{"id":102,"date":"2021-11-05T17:00:01","date_gmt":"2021-11-05T16:00:01","guid":{"rendered":"https:\/\/ackeeblockchain.com\/blog\/?p=102"},"modified":"2022-04-04T09:59:58","modified_gmt":"2022-04-04T08:59:58","slug":"ackee-blockchain-audited-marinade-finance","status":"publish","type":"post","link":"https:\/\/ackee.xyz\/blog\/ackee-blockchain-audited-marinade-finance\/","title":{"rendered":"Ackee Blockchain audited Marinade.Finance"},"content":{"rendered":"<h4>About Marinade.Finance<\/h4>\n<p><a class=\"au lf\" href=\"https:\/\/marinade.finance\/\" target=\"_blank\" rel=\"noopener ugc nofollow\">Marinade.Finance<\/a> is <strong>a<\/strong><strong class=\"kj ja\">\u00a0non-custodial liquid staking protocol\u00a0<\/strong>built on Solana. Users stake their SOL tokens with Marinade and receive mSOL (\u201cmarinated SOL\u201d) tokens in return that can be used in decentralized finance (DeFi). mSOL is the most widely integrated collateralized version of SOL. The price of mSOL goes up relative to SOL each epoch, with rewards being accrued into the user&#8217;s stake account.<\/p>\n<p>To learn more about Marinade.Finance, read <strong>the official documentation <a href=\"https:\/\/docs.marinade.finance\/\">here<\/a><\/strong>.<\/p>\n<h4>About the audit<\/h4>\n<p class=\"p1\"><strong>On September 1, 2021<\/strong>, the Ackee Blockchain security team completed an <a href=\"https:\/\/ackeeblockchain.com\/blog\/glossary\/audit\/\">audit<\/a> of <b>Marinade.Finance<\/b>. The files reviewed were: <em>\/programs\/marinade-finance<\/em>. 
The audit was performed with a total time donation of <strong>1 engineering month<\/strong>.<\/p>\n<p class=\"p1\">At the beginning of the\u00a0<span class=\"s1\">audit<\/span>, the\u00a0following\u00a0<b>main objectives\u00a0<\/b>were defined:<\/p>\n<ul>\n<li style=\"font-weight: 400;\"><span style=\"font-weight: 400;\">Check the overall code quality.<\/span><\/li>\n<li style=\"font-weight: 400;\"><span style=\"font-weight: 400;\">Make sure that no unauthorized party can withdraw SOL or mSOL from the liquid pool.<\/span><\/li>\n<li style=\"font-weight: 400;\"><span style=\"font-weight: 400;\">Verify that only Marinade itself can mint tokens.<\/span><\/li>\n<li style=\"font-weight: 400;\"><span style=\"font-weight: 400;\">Check that only authorized entities can deploy the program to the Solana network.<\/span><\/li>\n<\/ul>\n<p class=\"p2\">The security review was performed by <strong>manual code review<\/strong> &#8211; checking the code line by line for common vulnerabilities or code duplication, and by <strong>local deployment and hacking<\/strong> &#8211; deploying the program locally, then trying to attack the system and break it.<\/p>\n<h4>Findings<\/h4>\n<p class=\"p1\">Applying the methods described above led to <strong>the following <a href=\"https:\/\/ackeeblockchain.com\/blog\/glossary\/findings\/\">findings<\/a><\/strong>:<\/p>\n<ul>\n<li>L1: Not using a stable toolchain<\/li>\n<li>L2: Not using a linter tool<\/li>\n<li>L3: Using the outdated dependencies<\/li>\n<li>L4: Repository contains deploy keys<\/li>\n<li>M1: Using deprecated libraries<\/li>\n<\/ul>\n<p><strong>4 low<\/strong> severity issues and <strong>1 medium<\/strong> severity issue were identified. 
None of these issues required immediate action.<\/p>\n<h4>Conclusion<\/h4>\n<p class=\"p1\">Based on the audit findings, <strong>Ackee Blockchain recommended<\/strong> addressing the project&#8217;s lack of technical leadership by establishing clear rules and guidelines for development, commit messages, log messages, coding style, comments and documentation, peer reviews between developers, and a clear roadmap for features and deployment. All of that should help future auditors or developers better understand the code.<\/p>\n<p>The Marinade team was helpful and cooperative throughout the auditing process. <strong>All imperfections<\/strong> in the documentation and the commit culture <strong>were resolved quickly<\/strong>.<\/p>\n<p>We were delighted to audit <strong>Marinade.Finance<\/strong> and look forward to working with them again.<\/p>\n<p class=\"p1\"><strong>The full Ackee Blockchain audit report of Marinade.Finance with a more detailed description of all findings and recommendations can be found <a href=\"https:\/\/marinade.finance\/docs\/AckeeBlockchain.pdf\">here<\/a>.<\/strong><\/p>\n","protected":false},"excerpt":{"rendered":"<p>About Marinade.Finance Marinade.Finance is a\u00a0non-custodial liquid staking protocol\u00a0built on Solana. Users stake their SOL tokens with Marinade and receive mSOL (\u201cmarinated SOL\u201d) tokens in return that can be used in decentralized finance (DeFi). mSOL is the most widely integrated collateralized version of SOL. 
The price of mSOL goes up relative to SOL each epoch, with rewards being accrued into user&#8217;s stake account.&hellip;<\/p>\n","protected":false},"author":11,"featured_media":105,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[20,5],"tags":[21,139,23,6],"class_list":["post-102","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-audits","category-solana","tag-audit","tag-marinade","tag-report","tag-solana"],"aioseo_notices":[],"featured_image_src":"https:\/\/ackee.xyz\/blog\/wp-content\/uploads\/2021\/11\/ABCH-Marinade-Finance-1x-600x400.png","featured_image_src_square":"https:\/\/ackee.xyz\/blog\/wp-content\/uploads\/2021\/11\/ABCH-Marinade-Finance-1x-600x600.png","author_info":{"display_name":"Andrea Nov\u00e1kov\u00e1","author_link":"https:\/\/ackee.xyz\/blog\/author\/andrea-novakova\/"},"_links":{"self":[{"href":"https:\/\/ackee.xyz\/blog\/wp-json\/wp\/v2\/posts\/102","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/ackee.xyz\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/ackee.xyz\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/ackee.xyz\/blog\/wp-json\/wp\/v2\/users\/11"}],"replies":[{"embeddable":true,"href":"https:\/\/ackee.xyz\/blog\/wp-json\/wp\/v2\/comments?post=102"}],"version-history":[{"count":0,"href":"https:\/\/ackee.xyz\/blog\/wp-json\/wp\/v2\/posts\/102\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/ackee.xyz\/blog\/wp-json\/wp\/v2\/media\/105"}],"wp:attachment":[{"href":"https:\/\/ackee.xyz\/blog\/wp-json\/wp\/v2\/media?parent=102"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/ackee.xyz\/blog\/wp-json\/wp\/v2\/categories?post=102"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/ackee.xyz\/blog\/wp-json\/wp\/v2\/tags?post=102"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","temp
lated":true}]}}