audit-pipeline sign verify <file> <file>.sig --pubkey jelleo.ed25519.pub
20260507-004922-5059332 ·
started 2026-05-07T00:49:22+00:00 ·
engine 5059332 ·
wrapper 04b854e571
| Severity | Hypothesis | Title | Verdict | Status | PoC |
|---|---|---|---|---|---|
| Critical | W1-public-api-reaches-absorb-protocol-loss |
The helper absorb_protocol_loss at percolator.rs:4845 debits insurance without correspondingly debiting vault (V1 confir | UNKNOWN / UNKNOWN | rejected | — |
| Critical | W2-resolve-flat-negative-via-touch-public |
resolve_flat_negative_with_context at percolator.rs:7123 calls absorb_protocol_loss(loss) when an account has position_b | UNKNOWN / UNKNOWN | rejected | — |
| Critical | W3-resolved-mode-reconciliation-insurance-drain |
In Resolved-mode reconciliation, force_close_resolved_with_fee_not_atomic and reconcile_resolved_not_atomic eventually c | UNKNOWN / UNKNOWN | rejected | — |
| Critical | W6-conservation-postcondition-coverage |
assert_public_postconditions is called at the end of every public mutating function. Verify whether this postcondition i | UNKNOWN / UNKNOWN | rejected | — |
| High | W5-set-pnl-with-reserve-after-absorb |
resolve_flat_negative_with_context at line 7148 calls set_pnl_with_reserve(idx, 0, NoPositiveIncreaseAllowed, None) AFTE | UNKNOWN / UNKNOWN | rejected | — |
| Tier | Definition |
|---|---|
| Critical | Direct loss of user funds or full protocol takeover with no meaningful preconditions. Reachable from a permissionless instruction by any signer. Must be patched immediately. |
| High | Significant loss of user funds or protocol invariant violation under realistic preconditions (specific market state, signer with limited but obtainable role). Patch should ship in next release. |
| Medium | Hardening issue, partial loss possible, or invariant violation requiring privileged signer or improbable state. Worth fixing in normal cadence. |
| Low | Minor issue with no plausible path to fund loss. Code-quality or defense-in-depth concern. |
| Info | Informational. No security impact. Documentation or style suggestion. |
This cycle was produced by Jelleo's continuous, hypothesis-driven Solana audit loop.
Every finding originates as a falsifiable invariant claim from a per-protocol
hypothesis library, dispatched to multi-agent recon (Layer 1), promoted on
contested verdicts via adversarial debate (Layer 1.5), and confirmed empirically
via a cargo test proof-of-concept (Layer 2) before transitioning to
confirmed. Confirmed findings auto-fire structural sibling derivation
and cross-protocol propagation hooks, then move through a restricted lifecycle
(new → triaged → confirmed → disclosed → fixed → verified).
Every cycle is signed Ed25519 against the platform key — see the cover-page receipt.
Full spec: docs/methodology/ (eleven sections, §01–§10) · Live reference: jelleo.com/methodology.html · Inaugural disclosure: aeyakovenko/percolator-prog#39 (F7, 2026-04)