Security
Nodosol takes security seriously. This page summarises our posture, how to report vulnerabilities, and the contact channel under which we coordinate disclosure.
Contact
Email security@nodosol.com with the subject line [security] and a reproduction. PGP not yet published — coordination over email is acceptable for the current devnet phase.
Responsible disclosure
- Email us before any public posting, social, or write-up. We aim to acknowledge within 48h and patch high-impact issues within 14 days.
- Do not run destructive tests against accounts you don't own. On devnet, fund-loss tests against your own wallets are fine and welcome.
- We do not currently run a paid bounty programme. Severe issues that materially protect user funds are eligible for a discretionary reward — discussed case-by-case at disclosure.
- Once patched, we credit reporters in the README + CHANGELOG unless you ask to remain anonymous.
Audit status
On-chain authority model
- Squads 2-of-3 multisig holds the upgrade authority on every Anchor program (devnet). The single dev keypair retains zero unilateral upgrade power. Mainnet will use a 3-of-5 with hardware signers.
- Global pause kill-switch on seven fund-moving programs (tip_jar, subscription, events, event_tickets, marketplace, otc_deals, auctions). The Squads-controlled config authority can pause every fund flow with a single multisig proposal.
- Per-program solana_security_txt embeds this page + the contact email directly in each program binary so explorers / scanners discover them automatically.
Off-chain hardening
- Wallet-signed JWTs gate every authenticated Supabase write (HS256, 15-minute TTL); rotation runbook in SECURITY_RUNBOOK.md.
- RLS-by-default on every Supabase table keyed off auth.jwt()->>'sub' matching the wallet pubkey. Edge Functions use the service-role key only when the action requires bypass (e.g. audit logging).
- security_events append-only log captures sig_verify_fail, rate_limit_hit, turnstile_fail, jwt_issued, email_unsubscribed. Visible to ops via the admin panel.
- CSP + security headers (X-Content-Type-Options, X-Frame-Options, Referrer-Policy, Permissions-Policy) ship on every route. CSP is currently in report-only mode with an enforcement flip planned after the public-traffic shake-out.
- Cloudflare Turnstile protects group-chat writes (configurable; gracefully skips when env unset).
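The wallet-signed JWT gate above (HS256, 15-minute TTL, sub = wallet pubkey) and the jwt_issued / sig_verify_fail events, as an added stand-alone example. This is illustrative code written for this page, not Nodosol's implementation: it assumes the wallet's signature over a login challenge has already been checked before issue_jwt is called, uses a constructed placeholder secret, and treats an in-memory list as a stand-in for the append-only security_events table. Event names are those listed on this page; logging a JWT HMAC mismatch under sig_verify_fail is this example's assumption.

```python
"""Added example: HS256 session JWT with a 15-minute TTL, keyed on a wallet pubkey.

Not Nodosol's code. Assumptions: wallet-signature verification of the login
challenge happens before issue_jwt(); SECRET is a placeholder; security_events
is an in-memory stand-in for the append-only table described on the page.
"""
import base64
import hashlib
import hmac
import json
import time
from typing import Optional

JWT_TTL_SECONDS = 15 * 60                      # 15-minute TTL, as on the page
SECRET = b"constructed-placeholder-secret-not-for-production"
SAMPLE_WALLET = "ConstructedWa11etPubkey" + "1" * 21   # constructed base58-looking pubkey
security_events = []                           # stand-in for the security_events table


class JwtError(Exception):
    """Raised when a token is malformed, has a bad signature, or is expired."""


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def _log_event(kind: str, **details) -> None:
    # Append-only: records are only ever added, never edited or removed.
    security_events.append({"ts": int(time.time()), "event": kind, **details})


def issue_jwt(wallet_pubkey: str, now: Optional[int] = None) -> str:
    """Mint an HS256 JWT whose 'sub' is the wallet pubkey. Caller has already
    verified the wallet's signature over the login challenge (assumed)."""
    now = int(time.time()) if now is None else now
    header = {"alg": "HS256", "typ": "JWT"}
    payload = {"sub": wallet_pubkey, "iat": now, "exp": now + JWT_TTL_SECONDS}
    compact = lambda obj: json.dumps(obj, separators=(",", ":")).encode()
    signing_input = _b64url(compact(header)) + "." + _b64url(compact(payload))
    sig = hmac.new(SECRET, signing_input.encode(), hashlib.sha256).digest()
    _log_event("jwt_issued", sub=wallet_pubkey)
    return signing_input + "." + _b64url(sig)


def verify_jwt(token: str, now: Optional[int] = None) -> dict:
    """Return the payload if the token is well-formed, HS256-signed with SECRET,
    and unexpired; otherwise log (where the page names an event) and raise."""
    now = int(time.time()) if now is None else now
    parts = token.split(".")
    if len(parts) != 3:
        raise JwtError("malformed token")
    h_b64, p_b64, s_b64 = parts
    header = json.loads(_b64url_decode(h_b64))
    # Pin the algorithm server-side; never let the token's header choose it.
    if header.get("alg") != "HS256":
        _log_event("sig_verify_fail", reason="alg_not_hs256")
        raise JwtError("unexpected alg")
    expected = hmac.new(SECRET, f"{h_b64}.{p_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(s_b64)):
        _log_event("sig_verify_fail", reason="jwt_hmac_mismatch")  # assumed event use
        raise JwtError("bad signature")
    payload = json.loads(_b64url_decode(p_b64))
    # Signature checked first, so 'exp' is trusted only after the HMAC passes.
    if int(payload.get("exp", 0)) <= now:
        raise JwtError("expired")
    if not isinstance(payload.get("sub"), str) or not payload["sub"]:
        raise JwtError("missing sub")
    return payload


if __name__ == "__main__":
    t0 = 1_700_000_000
    token = issue_jwt(SAMPLE_WALLET, now=t0)
    print(verify_jwt(token, now=t0 + 60)["sub"])
    print(security_events)
```

The order of checks matters: the HMAC is verified over the header and payload before any claim is read, so a tampered `exp` or `sub` is rejected as a bad signature rather than being interpreted, and the RLS policy keyed off auth.jwt()->>'sub' only ever sees a pubkey the server signed for.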
Program IDs
Devnet — mainnet IDs publish at audit close.
tip_jar — C2bM3p1Cco4bDj6gQe29k7UWcepxLCrVgiPPoidh549P
subscription — 8G2hbD1qJUcaVAEdfVxaHfbCgxyEzQdrpjhDMM9pSL4w
events — 4q4KxCcvY7vswq3tXgr448ghXWBtz4PzNfoddZu282Ax
event_tickets — FDUwvXRETURbe2JN2PJNCKt6RPAsSLeSi7A4pFMGmtrE
marketplace — 69ZFM7nHUTXcHp8TZpRtX4qr3ERK2VGxRdqXvNtbfJkZ
otc_deals — FmXBAWoSGanaFfP8p9gekgrFn7buEn1XUSFWebDr3Pwz
rwa_registry — 7BCWTrD7rcedAg3zpvtvNdManv39kzr3eHBjWyomCbdT
rwa_mint — HLCCfvp99Z1Rnix64mC6w6dYL9EkEjVmPCL7rr27evsU
auctions — 6c95kxTWCXacsAev4xnvNbKnLYWFGPpJT5zwT4SnWh5v
Out of scope
- Issues affecting third-party wallets (Phantom, Backpack) — report upstream.
- Rate-limiting / brute-force on RPC endpoints we don't operate.
- Devnet-only economic exploits (no real value at risk).
- Reports requiring physical access, social engineering of the team, or stolen secrets.