Location: docs/threat-model.md:Open Security Issues / GH#1823
Description:
The repository documents that upgrade authority for the on-chain program is still controlled by a single keypair (EOA) rather than a Squads multisig. In Solana upgradeable programs, whoever controls the upgrade authority can deploy arbitrary new bytecode to the same program ID, effectively bypassing all prior audit assumptions.
Root Cause:
Operational governance was not migrated from a single signer to a threshold-controlled multisig before mainnet hardening.
Exploit Scenario:
- Attacker compromises the single upgrade authority key (key leak, malware, signing infra compromise, social engineering).
- Attacker deploys a malicious program upgrade to the production program ID.
- Malicious upgrade drains vaults/insurance, rewrites balances, disables checks, or bricks withdrawals.
Impact:
Catastrophic protocol compromise: total loss of user funds, market manipulation, and permanent trust failure.
Recommended Fix:
Immediately transfer upgrade authority to a hardened Squads multisig with strict signer threshold and out-of-band signer distribution. Add procedural controls:
- timelock + mandatory review window for upgrades,
- allowlisted deployment pipeline,
- emergency revoke/freeze plan,
- routine authority-state monitoring.
Location:
docs/threat-model.md:Open Security Issues / GH#1823Description:
The repository documents that upgrade authority for the on-chain program is still controlled by a single keypair (EOA) rather than a Squads multisig. In Solana upgradeable programs, whoever controls the upgrade authority can deploy arbitrary new bytecode to the same program ID, effectively bypassing all prior audit assumptions.
Root Cause:
Operational governance was not migrated from a single signer to a threshold-controlled multisig before mainnet hardening.
Exploit Scenario:
Impact:
Catastrophic protocol compromise: total loss of user funds, market manipulation, and permanent trust failure.
Recommended Fix:
Immediately transfer upgrade authority to a hardened Squads multisig with strict signer threshold and out-of-band signer distribution. Add procedural controls: