Do not report security vulnerabilities through public GitHub Issues.
Instead, report them via:
- Email: Send to the project maintainer (see repository settings for contact)
- GitHub: Use the private vulnerability reporting feature if enabled
Please include:
- Description of the vulnerability
- Affected component (on-chain program, worker backend, frontend)
- Steps to reproduce or proof of concept
- Potential impact (fund loss, data exposure, access control bypass)
- Suggested fix (if available)
We aim to acknowledge reports within 48 hours and provide a substantive response within 7 days.
| Component | Type | Severity |
|---|---|---|
| bethere-escrow/ | On-chain Solana program (Quasar) | Critical, High, Medium |
| worker/src/solana_escrow.rs | TX builders (deposit, refund, claim) | Critical, High, Medium |
| worker/src/handlers/deposit.rs | Deposit confirmation, webhook handling | Critical, High |
| worker/src/auth.rs | JWT authentication, session management | Critical, High |
| worker/src/middleware.rs | Auth guards, security headers | High, Medium |
| Worker secrets handling | env.secret(), debug redaction | High |
- Social engineering attacks
- Denial of service (Cloudflare Workers handles DDoS mitigation)
- Third-party service vulnerabilities (Google OAuth, Helius RPC)
- Devnet-only issues (test tokens, faucet abuse)
- Issues requiring `DEV_MODE=1` to exploit
The BeThere escrow has undergone an internal security audit with 15 findings (12 fixed, 3 confirmed safe). See docs/security_audit.md for full details.
The `DELETE /api/events/{id}/delete` endpoint with `?force=true` allows a SuperAdmin to hard-delete events in Draft or Archived status, bypassing the SEC-004 escrow guard. This is intended only for devnet cleanup and is gated at the handler level to the SuperAdmin role. When force mode is used, an explicit warning is logged server-side. In normal mode (no `force` param), only Archived events with closed escrows can be hard-deleted.
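The gating rule above written out as a pure decision function, as an added example that is not the BeThere project's own handler code; the type names, the HTTP status codes and the warning text are assumptions, the rule itself (SuperAdmin only; force mode limited to Draft or Archived; normal mode limited to Archived events with a closed escrow; a warning whenever force is used) follows the paragraph.

```rust
// Added example (not the BeThere project's own code): models the hard-delete gate
// described above as a pure decision function so the rule can be unit-tested apart
// from the HTTP handler. The type and function names and status codes are assumptions.
#[derive(Clone, Copy, Debug, PartialEq, Eq)]
pub enum Role { Attendee, Organizer, Admin, SuperAdmin }

#[derive(Clone, Copy, Debug, PartialEq, Eq)]
pub enum EventStatus { Draft, Published, Archived }

#[derive(Debug, PartialEq, Eq)]
pub enum Decision {
    /// Normal path: an Archived event whose on-chain escrow is already closed.
    Allow,
    /// Force path (?force=true): SEC-004 escrow guard bypassed; caller must log a warning.
    AllowForced,
    Deny(&'static str),
}

pub fn authorize_hard_delete(role: Role, status: EventStatus, escrow_closed: bool, force: bool) -> Decision {
    // Role is checked first so the force flag can never widen who may delete.
    if role != Role::SuperAdmin {
        return Decision::Deny("hard delete requires SuperAdmin role");
    }
    if force {
        // Devnet cleanup path: Draft or Archived only, escrow state deliberately ignored.
        return match status {
            EventStatus::Draft | EventStatus::Archived => Decision::AllowForced,
            EventStatus::Published => Decision::Deny("force delete is limited to Draft or Archived events"),
        };
    }
    // Normal path: the SEC-004 guard requires a closed escrow, and only Archived events qualify.
    match (status, escrow_closed) {
        (EventStatus::Archived, true) => Decision::Allow,
        (EventStatus::Archived, false) => Decision::Deny("escrow still open (SEC-004 guard)"),
        _ => Decision::Deny("only Archived events can be hard-deleted"),
    }
}

/// Handler-side glue (assumed shape): maps the decision to an HTTP status and to the
/// server-side warning line that force mode must emit. 403 for role, 409 for state.
pub fn handle_delete(role: Role, status: EventStatus, escrow_closed: bool, force: bool) -> (u16, Option<String>) {
    match authorize_hard_delete(role, status, escrow_closed, force) {
        Decision::Allow => (204, None),
        Decision::AllowForced => (204, Some(format!(
            "WARN force hard-delete of {:?} event by SuperAdmin; SEC-004 escrow guard bypassed", status))),
        Decision::Deny(_) if role != Role::SuperAdmin => (403, None),
        Decision::Deny(_) => (409, None),
    }
}
```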
| ID | Severity | Title | Status |
|---|---|---|---|
| SEC-001 | Critical | Check-in gate enables complete fund theft | Fixed (Phase 3) |
| SEC-002 | High | Escrow fields mutable after on-chain init | Fixed (Phase 1) |
| SEC-012 | High | Refund deadline race with claim_forfeited | Fixed (Phase 5) |
| ID | Title | Status |
|---|---|---|
| SEC-003 | No maximum deposit cap | Fixed (Phase 1) |
| SEC-004 | Archive doesn't deactivate on-chain escrow | Fixed (Phase 1) |
| SEC-005 | Explorer links hardcoded to devnet | Fixed (Phase 2) |
| SEC-009 | transfer() not transfer_checked() (Token-2022) | Fixed (Phase 3) |
| SEC-010 | AttendeeDeposit PDAs never closed (rent leak) | Fixed (Phase 4) |
| SEC-011 | No event_end guard on mark_checked_in | Fixed (Phase 3) |
| SEC-013 | Vault griefing via external USDC airdrop | Fixed (Phase 5) |
| SEC-014 | No wallet network detection (wrong cluster TX) | Fixed (Phase 6) |
| ID | Title | Status |
|---|---|---|
| SEC-007 | Worker cannot manipulate funds (non-custodial) | Confirmed Safe |
| SEC-008 | On-chain escrow fields immutable after creation | Confirmed Safe |
| SEC-015 | Stranded lamports on token accounts (never recovered) | Confirmed Safe |
- Internal audit: docs/security_audit.md (full findings, Solana Foundation checklist cross-reference, Kani formal verification)
- Protocol design: docs/escrow_protocol.md
- Solana Foundation: Security Checklist (18 vulnerability categories + program/client checklists)
- Cross-reference: Safe Solana Builder by Frank Castle
- Community: Solana Audit Arena (weekly security competitions)
- Standards: NIST SP 800-53 AU controls (Audit Logging), recommended for persistent transaction history
- Solana safety: Solana Safety Guide (secure program development practices)
- Payments: Solana Foundation Payments & Commerce payment UX/security checklist (6/6 compliant)
Cross-referenced against the Solana Foundation Security Checklist. Full mapping in docs/security_audit.md.
| Category | Status | Notes |
|---|---|---|
| Owner Checks | Compliant | Quasar framework enforces owner == program_id via typed Account<> |
| Signer Checks | Compliant | All mutating instructions require Signer + has_one(organizer/attendee) |
| Arbitrary CPI Prevention | Compliant | Program<TokenProgram> enforces CPI target is SPL Token |
| Reinitialization Prevention | Compliant | init constraint on PDA accounts; unique seeds prevent reuse |
| PDA Sharing Prevention | Compliant | Seeds include organizer+event_id (escrow) and event+attendee (deposit) |
| Type Cosplay Prevention | Compliant | Discriminators 1 (EventEscrow) and 2 (AttendeeDeposit) |
| Duplicate Mutable Accounts | Compliant | require_distinct helper checks all 8 instruction handlers for duplicate addresses |
| Revival / Close Attacks | Compliant | close(dest=organizer) in Quasar; vault closed atomically with escrow |
| Data Matching | Compliant | has_one(organizer) and address = Seeds(...) constraints on all accounts |
| Checked Math | Compliant | All arithmetic uses checked_add/checked_sub (SEC-009 audit) |
| Token-2022 Compatibility | Compliant | transfer_checked() with mint + decimals (SEC-009 fix) |
| Rent Reclamation | Compliant | close_deposit instruction + GC path (SEC-010 fix) |
| Formal Verification | Verified | 13 Kani harnesses, 729 checks, all pass |
| Payment UX/Security | Compliant | Custom Solana Pay flow (not Commerce Kit); 6/6 checks pass. Deposits go to PDA escrow, not merchant wallet |
No formal bug bounty program is currently active. This may change after the mainnet deployment. Security researchers who submit valid findings will be credited in the security audit document.
- Coordinated disclosure: We ask that vulnerabilities be kept confidential until a fix is deployed.
- Timeline: We aim to deploy fixes for Critical/High findings within 30 days of confirmation.
- Credit: Researchers who report valid vulnerabilities will be credited (with permission) in audit documentation.