`audit-pipeline sign verify <file> <file>.sig --pubkey jelleo.ed25519.pub`

20260506-194213-5059332 · started 2026-05-06T19:42:13+00:00 · engine 5059332 · wrapper 04b854e571

| Severity | Hypothesis ID | Claim | Verdict / Confidence | Status | PoC |
|---|---|---|---|---|---|
| Critical | CI5-cross-market-isolation | State changes in market A cannot affect accounts or vault in market B. Markets are fully isolated. | UNKNOWN / HIGH | rejected | — |
| Critical | L2-liquidation-only-on-mm-breach | A liquidation can only successfully execute when the target account's MM is genuinely breached at the moment of executio | FALSE / HIGH | rejected | — |
| Critical | P1-pnl-zero-sum | Across all accounts in a market, sum(positive PnL) - sum(negative PnL) equals zero up to fees and funding payments. No P | UNKNOWN / UNKNOWN | rejected | — |
| Critical | P5-funding-payment-zero-sum | Funding payments are zero-sum across long and short positions. Total paid by longs equals total received by shorts (or v | UNKNOWN / UNKNOWN | rejected | — |
| High | CI6-batch-instruction-atomicity | A batched instruction (e.g., place-and-cancel, deposit-and-fill) either succeeds atomically or rolls back fully. No part | UNKNOWN / UNKNOWN | rejected | — |
| High | IX1-ix-data-validation | Every instruction validates the length and shape of `instruction_data` before reading typed fields. No out-of-bounds rea | UNKNOWN / UNKNOWN | rejected | — |
| High | IX2-account-list-length-check | Every instruction enforces the expected number of accounts in the `accounts` array before indexing. | UNKNOWN / UNKNOWN | rejected | — |
| High | IX7-readonly-vs-writable-correctness | Every account in an instruction's accounts array is marked writable iff the program will mutate it, preventing transacti | UNKNOWN / UNKNOWN | rejected | — |
| High | IX8-replay-protection | No instruction can be replayed within the same market state to double-credit a user (e.g., via signer-replay or stale-st | UNKNOWN / UNKNOWN | rejected | — |
| High | L1-liquidation-discount-bounded | Liquidation bonus paid to a liquidator cannot exceed the configured LIQUIDATION_INCENTIVE_PCT of seized collateral, even | FALSE / HIGH | rejected | — |
| High | L3-keeper-crank-cursor-budget | The keeper crank's price-move consumption budget is not reset until every account in the swept window has actually been | FALSE / HIGH | rejected | — |
| High | O1-position-q-bound | Every account's \|position_q\| is bounded by MAX_POSITION_ABS_Q across every reachable state, including immediately after | FALSE / HIGH | rejected | — |
| High | O3-position-authority-binding | An account's `position_q` and `claimable_pnl` can only be mutated when the account's bound authority signs (or via permi | UNKNOWN / UNKNOWN | rejected | — |
| High | O5-mm-trigger-correctness | Maintenance-margin (MM) breach correctly triggers liquidation eligibility, and once flagged, the account cannot grow pos | UNKNOWN / UNKNOWN | rejected | — |
| High | O8-cross-margin-equity | Cross-margin equity calculation is correct under partial liquidation, partial fills, and combined PnL realizations withi | UNKNOWN / UNKNOWN | rejected | — |
| High | P3-pnl-matured-bound | `pnl_matured_pos_tot ≤ pnl_pos_tot` at all times. Matured claims are a subset of total claims. | UNKNOWN / UNKNOWN | rejected | — |
| High | P4-funding-rate-mark-bias | The funding rate captured by every instruction is computed BEFORE any mark_ewma_e6 / last_effective_price_e6 mutation in | FALSE / HIGH | rejected | — |
| High | S2-resolved-mode-mature-claim | Once a market enters Resolved mode, no further accrual of claimable_pnl is possible against the residual; only existing | UNKNOWN / UNKNOWN | rejected | — |
| High | V3-vault-monotonic-on-deposit | User-initiated deposits monotonically increase vault balance by exactly the deposited amount, with no off-by-one credit | FALSE / HIGH | rejected | — |
| High | V6-insurance-floor | Insurance fund balance is monotonically non-decreasing across user-only activity (deposits, withdraws, fills) and only d | UNKNOWN / UNKNOWN | rejected | — |
| High | A6-account-discriminator-check | Every parsed account verifies its discriminator (account-type tag) before reading typed fields, preventing type confusio | FALSE / HIGH | rejected | — |
| High | AR1-mul-div-floor-no-overflow | Every callsite of mul_div_floor_u128 either uses bounded inputs that provably cannot overflow, or invokes the wide_mul_d | FALSE / HIGH | rejected | — |
| Medium | CI10-resolution-final | Once a market is resolved and all matured claims are paid, the market account can be safely closed with no residual debt | UNKNOWN / UNKNOWN | rejected | — |
| Medium | IX3-rent-exemption-check | Every account allocated by the program is rent-exempt, with sysvar rent verified at allocation time. | FALSE / HIGH | rejected | — |
| Medium | O7-position-zero-clears-basis | When position_q reaches exactly 0, basis-related fields are zeroed atomically; subsequent fills don't inherit stale basi | UNKNOWN / HIGH | rejected | — |
| Medium | P8-self-trade-cash-flow | A self-trade (same authority on both sides of a fill) is cash-flow neutral up to fees + IM transitions. No fund extracti | UNKNOWN / MED | rejected | — |
| Medium | A8-multisig-threshold | If a multisig is used, threshold is enforced atomically and cannot be partially bypassed by replaying signatures. | FALSE / HIGH | rejected | — |
| Medium | A9-pause-gate-coverage | When the protocol is paused, every state-mutating instruction checks the pause flag and rejects. No instruction has a pa | FALSE / HIGH | rejected | — |
| Medium | AC8-account-zeroing-on-close | When an account is closed (via reclaim or full settlement), all its persistent fields are zeroed before the slot is mark | UNKNOWN / UNKNOWN | rejected | — |
| Medium | AR3-funding-rate-bounds | Computed funding rate is bounded by configured \|max_funding_rate\| across all reachable mark/index states. | UNKNOWN / UNKNOWN | rejected | — |
| Medium | AR7-saturating-arithmetic-correctness | Where the codebase uses saturating arithmetic, the saturation point is the documented protocol cap, not a primitive type | FALSE / MED | rejected | — |
| Low | IX10-error-codes-distinct | Every distinct failure mode returns a distinct error code, so off-chain monitoring can disambiguate without log parsing. | FALSE / HIGH | rejected | — |
| Low | R3-finality-gate | Settlement-class operations only consider state from finalized slots, never from confirmed-but-unfinalized state. | FALSE / HIGH | rejected | — |
| Low | R4-leader-rotation-safety | Leader rotation between two adjacent slots cannot expose a transient state where invariants fail. | FALSE / HIGH | rejected | — |
| Low | R5-rpc-staleness-tolerance | Off-chain components reading state via RPC tolerate up to N slots of staleness without acting on stale information. | UNKNOWN / UNKNOWN | rejected | — |

| Tier | Definition |
|---|---|
| Critical | Direct loss of user funds or full protocol takeover with no meaningful preconditions. Reachable from a permissionless instruction by any signer. Must be patched immediately. |
| High | Significant loss of user funds or protocol invariant violation under realistic preconditions (specific market state, signer with limited but obtainable role). Patch should ship in next release. |
| Medium | Hardening issue, partial loss possible, or invariant violation requiring privileged signer or improbable state. Worth fixing in normal cadence. |
| Low | Minor issue with no plausible path to fund loss. Code-quality or defense-in-depth concern. |
| Info | Informational. No security impact. Documentation or style suggestion. |

This cycle was produced by Jelleo's continuous, hypothesis-driven Solana audit loop.
Every finding originates as a falsifiable invariant claim drawn from a per-protocol
hypothesis library. It is dispatched to multi-agent recon (Layer 1), promoted on
contested verdicts via adversarial debate (Layer 1.5), and confirmed empirically
via a cargo test proof-of-concept (Layer 2) before it transitions to the
confirmed state. Confirmed findings auto-fire structural sibling derivation
and cross-protocol propagation hooks, then move through a restricted lifecycle
(new → triaged → confirmed → disclosed → fixed → verified).
Every cycle is signed with Ed25519 under the platform key; see the cover-page receipt.
Full spec: docs/methodology/ (eleven sections, §01–§10) · Live reference: jelleo.com/methodology.html · Inaugural disclosure: aeyakovenko/percolator-prog#39 (F7, 2026-04)
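The receipt at the top of the page is checked with `audit-pipeline sign verify`. As an added example that is not Jelleo's tool or code, the Go program below shows what such a verifier has to do, using only the standard-library `crypto/ed25519`: it checks a detached signature over the exact report bytes, rejects a one-word edit to a verdict, and rejects a signature produced under a different key. It assumes, since neither is documented on this page, that `jelleo.ed25519.pub` holds the 32-byte public key as hex text and that `<file>.sig` holds the raw 64-byte signature; the report text and the throwaway key pair standing in for the platform key are constructed inline.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"crypto/rand"
	"encoding/hex"
	"errors"
	"fmt"
	"strings"
)

// reportBody is a constructed stand-in for the signed report file. The real
// input is whatever bytes `audit-pipeline sign` wrote, read back unmodified.
const reportBody = "20260506-194213-5059332 · started 2026-05-06T19:42:13+00:00\n" +
	"| Critical | CI5-cross-market-isolation | ... | UNKNOWN / HIGH | rejected | — |\n"

// ParsePubKeyHex parses a hex-encoded 32-byte Ed25519 public key. Hex text is
// this example's assumption about the .pub file format, not a documented one.
func ParsePubKeyHex(s string) (ed25519.PublicKey, error) {
	raw, err := hex.DecodeString(strings.TrimSpace(s))
	if err != nil {
		return nil, fmt.Errorf("public key is not valid hex: %w", err)
	}
	if len(raw) != ed25519.PublicKeySize {
		return nil, fmt.Errorf("public key is %d bytes, want %d", len(raw), ed25519.PublicKeySize)
	}
	return ed25519.PublicKey(raw), nil
}

// VerifyDetached checks a detached signature over the exact report bytes.
// The length checks come first on purpose: ed25519.Verify panics on a public
// key of the wrong size, and a verifier that a malformed key file can crash is
// a denial-of-service bug in its own right.
func VerifyDetached(pub ed25519.PublicKey, report, sig []byte) (bool, error) {
	if len(pub) != ed25519.PublicKeySize {
		return false, errors.New("public key must be 32 bytes")
	}
	if len(sig) != ed25519.SignatureSize {
		return false, errors.New("signature must be 64 bytes")
	}
	return ed25519.Verify(pub, report, sig), nil
}

// CheckResults records the outcome of the three checks RunChecks performs.
type CheckResults struct {
	GenuineAccepted  bool // unmodified report, correct key: must verify
	TamperedRejected bool // one verdict word changed in the report: must fail
	ForgeryRejected  bool // signature made under some other key: must fail
}

// RunChecks generates a throwaway key pair (standing in for the platform key),
// signs the constructed report, and exercises the verifier against it.
func RunChecks() (CheckResults, error) {
	var res CheckResults
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return res, err
	}
	report := []byte(reportBody)
	sig := ed25519.Sign(priv, report) // what the detached <file>.sig would hold

	// Round-trip the key through the hex text format assumed for the .pub file.
	parsed, err := ParsePubKeyHex(hex.EncodeToString(pub))
	if err != nil {
		return res, err
	}
	if res.GenuineAccepted, err = VerifyDetached(parsed, report, sig); err != nil {
		return res, err
	}

	// Flip one row's status: "rejected" -> "confirmed". Ed25519 signs the whole
	// message, so the original signature no longer covers these bytes.
	tampered := bytes.Replace(report, []byte("rejected"), []byte("confirmed"), 1)
	ok, err := VerifyDetached(parsed, tampered, sig)
	if err != nil {
		return res, err
	}
	res.TamperedRejected = !ok

	// An attacker who signs the genuine report with their own key must still
	// fail verification under the platform key.
	_, otherPriv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return res, err
	}
	forged := ed25519.Sign(otherPriv, report)
	ok, err = VerifyDetached(parsed, report, forged)
	if err != nil {
		return res, err
	}
	res.ForgeryRejected = !ok
	return res, nil
}

func main() {
	res, err := RunChecks()
	if err != nil {
		fmt.Println("error:", err)
		return
	}
	fmt.Printf("genuine accepted: %v, tampered rejected: %v, forgery rejected: %v\n",
		res.GenuineAccepted, res.TamperedRejected, res.ForgeryRejected)
}
```

Two practical points follow from the code. The verifier must hash exactly the bytes that were signed, so the report file has to be read in binary mode with no line-ending or Unicode normalization, or a genuine file will fail. And a successful verification establishes only that the holder of the platform private key signed these bytes at some point; it says nothing about whether the verdicts in the table are right, and it does not by itself bind the signature to this cycle ID unless the ID is inside the signed bytes, as it is in the constructed report above.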