Security
If you find any vulnerabilities in Lido on Solana, please report them through Immunefi’s platform. Immunefi will handle bug bounty communications.
Bug bounty
Lido on Solana runs a bug bounty program with Immunefi with bounties up to $2,000,000. Please see the page over at Immunfi for the details about what is in scope.
Audits
The Lido on Solana source code has been audited by the following parties:
| Date | Version | Program | Auditor | Report |
|---|---|---|---|---|
| February 2022 | v1.2.0 | Anker | Neodyme | Download PDF |
| August 2021 | v0.5.0 | Solido | Neodyme | Download PDF |
| July 2021 | v0.1.0 | Solido | Bramah Systems | Download PDF |
Open source and reproducible
The source code for all of our on-chain programs is publicly available, and the programs can be built reproducibly. This means that anybody can look at the source code to see what the program does, and anybody can verify that the program deployed on-chain was really built from the source code we publish. See the reproducibility page for the technical details of how to reproduce the programs.
Upgrade authority
The upgrade authority of both the Solido program and our deployment of the Serum multisig program, is set to the multisig’s program-derived address. This means that our on-chain programs can only be upgraded with approval from 4 of the 7 members. See the administration page for more details about the multisig, and see the deployments page for the addresses of our deployments and the multisig members.