Security

If you find any vulnerabilities in Lido on Solana, please report them through Immunefi’s platform. Immunefi will handle bug bounty communications.

Bug bounty

Lido on Solana runs a bug bounty program with Immunefi, with bounties up to $2,000,000. Please see the page over at Immunefi for the details about what is in scope.

Audits

The Lido on Solana source code has been audited by the following parties:

| Date | Version | Program | Auditor | Report |
|---|---|---|---|---|
| February 2022 | v1.2.0 | Anker | Neodyme | Download PDF |
| August 2021 | v0.5.0 | Solido | Neodyme | Download PDF |
| July 2021 | v0.1.0 | Solido | Bramah Systems | Download PDF |

Open source and reproducible

The source code for all of our on-chain programs is publicly available, and the programs can be built reproducibly. This means that anybody can look at the source code to see what the program does, and anybody can verify that the program deployed on-chain was really built from the source code we publish. See the reproducibility page for the technical details of how to reproduce the programs.
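
The comparison at the end of such a verification can be sketched as follows. This is an added example, not Lido's own tooling or the procedure from the reproducibility page. It assumes the deployed bytes were saved to a file (for instance with `solana program dump`) and that the dump may carry trailing zero padding after the program image; the function names and sample bytes are constructed for illustration.

```python
import hashlib
from dataclasses import dataclass


@dataclass
class Verdict:
    matches: bool
    reason: str
    build_sha256: str


def compare_build_to_dump(build: bytes, dump: bytes) -> Verdict:
    """Compare a locally built program with the bytes dumped from chain.

    Assumption: the on-chain account may be allocated larger than the
    program, so the dump can carry trailing zero padding after the ELF.
    A plain hash comparison of the two files would then fail even for
    an honest deployment, so the prefix and the padding are checked
    separately.
    """
    digest = hashlib.sha256(build).hexdigest()
    if not build:
        return Verdict(False, "local build is empty", digest)
    if len(dump) < len(build):
        return Verdict(False, "dump is shorter than the local build", digest)
    if dump[: len(build)] != build:
        # Report the first differing offset to help diagnose toolchain drift.
        offset = next(i for i, (a, b) in enumerate(zip(build, dump)) if a != b)
        return Verdict(False, f"bytes differ at offset {offset}", digest)
    if any(dump[len(build):]):
        # Anything other than zeros after the image is unexplained data.
        return Verdict(False, "non-zero data after the program image", digest)
    return Verdict(True, "deployed bytes equal the local build", digest)


def compare_files(build_path: str, dump_path: str) -> Verdict:
    """Same check on two files; both paths are supplied by the caller."""
    with open(build_path, "rb") as b, open(dump_path, "rb") as d:
        return compare_build_to_dump(b.read(), d.read())


if __name__ == "__main__":
    # Constructed sample bytes, not a real program.
    build = b"\x7fELF" + bytes(range(1, 60))
    print(compare_build_to_dump(build, build + bytes(64)))
    print(compare_build_to_dump(build, build[:-1] + b"\xff" + bytes(64)))
```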

Upgrade authority

The upgrade authority of both the Solido program and our deployment of the Serum multisig program is set to the multisig’s program-derived address. This means that our on-chain programs can only be upgraded with approval from 4 of the 7 members. See the administration page for more details about the multisig, and see the deployments page for the addresses of our deployments and the multisig members.