Security Assessment of Marinade Finance on Solana

Marinade is the “easiest way to stake Solana” and is a liquid staking protocol built on Solana where people can stake, use automated staking strategies, and receive tokens they can use to work within DeFi systems or swap back and unstake. The programs are written primarily in Rust.

For this blog, we will discuss the work executed during our security assessment for the Marinade team in 2021.

For a more in-depth overview of Marinade and its roadmap, please see Marinade’s documentation page here.

To begin, Marinade talked with us through their repository, as well as design and medium blog as displayed:

Our assessment focused on code committed as of October 15, 2021 and focused on the following objectives:

  1. To help the Client to better understand its security posture on the external perimeter and identify risks in its deployed chain & contract infrastructure.
  2. To provide a professional opinion on the maturity, adequacy, and efficiency of the security measures that are in place.
  3. To identify potential issues, including loss of funds scenarios, and include improvement recommendations based on the result of our tests.

There is a focused methodology that we follow in reviewing solutions such as Marinade. Not only do we review a threat assessment of possible exploits of the system, but we conduct a review of the code, appropriate usage of the SPL, fund loss scenarios, and program authentication scenarios and components. In all situations, the Marinade solution met our requirements for an effectively implemented product, including resolving any findings we uncovered.

In the security report, we identified (1) MEDIUM, (1) LOW, and (1) INFORMATIONAL finding.

After finalizing the assessment, we verified these few initial weaknesses in the code-base, but did not find any critical fund-loss weaknesses or staking issues and the team quickly resolved any findings in the code to our satisfaction prior to deployment.

It was a pleasure working with the Marinade and are looking forward to working with them again in the future.

The full Kudelski Security report is located here:

Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s