`audit-pipeline sign verify <file> <file>.sig --pubkey jelleo.ed25519.pub`

20260506-234757-04b854e · started 2026-05-06T23:47:57+00:00 · engine 04b854e · wrapper 04b854e571

| Severity | Hypothesis | Title | Verdict | Status | PoC |
|---|---|---|---|---|---|
| Critical | A1-permissionless-no-drain | Every public/permissionless instruction either requires a privileged signer OR provably cannot reduce vault below cash_l | UNKNOWN / UNKNOWN | rejected | — |
| Critical | A2-admin-instructions-signer-check | Every admin-only instruction (pause, set-fee, set-cap, etc.) verifies the admin signer via Solana's signer flag, NOT jus | FALSE / HIGH | rejected | — |
| Critical | L4-keeper-authorization-surface | Every public/permissionless instruction that reaches use_insurance_buffer requires either an admin signer OR cannot drai | UNKNOWN / UNKNOWN | rejected | — |
| Critical | P1-pnl-zero-sum | Across all accounts in a market, sum(positive PnL) - sum(negative PnL) equals zero up to fees and funding payments. No P | UNKNOWN / MED | rejected | — |
| Critical | V1-vault-residual-conservation | The post-haircut residual cash (vault - cash_locked_in_orderbook - claimable_pnl - insurance_counter) is conserved acros | UNKNOWN / UNKNOWN | rejected | — |
| Critical | V2-vault-balance-equation | For every market state transition, the change in vault balance equals the sum of (cash deposited into orderbook + claima | UNKNOWN / UNKNOWN | rejected | — |
| Critical | V5-haircut-direction | The haircut (positive-PnL claim cap) only ever shrinks claimable PnL, never increases the residual cash that other claim | UNKNOWN / UNKNOWN | rejected | — |
| Critical | V7-insurance-counter-vault-coupling | Every code path that mutates `insurance_fund.balance` is paired with an equal-magnitude mutation of `vault` in the same | UNKNOWN / UNKNOWN | rejected | — |
| High | A5-pda-derivation-canonicality | Every PDA used as a vault or authority is derived with canonical seeds and the result is checked against the passed-in a | UNKNOWN / UNKNOWN | rejected | — |
| High | A7-wrapper-instruction-signer-routing | The BPF wrapper's instruction dispatch correctly routes signer privileges from the outermost transaction to the inner en | FALSE / MED | rejected | — |
| High | AC4-free-only-on-zero-position | free_slot / reclaim_empty_account refuses to free an account whose position_q != 0 or whose claimable_pnl != 0, preventi | UNKNOWN / UNKNOWN | rejected | — |
| High | AC6-slot-reuse-no-aliasing | A reused slot index cannot alias to two live accounts simultaneously. Materialize_at on an already-live slot is rejected | FALSE / HIGH | rejected | — |
| High | AC7-account-bound-authority | An account's bound authority is set at materialize time and cannot be silently changed without explicit ownership-transf | UNKNOWN / UNKNOWN | rejected | — |
| High | AR1-mul-div-floor-no-overflow | Every callsite of mul_div_floor_u128 either uses bounded inputs that provably cannot overflow, or invokes the wide_mul_d | UNKNOWN / UNKNOWN | rejected | — |
| High | AR2-pnl-delta-i128-bound | pnl_delta computed via abs_basis × ΔK / (a_basis × POS_SCALE) is provably bounded by 2^126 across any K-walk reachable t | UNKNOWN / UNKNOWN | rejected | — |
| High | AR4-catchup-no-overflow | The accrue_market_to_chunked catch-up math cannot overflow when replaying a long staleness window, even with adversarial | UNKNOWN / UNKNOWN | rejected | — |
| High | CI4-self-trade-net-zero | Self-trade (same authority on both sides) net-changes vault by exactly zero up to fees. No fund extraction via self-trad | UNKNOWN / UNKNOWN | rejected | — |
| High | CI6-batch-instruction-atomicity | A batched instruction (e.g., place-and-cancel, deposit-and-fill) either succeeds atomically or rolls back fully. No part | UNKNOWN / UNKNOWN | rejected | — |
| High | CI7-wrapper-instruction-equivalence | Calling an engine function via the BPF wrapper produces equivalent state changes to calling the engine function directly | UNKNOWN / UNKNOWN | rejected | — |
| High | CI8-flash-fill-impossible | A "flash fill" — open + close + withdraw within a single instruction — cannot extract more than the user's pre-instructi | UNKNOWN / UNKNOWN | rejected | — |
| High | IX7-readonly-vs-writable-correctness | Every account in an instruction's accounts array is marked writable iff the program will mutate it, preventing transacti | UNKNOWN / UNKNOWN | rejected | — |
| High | IX8-replay-protection | No instruction can be replayed within the same market state to double-credit a user (e.g., via signer-replay or stale-st | UNKNOWN / UNKNOWN | rejected | — |
| High | L3-keeper-crank-cursor-budget | The keeper crank's price-move consumption budget is not reset until every account in the swept window has actually been | FALSE / HIGH | rejected | — |
| High | L5-liquidation-no-fee-enrichment | Liquidation does not transfer collateral to the liquidator beyond the configured incentive percentage + protocol-defined | FALSE / HIGH | rejected | — |
| High | L6-force-closure-conditions | Force closure of a position can only occur under exactly the conditions enumerated in spec.md (MM breach, market-pause, | UNKNOWN / UNKNOWN | rejected | — |
| High | O1-position-q-bound | Every account's \|position_q\| is bounded by MAX_POSITION_ABS_Q across every reachable state, including immediately after | UNKNOWN / UNKNOWN | rejected | — |
| High | O3-position-authority-binding | An account's `position_q` and `claimable_pnl` can only be mutated when the account's bound authority signs (or via permi | UNKNOWN / UNKNOWN | rejected | — |
| High | O5-mm-trigger-correctness | Maintenance-margin (MM) breach correctly triggers liquidation eligibility, and once flagged, the account cannot grow pos | UNKNOWN / UNKNOWN | rejected | — |
| High | O8-cross-margin-equity | Cross-margin equity calculation is correct under partial liquidation, partial fills, and combined PnL realizations withi | UNKNOWN / UNKNOWN | rejected | — |
| High | P7-pnl-on-side-flip | When an account flips side (long → short or vice versa), the realized PnL on the closing portion is correctly debited/cr | UNKNOWN / UNKNOWN | rejected | — |
| High | S2-resolved-mode-mature-claim | Once a market enters Resolved mode, no further accrual of claimable_pnl is possible against the residual; only existing | UNKNOWN / UNKNOWN | rejected | — |
| High | S3-settle-after-close | `settle_after_close` correctly distributes final residual to each account proportional to its claim, respecting the hair | UNKNOWN / UNKNOWN | rejected | — |
| High | S4-touch-account-live-pairing | Every public instruction that advances the engine's market clock (accrue_market_to / accrue_market_to_chunked) is paired | UNKNOWN / UNKNOWN | rejected | — |
| High | V4-vault-cap-respect | Vault balance is provably bounded by MAX_VAULT_TVL across every reachable state. No accounting helper can push vault pas | FALSE / HIGH | rejected | — |
| High | V6-insurance-floor | Insurance fund balance is monotonically non-decreasing across user-only activity (deposits, withdraws, fills) and only d | UNKNOWN / MED | rejected | — |
| High | V8-cash-locked-conservation | `cash_locked_in_orderbook` equals the sum of all unfilled order sizes times their respective limit prices, for every mar | FALSE / HIGH | rejected | — |
| Medium | A8-multisig-threshold | If a multisig is used, threshold is enforced atomically and cannot be partially bypassed by replaying signatures. | UNKNOWN / UNKNOWN | rejected | — |
| Medium | A9-pause-gate-coverage | When the protocol is paused, every state-mutating instruction checks the pause flag and rejects. No instruction has a pa | UNKNOWN / UNKNOWN | rejected | — |
| Medium | AR3-funding-rate-bounds | Computed funding rate is bounded by configured \|max_funding_rate\| across all reachable mark/index states. | UNKNOWN / UNKNOWN | rejected | — |
| Medium | AR5-fee-calc-overflow | Fee calculation (size × fee_rate / FEE_SCALE) cannot overflow under MAX_POSITION_ABS_Q × MAX_PRICE bounds. | UNKNOWN / UNKNOWN | rejected | — |
| Medium | AR6-square-root-bounds | Any sqrt-based computation (e.g., for vega-style adjustments) is bounded and never produces NaN-equivalents on integer a | FALSE / HIGH | rejected | — |
| Medium | IX3-rent-exemption-check | Every account allocated by the program is rent-exempt, with sysvar rent verified at allocation time. | FALSE / HIGH | rejected | — |
| Medium | IX4-clock-sysvar-required | Every instruction that consumes a timestamp uses the Solana clock sysvar (not a user-supplied value). | FALSE / HIGH | rejected | — |
| Medium | O10-orderbook-side-balance | Total bid-side cash locked equals sum of (size × price) for all open bids; analogous for asks. Cannot be drained by help | UNKNOWN / UNKNOWN | rejected | — |
| Medium | O7-position-zero-clears-basis | When position_q reaches exactly 0, basis-related fields are zeroed atomically; subsequent fills don't inherit stale basi | UNKNOWN / UNKNOWN | rejected | — |
| Medium | O9-position-bedge-correct | The "bedge" (basis-edge) accounting on partial closes correctly apportions realized PnL between the closed and remaining | UNKNOWN / UNKNOWN | rejected | — |
| Medium | S5-market-mode-transitions | Market mode transitions (Active → Halted → Resolved) are one-way and irreversible without admin signer. | FALSE / HIGH | rejected | — |
| Medium | S6-time-monotonic | Market clock time is monotonically non-decreasing. No instruction can rewind the clock. | UNKNOWN / UNKNOWN | rejected | — |
| Medium | S9-cancel-correctness | Cancel-order instructions correctly unlock cash_locked back into vault and zero the order's slot. | UNKNOWN / UNKNOWN | rejected | — |
| Low | IX10-error-codes-distinct | Every distinct failure mode returns a distinct error code, so off-chain monitoring can disambiguate without log parsing. | FALSE / MED | rejected | — |
| Low | IX9-compute-budget-respect | Every instruction completes within the configured compute budget; no instruction is denial-of-service-able by adversaria | UNKNOWN / UNKNOWN | rejected | — |
| Low | R3-finality-gate | Settlement-class operations only consider state from finalized slots, never from confirmed-but-unfinalized state. | FALSE / HIGH | rejected | — |

| Tier | Definition |
|---|---|
| Critical | Direct loss of user funds or full protocol takeover with no meaningful preconditions. Reachable from a permissionless instruction by any signer. Must be patched immediately. |
| High | Significant loss of user funds or protocol invariant violation under realistic preconditions (specific market state, signer with limited but obtainable role). Patch should ship in next release. |
| Medium | Hardening issue, partial loss possible, or invariant violation requiring privileged signer or improbable state. Worth fixing in normal cadence. |
| Low | Minor issue with no plausible path to fund loss. Code-quality or defense-in-depth concern. |
| Info | Informational. No security impact. Documentation or style suggestion. |

This cycle was produced by Jelleo's continuous, hypothesis-driven Solana audit loop.
Every finding originates as a falsifiable invariant claim from a per-protocol
hypothesis library, dispatched to multi-agent recon (Layer 1), promoted on
contested verdicts via adversarial debate (Layer 1.5), and confirmed empirically
via a cargo test proof-of-concept (Layer 2) before transitioning to
confirmed. Confirmed findings auto-fire structural sibling derivation
and cross-protocol propagation hooks, then move through a restricted lifecycle
(new → triaged → confirmed → disclosed → fixed → verified).
Every cycle is signed Ed25519 against the platform key — see the cover-page receipt.
Full spec: docs/methodology/ (eleven sections, §01–§10) · Live reference: jelleo.com/methodology.html · Inaugural disclosure: aeyakovenko/percolator-prog#39 (F7, 2026-04)