Security#
Security documentation for the Seesaw protocol.
Overview#
Seesaw is designed with security as a core principle:
- Permissionless: No trusted parties required
- Trustless: Protocol enforces all rules on-chain
- Unaudited: No formal third-party audit completed
- Open Source: Publicly verifiable
In This Section#
- Threat Model - Attack surfaces and mitigations
- Invariants - Protocol guarantees
Key Security Properties#
| Property | Description | Enforcement |
|---|---|---|
| Solvency | Vault always covers payouts | Runtime checks |
| No Naked Shorts | Can only sell owned shares | Balance validation |
| Deterministic | Same inputs = same outputs | Pure functions |
| Immutable Snapshots | Oracle prices cannot change | One-time write |
| Idempotent Operations | Safe to retry | State checks |
Trust Assumptions#
| Component | Trust Level | Justification |
|---|---|---|
| Solana Runtime | Full | Foundation of execution |
| Pyth Oracle | High | 90+ decentralized providers |
| SPL Token | Full | Battle-tested standard |
| Protocol Code | Verify | Open source, unaudited |
| Crank Operators | None | Permissionless, incentivized |
| Users | None | Assume adversarial |
Security Measures#
Arithmetic Safety#
rust
// All arithmetic uses checked operations
let result = a.checked_add(b).ok_or(Error::Overflow)?;
let product = x.checked_mul(y).ok_or(Error::Overflow)?;
Account Validation#
rust
// Validate ownership, type, and PDA derivation
validate_owner(account, &program_id)?;
validate_discriminator::<MarketAccount>(account)?;
validate_pda(account, seeds, bump, &program_id)?;
State Machine#
rust
// Enforce valid state transitions
require!(
can_transition(current_state, instruction),
Error::InvalidStateTransition
);
Reporting Vulnerabilities#
Responsible Disclosure#
If you discover a vulnerability:
- DO NOT exploit or publicize
- Report via security@seesaw.markets
- Include detailed reproduction steps
- Allow 90 days for fix
Bug Bounty#
| Severity | Reward |
|---|---|
| Critical | Up to $100,000 |
| High | Up to $25,000 |
| Medium | Up to $5,000 |
| Low | Up to $1,000 |
Scope#
In Scope:
- Core protocol smart contract
- Oracle integration
- Order book logic
- Settlement logic
Out of Scope:
- Frontend applications
- Third-party integrations
- Already known issues
License#
The on-chain program (src/, tests/, fuzz/) is licensed under the Business Source License 1.1 (BUSL-1.1). It will convert to Apache License 2.0 on March 1, 2030. Web, mobile, indexer, and shared packages are licensed under MIT.
Audit Status#
No formal third-party security audit has been performed.
The protocol has not been reviewed by an independent auditing firm. The following internal security measures are in place:
| Measure | Description |
|---|---|
| Unit & Integration Tests | Comprehensive test suite covering all instructions |
| Property-Based Tests | Invariant verification via randomized inputs |
| Fuzz Testing | 6 cargo-fuzz targets covering critical modules |
| Mutation Testing | cargo-mutants verification of test quality |
| Runtime Invariant Checks | Solvency, no-crossed-book, conservation enforced on-chain |
| Checked Arithmetic | All operations use checked math to prevent overflows |
See Threat Model for known risks and mitigations.
Next Steps#
- Review Threat Model
- Understand Invariants