Devnet Security Audit Package
Executive Summary
This document provides an audit-ready security package for the AgenC Solana coordination program deployed to Solana Devnet. The scope includes the on-chain program, its Devnet deployment, and the smoke test validation run. No Critical, High, Medium, or Low findings were identified in this package; informational notes are listed where applicable.
Scope
| Item | Value |
|---|---|
| Program | programs/agenc-coordination |
| Commit | c53771ddbb4097f45c08fe339a924bb348c33aab |
| Address | EopUaCV2svxj9j4hd7KjbrWfdjkspmm2BCBe7jGpKzKZ |
| Address | EuDy3ct4M8Mge5s3TLSvH6jtKhGpxZAh6iyJ2xyrJJjb |
| Version | 0.32.1 |
Threat Model
The following threat categories are in scope for Devnet security validation:
Protocol Invariants
The protocol invariants below are enforced by program constraints and are used for audit and testing alignment.
| ID | Invariant | Rationale |
|---|---|---|
| E1 | Escrow balance conservation: distributed + escrow lamports == amount before closure. | Prevents fund loss or lockups. |
| E2 | Escrow distribution is monotonic. | Prevents double-spend rollback. |
| E3 | Escrow distribution is bounded by deposit. | Prevents overdrafts. |
| E4 | Escrow is closed only once; no transfers after close. | Prevents post-finalization drains. |
| E5 | Escrow PDA is bound to the task PDA. | Prevents escrow misdirection. |
| T1 | Task state transitions follow the defined state machine. | Prevents invalid state progression. |
| T2 | Terminal task states are immutable. | Prevents re-open or replay. |
| T3 | current_workers equals number of claims and is capped. | Prevents resource exhaustion. |
| T4 | completions <= required_completions. | Prevents over-payment. |
| T5 | Deadlines reject new claims. | Prevents liveness abuse. |
| R1 | Reputation is bounded to [0, 10000]. | Prevents overflow/underflow. |
| R2 | New agents start at baseline reputation. | Prevents artificial inflation. |
| R3 | Reputation increments are bounded and capped. | Prevents unbounded inflation. |
| R4 | Each claim can increment reputation once. | Prevents replay. |
| S1 | Arbiter stake threshold is enforced. | Prevents dispute capture. |
| S2 | Active agents cannot deregister. | Prevents task abandonment. |
| A1 | Agent updates require agent authority. | Prevents unauthorized updates. |
| A2 | Only task creator can cancel task. | Prevents unauthorized refunds. |
| A3 | Task completion requires worker authority. | Prevents impersonation. |
| A4 | Arbiter capability required for dispute voting. | Prevents capability spoofing. |
| A5 | Protocol authority governs global parameters. | Prevents protocol takeover. |
| D1 | Dispute state machine is enforced. | Prevents invalid dispute states. |
| D2 | One vote per arbiter per dispute. | Prevents vote duplication. |
| D3 | Voting window enforced by deadline. | Prevents late or early votes. |
| D4 | Resolution threshold enforced. | Prevents weak consensus. |
| D5 | Disputes only for eligible task states. | Prevents griefing. |
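The escrow invariants E1-E4 and the reputation bounds R1/R3 above, modelled in plain Rust as an added example (this is not the AgenC program's own code; the type, field, error and cap names, and the increment cap value, are assumptions):

```rust
// Added example, not the AgenC program's own code: plain-Rust model of escrow
// invariants E1-E4 and reputation bounds R1/R3 above; names are assumptions.
#[derive(Debug, PartialEq)]
pub enum EscrowError {
    Closed,    // E4: no transfers after close, and close happens once
    Overdraft, // E3: distribution may not exceed the deposit
    Overflow,  // lamport counter would wrap
}

pub struct Escrow {
    pub amount: u64,      // lamports deposited at task creation
    pub distributed: u64, // cumulative payout; E2: only ever grows
    pub closed: bool,
}

impl Escrow {
    pub fn new(amount: u64) -> Self {
        Escrow { amount, distributed: 0, closed: false }
    }
    /// Lamports still held by the escrow PDA (E3 guarantees no underflow).
    pub fn balance(&self) -> u64 {
        self.amount - self.distributed
    }
    /// E1: distributed + remaining balance must equal the original deposit.
    pub fn conserved(&self) -> bool {
        self.distributed.checked_add(self.balance()) == Some(self.amount)
    }
    /// Pay out `lamports`, failing closed on E3/E4 violations and overflow.
    pub fn distribute(&mut self, lamports: u64) -> Result<(), EscrowError> {
        if self.closed { return Err(EscrowError::Closed); }
        let next = self.distributed.checked_add(lamports).ok_or(EscrowError::Overflow)?;
        if next > self.amount { return Err(EscrowError::Overdraft); }
        self.distributed = next; // never decremented, so E2 holds
        Ok(())
    }
    /// E4: close exactly once; returns the remainder refundable to the creator.
    pub fn close(&mut self) -> Result<u64, EscrowError> {
        if self.closed { return Err(EscrowError::Closed); }
        self.closed = true;
        Ok(self.balance())
    }
}

/// R1/R3: reputation stays in [0, 10000] and each increment is capped.
/// MAX_INCREMENT is an assumed cap; the page does not state the value.
pub const MAX_REPUTATION: u64 = 10_000;
pub const MAX_INCREMENT: u64 = 100;
pub fn bump_reputation(current: u64, delta: u64) -> u64 {
    current.saturating_add(delta.min(MAX_INCREMENT)).min(MAX_REPUTATION)
}
```

Each rejected call leaves `distributed` untouched, which is what makes the conservation check E1 hold after any sequence of successful and failed distributions.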
Testing Methodology
Smoke Test Results Summary
Findings
Known Limitations and Future Work
Conclusion
The Devnet deployment is stable under the current scope and threat model. The smoke test suite exercises core lifecycle paths without identifying logic errors; remaining failures are limited to Devnet funding rate limits. This package is suitable as an audit-ready Devnet security artifact.