Merged
8 changes: 6 additions & 2 deletions README.md
Expand Up @@ -4,8 +4,6 @@
[![Built with Pinocchio](https://img.shields.io/badge/Built%20with-Pinocchio-purple)](https://github.com/solana-program/pinocchio)
[![Solana](https://img.shields.io/badge/Solana-Devnet-green)](https://solana.com)

> **SECURITY NOTICE**: This program has not been audited. Use at your own risk. Not recommended for production use with real funds without a thorough security review.

## Program ID

```
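Review bot: Deleting the SECURITY NOTICE block quote outright leaves the README on `main` with no caveat at all, even though the new `audits/AUDIT_STATUS.md` in this same PR states that `main` may contain unaudited commits; suggest replacing the notice with a scoped one rather than removing it, e.g. `> **SECURITY NOTICE**: Only commits up to the audited-through SHA listed in audits/AUDIT_STATUS.md have been audited; later commits on main are unaudited.`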
Expand Down Expand Up @@ -122,6 +120,12 @@ just fmt
- **[Codama](https://github.com/codama-idl)** - IDL-driven client generation
- **[LiteSVM](https://github.com/LiteSVM/litesvm)** - Fast local testing

## Security Audit

`escrow` has been audited by [Accretion](https://accretion.xyz). View the [audit report](audits/2026-accretion-solana-foundation-escrow-audit-A26SFR3.pdf).

Audit status, audited-through commit, and the current unaudited delta are tracked in [audits/AUDIT_STATUS.md](audits/AUDIT_STATUS.md).

---

Built and maintained by the [Solana Foundation](https://solana.org/).
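Review bot: The new Security Audit section says `escrow` "has been audited" without naming the commit or release the audit covers, so a reader of the README on `main` can take the whole branch as audited; suggest stating the audited-through commit (or the release tag, once one exists) inline beside the report link, e.g. `audited through commit 36187ad52c7c03d11b13b6f1da9461f2f757cee2`, and keeping the sentence that points to `audits/AUDIT_STATUS.md` for the live unaudited delta.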
Binary file not shown.
40 changes: 40 additions & 0 deletions audits/AUDIT_STATUS.md
@@ -0,0 +1,40 @@
# Audit Status

Last updated: 2026-04-07

## Current Baseline

- Auditor: Accretion
- Report: `audits/2026-accretion-solana-foundation-escrow-audit-A26SFR3.pdf`
- Audited-through commit: `36187ad52c7c03d11b13b6f1da9461f2f757cee2`
- Compare unaudited delta: https://github.com/solana-program/escrow/compare/36187ad52c7c03d11b13b6f1da9461f2f757cee2...main

Audit scope is commit-based. Commits after the audited-through SHA are considered unaudited until a new audit or mitigation review updates this file.

## Branch and Release Model

- `main` is the integration branch and may contain audited and unaudited commits.
- Stable production releases are immutable tags/releases (for example `v1.0.0`).
- Audited baselines are tracked by commit SHA plus immutable tags/releases, not by long-lived release branches.

## Verification Commands

```bash
# Count commits after the audited baseline
git rev-list --count 36187ad52c7c03d11b13b6f1da9461f2f757cee2..main

# Inspect commit list since audited baseline
git log --oneline 36187ad52c7c03d11b13b6f1da9461f2f757cee2..main

# Inspect file-level diff since audited baseline
git diff --name-status 36187ad52c7c03d11b13b6f1da9461f2f757cee2..main
```

## Maintenance Rules

When a new audit is completed:

1. Add the new report to `audits/`.
2. Update `Audited-through commit` and `Compare unaudited delta`.
3. Tag audited release commit(s) (for example `vX.Y.Z`).
4. Update README and release notes links if needed.
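Review bot: The three verification commands compare the baseline against the local branch `main`, which is only meaningful if the checkout is current; suggest prefixing them with `git fetch origin` and comparing against `origin/main` (or the release tag being verified), e.g. `git rev-list --count 36187ad52c7c03d11b13b6f1da9461f2f757cee2..origin/main`. Also, the Branch and Release Model says audited baselines are tracked by SHA plus immutable tags, but the Current Baseline lists only a SHA and no tag; add the tag name once it exists, and note that a git tag is only immutable if it is protected in the hosting platform or signed and checked against the listed SHA, since an unprotected tag can be moved or deleted.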