|---|---|---|---|---|---|
| Info | H1-residual-conservation |
The post-haircut residual cash on a market (vault - cash_locked_in_orderbook - claimable_pnl - insurance_counter) is con | UNKNOWN / UNKNOWN | rejected | — |
| Info | H10-init-state-invariants |
The post-init state of a market (vault, c_tot, insurance_fund.balance, pnl_pos_tot, pnl_matured_pos_tot, all OI counters | UNKNOWN / UNKNOWN | rejected | — |
| Info | H2-haircut-direction |
The haircut (positive-PnL claim cap) only ever shrinks claimable PnL, never increases the residual cash that other claim | UNKNOWN / UNKNOWN | rejected | — |
| Info | H3-self-trade-cash-flow |
A self-trade (same authority on both sides of a fill) is cash-flow neutral up to fees + IM transitions. | UNKNOWN / UNKNOWN | rejected | — |
| Info | H4-vault-balance-conservation |
For every market state transition, the change in vault balance equals the sum of (cash deposited into orderbook + claima | UNKNOWN / UNKNOWN | rejected | — |
| Info | H5-permissionless-trigger-surface |
Every public/permissionless instruction that reaches use_insurance_buffer requires either an admin signer OR cannot drai | UNKNOWN / UNKNOWN | rejected | — |
| Info | H8-keeper-crank-cursor-consumption |
The keeper crank's price-move consumption budget is not reset until every account in the swept window has actually been | UNKNOWN / HIGH | rejected | — |
| Info | H9-resolved-mode-mature-claim |
Once a market enters Resolved mode, no further accrual of claimable_pnl is possible against the residual; only existing | UNKNOWN / HIGH | rejected | — |
| Tier | Definition |
|---|---|
| Critical | Direct loss of user funds or full protocol takeover with no meaningful preconditions. Reachable from a permissionless instruction by any signer. Must be patched immediately. |
| High | Significant loss of user funds or protocol invariant violation under realistic preconditions (specific market state, signer with limited but obtainable role). Patch should ship in next release. |
| Medium | Hardening issue, partial loss possible, or invariant violation requiring privileged signer or improbable state. Worth fixing in normal cadence. |
| Low | Minor issue with no plausible path to fund loss. Code-quality or defense-in-depth concern. |
| Info | Informational. No security impact. Documentation or style suggestion. |
This cycle was produced by Jelleo's continuous, hypothesis-driven Solana audit loop.
Every finding originates as a falsifiable invariant claim from a per-protocol
hypothesis library, dispatched to multi-agent recon (Layer 1), promoted on
contested verdicts via adversarial debate (Layer 1.5), and confirmed empirically
via a cargo test proof-of-concept (Layer 2) before transitioning to
confirmed. Confirmed findings auto-fire structural sibling derivation
and cross-protocol propagation hooks, then move through a restricted lifecycle
(new → triaged → confirmed → disclosed → fixed → verified).
Every cycle is signed Ed25519 against the platform key — see the cover-page receipt.
Full spec: docs/methodology/ (eleven sections, §01–§10) · Live reference: jelleo.com/methodology.html · Inaugural disclosure: aeyakovenko/percolator-prog#39 (F7, 2026-04)