audit-pipeline sign verify <file> <file>.sig --pubkey jelleo.ed25519.pub
20260506-194649-5059332 ·
started 2026-05-06T19:46:49+00:00 ·
engine 5059332 ·
wrapper 04b854e571
| Severity | Hypothesis | Title | Verdict | Status | PoC |
|---|---|---|---|---|---|
| Critical | SH11-self-matched-pair-cannot-walk-K |
A self-matched pair (attacker keypairs A long / B short opened via `TradeNoCpi` at baseline price) cannot subsequently w | UNKNOWN / UNKNOWN | rejected | — |
| Critical | SH2-withdraw-collateral-helper-choice |
`WithdrawCollateral` invokes `ensure_market_accrued_to_now_for_account_limited_op` (the strict helper) and not `ensure_m | UNKNOWN / LOW | rejected | — |
| Critical | SH4-k-walk-via-funding-rejected |
A multi-day warp under static Pyth oracle but non-zero funding rate (driven by `mark_ewma` divergence from attacker-cont | UNKNOWN / UNKNOWN | rejected | — |
| High | SH10-cpi-matcher-state-writes-isolated |
`TradeCpi`'s matcher CPI cannot write to engine state (specifically `mark_ewma_e6`, `last_effective_price_e6`, or any ac | UNKNOWN / UNKNOWN | rejected | — |
| High | SH8-trade-cpi-band-check-tightness |
`TradeCpi`'s band check at `src/percolator.rs:6633-6655` enforces that `exec_price` is within ±100 bps of the Pyth oracl | UNKNOWN / UNKNOWN | rejected | — |
| Tier | Definition |
|---|---|
| Critical | Direct loss of user funds or full protocol takeover with no meaningful preconditions. Reachable from a permissionless instruction by any signer. Must be patched immediately. |
| High | Significant loss of user funds or protocol invariant violation under realistic preconditions (specific market state, signer with limited but obtainable role). Patch should ship in next release. |
| Medium | Hardening issue, partial loss possible, or invariant violation requiring privileged signer or improbable state. Worth fixing in normal cadence. |
| Low | Minor issue with no plausible path to fund loss. Code-quality or defense-in-depth concern. |
| Info | Informational. No security impact. Documentation or style suggestion. |
This cycle was produced by Jelleo's continuous, hypothesis-driven Solana audit loop.
Every finding originates as a falsifiable invariant claim from a per-protocol
hypothesis library, dispatched to multi-agent recon (Layer 1), promoted on
contested verdicts via adversarial debate (Layer 1.5), and confirmed empirically
via a cargo test proof-of-concept (Layer 2) before transitioning to
confirmed. Confirmed findings auto-fire structural sibling derivation
and cross-protocol propagation hooks, then move through a restricted lifecycle
(new → triaged → confirmed → disclosed → fixed → verified).
Every cycle is signed Ed25519 against the platform key — see the cover-page receipt.
Full spec: docs/methodology/ (eleven sections, §01–§10) · Live reference: jelleo.com/methodology.html · Inaugural disclosure: aeyakovenko/percolator-prog#39 (F7, 2026-04)