
SPECTRE Solana — Master Audit Report

Issuer: Pinpoint Technologies
Issue Date: 2026-05-09
Document Status: Living. Supersedes the topline numbers in v1.0 of SPECTRE-Solana-Ecosystem-Security-Report-2026-05.md. Every per-protocol file referenced here is the authoritative single source for that audit.

How to read this report. Every number below has an explicit denominator. Closure counts (e.g. "3 / 3 closed") refer to the High-severity findings explicitly tracked in AUDIT-CROSSREF.md and closed by an experimental detector. Recall counts (e.g. "12 / 26") measure how many findings in a given external audit corpus the rule pack would surface end-to-end. Detectors marked experimental are registered under register_experimental() and are not included in the default strict scan profile yet.


0. Summary

This document consolidates every SPECTRE static-analysis pass conducted to date on the Solana ecosystem, plus the per-protocol audits, FP triage work, comparison studies, and rule-mining methodology that underwrite them. Every section links to the canonical artefact for that work — this file is an index + topline, not a substitute for the detailed reports.

| Metric | Value | Source |
|---|---|---|
| Protocol crates scanned (latest pass) | 55 | corpus/spectre-corpus-scan-2026-05-09.md |
| Architectural findings (latest pass) | 3,356 | same |
| Distinct rules fired | 10 | same |
| Top-10 findings concentration | 2,667 (≈79% of corpus) | same |
| V12 High-severity findings tracked + closed by experimental detectors | 3 / 3 (F-54628 → PKT-001, F-54642 → PKT-002, F-54651 → LIAB-001; experimental profile, not yet in strict) | AUDIT-CROSSREF.md |
| V12 internal-bench recall (full rule pack, all severities) | 12 / 26 (~46%) | methodology/spectre-rule-mining-backlog-2026-05.md |
| Kamino suite unmitigated true positives | 0 / 5 programs | per-protocol/kamino-suite-audit-2026-05.md |
| Kamino architectural FPs eliminated by suppressors | 14 | per-protocol/kamino-fp-triage-2026-05.md |
| Active rule pack size | 71 architectural detectors + 3 signed-packet detectors (74 total: 14 strict, 60 experimental; the 2026-05-12 sprint added INV-004, RACE-001 / 002 / 003 / 004, ARI-050, STATE-001) | methodology/spectre-rule-mining-backlog-2026-05.md |

1. Latest corpus pass (2026-05-09)

Scope: 60 target protocols (governance / multisig / DAO / admin / timelock / insurance + tier-1 DeFi extensions). 55 successfully cloned and scanned; 5 stale-URL clone failures (separate data-quality issue).

Profile: balanced, --min-confidence 0.78.

Top 10 by finding count — together account for 2,667 findings (79% of the corpus):

| # | Protocol | Category | Findings | Top rule |
|---|---|---|---|---|
| 1 | Jito Restaking | Restaking | 873 | QUAL-003 ×850 |
| 2 | Tensor Marketplace | NFT | 424 | QUAL-003 ×405 |
| 3 | Metaplex Bubblegum | cNFT | 413 | QUAL-003 ×403 |
| 4 | Mango v4 | Perps | 199 | QUAL-003 ×189 |
| 5 | Orca Whirlpools | AMM | 195 | QUAL-003 ×155 |
| 6 | Kamino Lending | Lending | 151 | QUAL-003 ×145 |
| 7 | MarginFi v2 | Lending | 126 | QUAL-003 ×119 |
| 8 | Marinade Anchor | LST | 115 | QUAL-003 ×57 |
| 9 | Jito Stake Pool | LST | 90 | QUAL-003 ×74 |
| 10 | Kamino Scope | Oracle | 81 | QUAL-003 ×80 |

Findings by rule (top 10):

| Rule | Count | Description (one-liner) |
|---|---|---|
| QUAL-003 | 2,938 | Code-quality smell (high-volume hygiene rule) |
| ACC-013 | 174 | Account-type / discriminator validation gap |
| DEPVULN-001 | 61 | Vulnerable dependency declared in Cargo.toml |
| CPI-030 | 50 | CPI to untrusted program without provenance check |
| GOV-001 | 41 | Privileged governance instruction without timelock |
| AUTH-001 | 30 | Missing signer / authority constraint |
| COV-001 | 30 | Test coverage gap on public instruction |
| AUTH-100 | 20 | PDA seed authority binding |
| CONFIG-010 | 10 | Mutable config accepted on permissionless path |
| EVT-001 | 2 | Privileged handler emits via emit_cpi! only |

Reproduction: python3 code/cli/crates/pinpoint-rules-solana/benches/solana/runner/corpus_scan.py (set PINPOINT_LOCAL_SCAN=1 if running outside the harness; binary must be built with --features internal for JSON output).


2. Per-protocol audits

2.1 Kamino suite

Single-organization audit pass over the five Kamino protocols (klend, kvault, kfarms, limo, scope). Outcome: 0 unmitigated true positives; every surface-level finding was either by-design or suppressed by a surgical rule patch landed during the audit. per-protocol/kamino-suite-audit-2026-05.md (audit) and per-protocol/kamino-fp-triage-2026-05.md (FP triage)

2.2 Vouch

Single-protocol audit of the Vouch attestation program. per-protocol/vouch-audit-2026-05.md

2.3 Prod-readiness benchmark (Drift v2 / Raydium / OpenBook v2 / Mango v4)

Four-protocol comparison run with the May 2026 prod-readiness rule pack (full profile, --min-confidence 0.0). The summary leads with the honest "complementary, not competitive" framing: the new Token-2022 detectors fire on the protocols that have opted into T22, and the proactive-pass variants surface latent T22 hazards on the rest. per-protocol/prod-readiness-scans-2026-05/SUMMARY.md


3. Methodology

3.1 Rule-mining backlog

Tracks every SPECTRE detector against the V12 (Zellic) and OtterSec finding corpus that motivated it. Static-rule recall on the V12 internal-bench corpus (all severities): 12 / 26 (~46%) after the 2026-05 rule-mining pass. Three new detectors (PKT-001, PKT-002, LIAB-001) closed three High-severity V12 findings (F-54628, F-54642, F-54651). All three currently ship under register_experimental() and are not yet in the default strict profile.

methodology/spectre-rule-mining-backlog-2026-05.md

3.2 Audit-firm-gap closure rules (2026-05-11 + 2026-05-12)

The spectre-solana-deepen-and-close-gap-2026-05 epic shipped two new detectors derived from published audit-firm findings (Certora 1.17.0 M-07 and OtterSec ADV-02) together with three linker-substrate capabilities that previously blocked them. The follow-on spectre-solana-config-invariants-2026-05 epic (2026-05-12) shipped INV-004 closing the Certora 1.13.0 L-02 / 1.17.0 M-03 / 1.17.0 M-06 class:

  • INV-001 invariant-escape detector. Compares the handler-predicate-set (HPSE) of every mutator of a guarded struct field. Flags any mutator whose predicate set is a strict subset of a sibling mutator's predicate set on the same struct type. Targets the Certora 1.17.0 M-07 class ("clone_reserve_config bypasses is_immutable"). Ships under register_experimental(). Unit-test TP on synthetic fixture; pending engine-integration work before the CLI scan emits the finding end-to-end. Zero FPs on the native subset (Serum / Phoenix / Solend / Mango v3).
  • ACC-030 cross-instruction account-binding consistency. HPSE-driven sibling comparison: for every account symbol that appears in two or more handlers' Accounts structs, flag any handler whose constraint set is strictly weaker than another's on the same symbol. Anchor-only via is_anchor_program gate. Targets the OtterSec ADV-02 class (shared-vault mint validation gap). Ships under register_experimental(). Unit-test TPs on synthetic fixture; precision tuning underway against the expanded bench corpus before strict promotion. Zero FPs on the native subset.
  • INV-004 config-mutation reachability with downstream-effect awareness (2026-05-12). Joins writers (FMI) ∘ admin gate (CRE) ∘ dependent-state-presence emptiness (DSPE) ∘ effect-target config-coupling reader (ETCC) and emits when a config mutator can execute while dependent open state is non-empty (the pre-existing-state invalidation pattern). Anchor-only via is_anchor_program gate. Targets the Certora 1.13.0 L-02 / 1.17.0 M-03 / 1.17.0 M-06 class (config update invalidates pre-existing state: debt_term_seconds, liquidation penalty params, near-maturity reserve term-config). Three corpus fixtures wrapped as Anchor workspaces (debt-term-seconds-style positive, liquidation-penalty-style positive, properly-gated negative). Measured corpus-wide: 2 TP / 0 FP / 0 FN → F1 = 1.000. Native FP smoke test: 0 on Serum / Phoenix / Solend / Mango v3. Ships under register_experimental(); strict-tier promotion ready pending wider real-protocol corpus. Three new shared linker primitives back the rule (ETCC, DSPE, CFC) and are now first-class citizens in pinpoint-linker-solana for future rules.
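The sibling comparison that INV-001 performs (and that ACC-030 performs keyed on an account symbol instead of a struct field) is small enough to show in full. The Rust below is an added illustration, not code from pinpoint-rules-solana or pinpoint-linker-solana: the Mutator and Escape types are a constructed stand-in for the linker's HPSE representation, and every handler name except clone_reserve_config and every predicate spelling is invented for the fixture.

```rust
use std::collections::{BTreeMap, BTreeSet};

/// A guard a handler enforces before it mutates a field, e.g.
/// "signer(admin)" or "!config.is_immutable".
type Predicate = &'static str;

/// One handler-predicate-set entry: the handler, the struct field it
/// mutates, and the predicates checked on the way to that write.
/// (Constructed shape for this example; not the linker's HPSE type.)
#[derive(Debug, Clone)]
struct Mutator {
    handler: &'static str,
    struct_ty: &'static str,
    field: &'static str,
    predicates: BTreeSet<Predicate>,
}

/// An invariant escape: `weak` reaches the same write as `strong` while
/// checking a strict subset of `strong`'s predicates.
#[derive(Debug, Clone, PartialEq, Eq, PartialOrd, Ord)]
struct Escape {
    struct_ty: &'static str,
    field: &'static str,
    weak: &'static str,
    strong: &'static str,
    missing: Vec<Predicate>,
}

/// Sibling comparison: group mutators by (struct type, field), then flag
/// every mutator whose predicate set is a strict subset of a sibling's.
/// Equal sets and incomparable sets are not flagged.
fn find_invariant_escapes(mutators: &[Mutator]) -> Vec<Escape> {
    let mut groups: BTreeMap<(&'static str, &'static str), Vec<&Mutator>> = BTreeMap::new();
    for m in mutators {
        groups.entry((m.struct_ty, m.field)).or_default().push(m);
    }
    let mut escapes = Vec::new();
    for ((struct_ty, field), group) in groups {
        for weak in &group {
            for strong in &group {
                if weak.handler == strong.handler {
                    continue;
                }
                // Strict subset: everything `weak` checks, `strong` checks
                // too, and `strong` checks at least one predicate more.
                if weak.predicates.is_subset(&strong.predicates)
                    && weak.predicates.len() < strong.predicates.len()
                {
                    escapes.push(Escape {
                        struct_ty,
                        field,
                        weak: weak.handler,
                        strong: strong.handler,
                        missing: strong.predicates.difference(&weak.predicates).copied().collect(),
                    });
                }
            }
        }
    }
    escapes.sort();
    escapes
}

/// Constructed fixture in the shape of the Certora 1.17.0 M-07 class named
/// above: one config mutator checks the immutability flag, the clone path
/// to the same field does not. Names other than `clone_reserve_config`
/// are invented here.
fn sample_mutators() -> Vec<Mutator> {
    let set = |ps: &[Predicate]| ps.iter().copied().collect::<BTreeSet<Predicate>>();
    vec![
        Mutator {
            handler: "update_reserve_config",
            struct_ty: "ReserveConfig",
            field: "params",
            predicates: set(&["signer(lending_market_owner)", "!config.is_immutable"]),
        },
        Mutator {
            handler: "clone_reserve_config",
            struct_ty: "ReserveConfig",
            field: "params",
            predicates: set(&["signer(lending_market_owner)"]),
        },
        // Equal predicate sets on the same field: a sibling pair, not an escape.
        Mutator { handler: "set_fee", struct_ty: "Market", field: "fee_bps", predicates: set(&["signer(admin)"]) },
        Mutator { handler: "set_fee_v2", struct_ty: "Market", field: "fee_bps", predicates: set(&["signer(admin)"]) },
    ]
}

fn main() {
    for e in find_invariant_escapes(&sample_mutators()) {
        println!(
            "INV-001 {}.{}: `{}` skips {:?} that sibling `{}` enforces",
            e.struct_ty, e.field, e.weak, e.missing, e.strong
        );
    }
}
```

The strictness test is what keeps the rule quiet on the native subset: two handlers that check the same things, or that check different but non-nested things, never fire. What the comparison cannot see is a predicate that is enforced in a different form (a PDA seed rather than an explicit flag check), which is the kind of case the precision tuning mentioned for ACC-030 has to absorb.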

The linker substrate gained three capabilities to support these and future cross-program rules:

  • Conditional reachability (CRE) on every CrossProgramEdge in LinkedGraph (100% coverage on a 4-program governance slice).
  • Multi-hop CPI path enumeration in LinkedGraph::enumerate_paths, so rules can reason about chains longer than a single CPI hop.
  • Cross-CPI data-flow (CDF) tracker in pinpoint-linker-solana/src/data_flow.rs, propagating taint / account-binding facts across program boundaries.

A diff-aware scan mode was also shipped:

  • spectre scan --vs <git-ref> (CLI flag plus diff_findings and worktree-based baseline scan in the CLI). Reframes the rule output to "findings new since the baseline ref" so SPECTRE's cadence matches an audit firm's per-release diff review.
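A baseline diff is only as useful as the identity it assigns to a finding: if findings are keyed by line number, every insertion above an old hit makes it look new. The Rust below is an added sketch of that design choice, not the CLI's actual diff_findings implementation; the Finding type, the fingerprint of (rule, file, handler) and the file paths are all constructed for the example.

```rust
use std::collections::BTreeSet;

/// One finding as a scan emits it. Constructed shape for this example;
/// the spectre CLI's real JSON schema is not shown on this page.
#[derive(Debug, Clone, PartialEq, Eq, PartialOrd, Ord)]
struct Finding {
    rule: &'static str,
    file: &'static str,
    handler: &'static str,
    line: u32,
}

impl Finding {
    /// Identity used for the baseline comparison. The line number is
    /// deliberately left out: a finding that only moved because code
    /// above it changed is not "new since the baseline ref".
    fn fingerprint(&self) -> (&'static str, &'static str, &'static str) {
        (self.rule, self.file, self.handler)
    }
}

/// Findings at HEAD whose fingerprint does not occur in the baseline scan.
fn diff_findings(baseline: &[Finding], head: &[Finding]) -> Vec<Finding> {
    let known: BTreeSet<_> = baseline.iter().map(Finding::fingerprint).collect();
    let mut fresh: Vec<Finding> = head
        .iter()
        .filter(|f| !known.contains(&f.fingerprint()))
        .cloned()
        .collect();
    fresh.sort();
    fresh
}

/// Constructed baseline and HEAD scans: the AUTH-001 hit moved from line
/// 40 to line 52 (code inserted above it); the RACE-001 hit is new.
fn sample_baseline() -> Vec<Finding> {
    vec![Finding { rule: "AUTH-001", file: "programs/example/src/withdraw.rs", handler: "withdraw", line: 40 }]
}

fn sample_head() -> Vec<Finding> {
    vec![
        Finding { rule: "AUTH-001", file: "programs/example/src/withdraw.rs", handler: "withdraw", line: 52 },
        Finding { rule: "RACE-001", file: "programs/example/src/repay.rs", handler: "repay", line: 88 },
    ]
}

fn main() {
    for f in diff_findings(&sample_baseline(), &sample_head()) {
        println!("new since baseline: {} in {}::{} (line {})", f.rule, f.file, f.handler, f.line);
    }
}
```

The trade-off of dropping the line from the key is that two hits of the same rule inside one handler collapse into one identity, so a second missing reload added to a handler that already had one would not surface as new; a per-handler count in the fingerprint is the usual way to recover that without reintroducing line-shift noise.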

The rule inventory grew from 45 to 47 with the deepen-and-close-gap epic, then to 48 with the config-invariants follow-on, and to 74 after the direct-dispatch race / arithmetic / state-management sprints on 2026-05-12 (14 strict, 60 experimental). Bench-corpus precision / recall for the new rules and regression checks on the strict pack are recorded in code/cli/crates/pinpoint-rules-solana/benches/solana/runner/results/scorecard.md (the canonical scorecard, updated per-sprint).

The 2026-05-12 direct-dispatch sprints (no SPOQ ceremony, single-rule each) shipped six additional experimental-tier detectors:

  • RACE-001 stale-account-after-CPI. Single-handler TOCTOU: an Anchor Account<'info, T> is read after a CPI call without an intervening .reload(). F1 = 1.000 corpus-wide.
  • RACE-002 cross-handler TOCTOU on order / position economic fields. Closes the Certora 1.13.0 M-02 class. F1 = 1.000 corpus-wide.
  • RACE-003 asymmetric create / cleanup permission DoS. Closes the OtterSec ADV-04 / ADV-05 class (Solend withdraw-queue tombstone spam, Kamino klend partial-rollover lingering state). F1 = 1.000 corpus-wide.
  • RACE-004 cross-handler write-write conflict without sequence / nonce / version coordination (lost-update race). Three RMW signatures: compound-assign, checked / saturating / wrapping arithmetic on the same field, snapshot-then-write. The matcher gates on anchor_backed_rmw_fields so dispatcher false positives and raw-AccountInfo stub patterns do not fire. F1 = 1.000 corpus-wide after the precision-tune sprint (6 FPs → 0).
  • ARI-050 unchecked arithmetic on security-sensitive balance / debt / equity writes with a user-controlled operand. First narrow detector in category 11 (arithmetic / precision). F1 = 1.000 on fixtures.
  • STATE-001 rent-exemption gap on account realloc / grow. Dual-shape matcher: bare AccountInfo::realloc(...) body call and the Anchor realloc = macro attribute (disambiguated from the realloc::payer safety attr via the constraint extractor's keyed map, not substrings). Suppresses on Rent::get / minimum_balance / system_program::transfer / lamports.borrow_mut in the same handler. F1 = 1.000 on fixtures, 0 corpus FPs. First cat-6 state-management detector beyond close-account lifecycle.

4. V12 finding closure cross-reference

Authoritative table mapping V12 (Zellic) internal-bench findings to the SPECTRE detector that closes them, with evidence pointers to the integration-smoke report that confirms each fire.

AUDIT-CROSSREF.md

Currently closed:

| Finding | Severity | Detector | Closed by epic |
|---|---|---|---|
| F-54628 | High | PKT-001 | spectre-solana-signed-packet-rules-2026-06 |
| F-54642 | High | PKT-002 | spectre-solana-signed-packet-rules-2026-06 |
| F-54651 | High | LIAB-001 | spectre-solana-signed-packet-rules-2026-06 |

5. Disclosure-grade v1.0 report

The original v1.0 disclosure-grade ecosystem report — the long-form narrative deliverable shipped to protocol teams and the Solana Foundation — remains at the top level for reference:

SPECTRE-Solana-Ecosystem-Security-Report-2026-05.md

The topline numbers in that report (24 protocols, 2,581 findings, May-7 corpus) are superseded by §1 above (55 protocols, 3,356 findings, May-9 corpus). The narrative, methodology, and per-protocol sections in v1.0 remain accurate — the May-9 pass is an additive expansion, not a methodological revision.


6. Versioning

| Version | Date | Change |
|---|---|---|
| Master Report | 2026-05-09 | Initial — supersedes v1.0 topline; restructures the audits/ directory into corpus/, per-protocol/, methodology/. |
| v1.0 Ecosystem Report | 2026-05-08 | Disclosure-grade narrative, 24-protocol corpus. Retained at the top level. |