# Audit summary

All eight Quasar policy programs were security-audited internally in May 2026. A third-party audit is planned before any mainnet deployment.

## Scope of the internal review

The review focused on the classes of bug that matter most for programs that hold signing authority:

* **Front-running of policy accounts.** Mitigation in place: each policy PDA is seeded with a hash that includes the init authority, so a third party cannot predict the address and claim it before the legitimate deployment. See [RulesPolicy](/hub/andromeda/on-chain-programs/rules-policy.md).
* **Time source.** All time-dependent logic (daily limits, cooldowns, expiries, time windows) reads the Solana clock only; no client-supplied timestamps are trusted.
* **Replay protection.** Each kind of action has its own monotonic on-chain nonce (admin changes, primary recovery, quorum sessions), and challenges bind the nonce, so an action is single-use.
* **Type confusion.** Account and instruction data are validated against expected layouts; a payload shaped like the wrong type is rejected.
* **Oracle owner check.** The `oracle-conditional` program verifies the price account is owned by the Pyth program, so a spoofed price account does not pass.
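As an added illustration of the replay-protection item (not the Quasar program's own code), the following models one monotonic nonce per action kind and a domain-separated challenge that binds the current nonce. Type names, domain tags and the `tag || nonce || payload` layout are assumptions; signature verification is left to the runtime precompile and not modelled.

```rust
// Added example, not the Quasar program's own code. It models the per-action
// monotonic nonce and nonce-bound challenge described above; type names, domain
// tags and the challenge layout (tag || nonce LE || payload) are assumptions.
#[derive(Clone, Copy, Debug, PartialEq, Eq)]
pub enum ActionKind { AdminChange = 0, PrimaryRecovery = 1, QuorumSession = 2 }

impl ActionKind {
    /// Domain tag: a challenge built for one action kind is never valid as another.
    fn domain_tag(self) -> &'static [u8] {
        match self {
            ActionKind::AdminChange => b"quasar:admin-change:v1",
            ActionKind::PrimaryRecovery => b"quasar:primary-recovery:v1",
            ActionKind::QuorumSession => b"quasar:quorum-session:v1",
        }
    }
}

/// ChallengeMismatch: stale nonce, other action kind, or other payload.
/// NonceExhausted: the u64 counter would wrap; refuse rather than reuse nonce 0.
#[derive(Debug, PartialEq, Eq)]
pub enum ReplayError { ChallengeMismatch, NonceExhausted }

/// One counter per action kind, so consuming an admin nonce does not
/// invalidate a pending recovery or quorum-session challenge.
#[derive(Debug, Default)]
pub struct PolicyState {
    pub nonces: [u64; 3], // indexed by ActionKind discriminant
}

impl PolicyState {
    /// The challenge a member must sign for the current nonce of `kind`.
    pub fn expected_challenge(&self, kind: ActionKind, payload: &[u8]) -> Vec<u8> {
        let mut c = Vec::from(kind.domain_tag());
        c.extend_from_slice(&self.nonces[kind as usize].to_le_bytes());
        c.extend_from_slice(payload);
        c
    }

    /// Signature over `presented` is assumed already verified by the runtime precompile.
    /// Rejects a challenge not bound to the current nonce, otherwise advances the nonce
    /// so the same signed challenge is single-use. Returns the new nonce.
    pub fn apply(&mut self, kind: ActionKind, payload: &[u8], presented: &[u8]) -> Result<u64, ReplayError> {
        if self.expected_challenge(kind, payload).as_slice() != presented {
            return Err(ReplayError::ChallengeMismatch);
        }
        let next = self.nonces[kind as usize].checked_add(1).ok_or(ReplayError::NonceExhausted)?;
        self.nonces[kind as usize] = next;
        Ok(next)
    }
}
```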

## What was confirmed

* Signatures are verified by Solana runtime precompiles in-transaction; no off-chain attestor is in the trust path. See [Precompile validation](/hub/andromeda/on-chain-programs/precompiles.md) and [Zero attestor](/hub/andromeda/concepts/zero-attestor.md).
* The 34-byte member slot is canonical and fixed-width, so membership and dedup comparisons are unambiguous. See [RulesPolicy](/hub/andromeda/on-chain-programs/rules-policy.md).
* The fourteen challenge constructions in the Rust program match the TypeScript that builds them, byte for byte. See [Domain-separated challenges](/hub/andromeda/on-chain-programs/challenges.md).
* Roster and threshold changes can be staged as pending and applied separately, so a misconfiguration is reversible before it takes effect.

## What is still pending

* A third-party audit before mainnet.
* Everything else in [Status & disclaimers](/hub/andromeda/status.md) applies: devnet only, mock signer on the Ika side, pre-alpha networks, no production guarantees.

If you find an issue, see [Responsible disclosure](/hub/andromeda/security/disclosure.md).
