Skip to main content

Security

If you find any vulnerabilities in Lido for Solana, please report them through Immunefi’s platform. Immunefi will handle bug bounty communications.

Bug bounty#

Lido for Solana runs a bug bounty program with Immunefi with bounties up to $2,000,000. Please see the page over at Immunfi for the details about what is in scope.

Audits#

The Lido for Solana source code has been audited by the following parties:

DateVersionAuditorReport
August 2021v0.5.0NeodymeDownload PDF
July 2021v0.1.0Bramah SystemsDownload PDF

Open source and reproducible#

The source code for all of our on-chain programs is publicly available, and the programs can be built reproducibly. This means that anybody can look at the source code to see what the program does, and anybody can verify that the program deployed on-chain was really built from the source code we publish. See the reproducibility page for the technical details of how to reproduce the programs.

Upgrade authority#

The upgrade authority of both the Solido program and our deployment of the Serum multisig program, is set to the multisig’s program-derived address. This means that our on-chain programs can only be upgraded with approval from 4 of the 7 members. See the administration page for more details about the multisig, and see the deployments page for the addresses of our deployments and the multisig members.