Security#

Security documentation for the Seesaw protocol.

Scope: Threat analysis, protocol invariants, and the security section map. For the vulnerability reporting policy and bug bounty program, see ../SECURITY.md and ../BUG_BOUNTY.md.

In This Section#

Page	Diátaxis Role	Description
threat-model.md	Explanation	Why the protocol is designed the way it is — adversary model, attack surfaces, mitigations, and known limitations
invariants.md	Reference	Authoritative INV-* catalog — formal specs for every protocol guarantee, with production source locations
instruction-validation-matrix.md	Reference	Per-instruction account and argument validation requirements

Key Security Properties#

Property	Description	Enforcement
Solvency	Vault always covers payouts	Runtime checks
No Naked Shorts	Can only sell owned shares	Balance validation
Deterministic	Same inputs = same outputs	Pure functions
Immutable Snapshots	Oracle prices cannot change	One-time write
Idempotent Operations	Safe to retry	State checks

Trust Assumptions#

Component	Trust Level	Justification
Solana Runtime	Full	Foundation of execution
Pyth Oracle	High	External price source
SPL Token	Full	Battle-tested standard
Protocol Code	Verify	Open source, unaudited
Crank Operators	None	Permissionless, incentivized
Users	None	Assume adversarial

Audit Status#

No human third-party security audit has been performed.

The protocol has not been reviewed by an independent auditing firm. Security measures in place:

Measure	Description
Unit & Integration Tests	Unit and integration test suites covering critical instructions
Property-Based Tests	Invariant verification via randomized inputs
Fuzz Testing	36 cargo-fuzz targets covering critical modules
Mutation Testing	cargo-mutants verification of test quality
Runtime Invariant Checks	Solvency, no-crossed-book, conservation enforced on-chain
Checked Arithmetic	All operations use checked math to prevent overflows

Reporting Vulnerabilities#

See ../SECURITY.md for the responsible disclosure policy and ../BUG_BOUNTY.md for the bug bounty program, reward structure, and submission guidelines.

In This Section#

Page	Diátaxis Role	Description
threat-model.md	Explanation	Why the protocol is designed the way it is — adversary model, attack surfaces, mitigations, and known limitations
invariants.md	Reference	Authoritative INV-* catalog — formal specs for every protocol guarantee, with production source locations
instruction-validation-matrix.md	Reference	Per-instruction account and argument validation requirements

Property

Description

Enforcement

Solvency

Vault always covers payouts

Runtime checks

No Naked Shorts

Can only sell owned shares

Balance validation

Deterministic

Same inputs = same outputs

Pure functions

Immutable Snapshots

Oracle prices cannot change

One-time write

Idempotent Operations

Safe to retry

State checks

Component

Trust Level

Justification

Solana Runtime

Full

Foundation of execution

Pyth Oracle

High

External price source

SPL Token

Full

Battle-tested standard

Protocol Code

Verify

Open source, unaudited

Crank Operators

None

Permissionless, incentivized

Users

None

Assume adversarial

Audit Status#

No human third-party security audit has been performed.

The protocol has not been reviewed by an independent auditing firm. Security measures in place:

Measure	Description
Unit & Integration Tests	Unit and integration test suites covering critical instructions
Property-Based Tests	Invariant verification via randomized inputs
Fuzz Testing	36 cargo-fuzz targets covering critical modules
Mutation Testing	cargo-mutants verification of test quality
Runtime Invariant Checks	Solvency, no-crossed-book, conservation enforced on-chain
Checked Arithmetic	All operations use checked math to prevent overflows