defirisk.co
rubric v1.7.0

Jupiter

Multi-product Solana DeFi super-app. Primary surface: DEX aggregator routing swaps across all Solana liquidity (Raydium, Orca, Meteora, etc.). Secondary: Jupiter Perps (JLP-backed perpetuals exchange using Edge/Chainlink/Pyth oracle aggregation, up to 250x leverage). Tertiary: Jupiter Lend (lending market, launched 2025), JupSOL (liquid staked SOL), Jupiter Studio (token launchpad). Governance via JUP token + Realms DAO (voluntarily paused June 2025). Core programs are closed-source binaries on Solana.

Sector dex
TVL $1.7B
Reviewed May 12, 2026
Factors 184
Categories 13
Risk score 30.6
Deployments Solana · $1.7B
01

Risk profile at a glance

1 red · 4 yellow · 7 green
02

Categories & evidence

184 factors · 13 categories
Code & audits Yellow 37 25 of 25
RD-F-009 red Formal verification coverage No formal verification (Certora, Kani, Halmos, or equivalent) identified for Jupiter programs. Audit index lists only traditional code review engagements — no FV reports. Solana/Rust/BPF FV tooling is less mature than EVM but not absent (Kani supports Rust). Protocol has not declared critical invariants subject to FV. No FV evident in any public source.
RD-F-183 red Bug bounty scope gap on highest-TVL contracts Active bug bounty program exists on ooosec.com/programs/jupiter. Maximum payout is $20,000 — 0.001% of $1.717B TVL. The highest-TVL contracts (Jupiter Aggregator v6 JUP6LkbZbjS1jKKwapdHNy74zcZ3tLUZoi5QNyVTaV4, Jupiter Perps PERPHjGBqRHArX4DySjwM6UJHiR3sWAatqfdBS2qQJu) are the core programs under this TVL. Even if technically in-scope, the $20K cap effectively operates as a scope gap — a sophisticated attacker could earn far more exploiting a vulnerability than a researcher could earn disclosing it. This is the exact pattern RD-F-183 measures: a bounty scope gap removes the economic incentive for whitehat disclosure on the highest-TVL surface.
RD-F-001 yellow Audit scope mismatch 17 audit engagements across 5 firms cover all major sub-protocols; most recent audit October–November 2025. However, the primary aggregator v6 (JUP6LkbZbjS1jKKwapdHNy74zcZ3tLUZoi5QNyVTaV4) is a closed-source binary — the commit SHA from the audit report cannot be independently matched against deployed bytecode. Audit PDFs return 404 on all direct URL attempts. Scope-match verification is structurally impossible for a closed-source binary substrate.
RD-F-005 yellow Audit firm tier No EVM Tier-1 firm (Trail of Bits, OZ, ConsenSys Diligence, Certora, Sigma Prime, Spearbit, Zellic) audited Jupiter. Solana-specialist firms: OtterSec (leading Solana firm, $36.8B TVL secured, Wormhole and Solana Foundation client — Tier-2/near-Tier-1 in the Solana ecosystem), Sec3 (Solana-native, automated scanner), Offside Labs (Solana-specialist, limited public web presence, extensive Jupiter engagement), MixBytes (Tier-2 established multi-chain), Zenith (boutique). Yellow per methodology: Tier-2 only, no EVM Tier-1.
RD-F-006 yellow Audit-to-deploy gap Aggregator v6 April 2024 audit aligned with the v6 deployment timeframe per profile. The October 2025 Offside Labs engagement was a re-audit of an already-live program (post-deployment). Jupiter Lend launched mid-2025 with first audits starting July 2025 (Zenith, Offside Labs) and August 2025 (OtterSec) — some concurrent audit/launch timing. Cannot determine the exact deploy-audit gap for all sub-protocols without confirmed deploy timestamps. Yellow — partial evidence of timely auditing.
RD-F-007 yellow Bug bounty presence & max payout Active bug bounty program on ooosec.com/programs/jupiter (Raccoons Security). Max payout: $20,000 for critical vulnerabilities. Program launched approximately March–April 2026 (~1 month old at assessment). Total paid: $35,300 across 10 resolved reports. Average response time: 2d 6h. The $20K cap is below the green threshold (≥$500K) and below the yellow floor ($50K). Graded yellow because the program is active and very recently launched and may increase its payout. Program exists, so not red.
RD-F-003 gray Resolved-without-proof findings Audit PDFs return HTTP 404 on all attempted direct URLs (hub.jup.ag and developers.jup.ag paths). Cannot enumerate per-finding resolution status. Closed-source binary also prevents on-chain fix verification. Gray per methodology rule: audit PDF not publicly accessible as of assessment date.
RD-F-010 gray Static-analyzer high-severity count Slither/Mythril/Semgrep require Etherscan-verified Solidity source. Jupiter programs are Rust/BPF on Solana — no Etherscan-verified source and no Solidity source. Additionally, the program is a closed-source binary. Structural gray per non-EVM template: static-analysis factors requiring EVM tooling are not assessable for Solana programs.
RD-F-011 n/a SELFDESTRUCT reachable from non-admin path SELFDESTRUCT is an EVM opcode with no direct equivalent in Solana BPF programs. Structural N/A for Solana substrate.
RD-F-012 n/a delegatecall with user-controlled target delegatecall is an EVM opcode not present in Solana BPF programs. Solana uses CPI (Cross-Program Invocation) with different semantics. Structural N/A.
RD-F-013 gray Arbitrary call with user-controlled target The EVM .call(target, data) pattern is not present on Solana, but an analogous CPI-based arbitrary invocation risk exists. Closed-source binary prevents source inspection to verify CPI safety. Gray — conceptual risk exists but the factor as defined is EVM-specific and source is unavailable.
RD-F-014 gray Reentrancy guard on external-calling functions Solana BPF programs use a different account model without ETH send callbacks, making traditional EVM reentrancy guards inapplicable. Reentrancy via CPI cycles is auditable but requires source access. Closed-source binary prevents verification. OtterSec and Offside Labs audits would have covered this — but audit findings are inaccessible (PDF 404). Gray.
RD-F-015 n/a ERC-777/1155/721 hook without reentrancy guard ERC-777/ERC-1155/ERC-721 hook callbacks are Ethereum token standard mechanisms. Solana uses the SPL token program, which lacks these callback hooks. Structural N/A.
RD-F-016 gray Divide-before-multiply pattern The Slither divide-before-multiply detector requires Solidity source. Closed-source Rust/BPF binary. Gray.
RD-F-017 gray Mixed-decimals math without explicit scaling Mixed-decimals math inspection requires Solidity source review via Slither/manual. Closed-source Rust/BPF binary. Gray.
RD-F-018 gray Signed/unsigned arithmetic confusion Signed/unsigned arithmetic confusion check requires static analysis on source. Rust has stricter type safety than Solidity but the risk still exists. Closed-source binary prevents verification. Gray.
RD-F-019 n/a ecrecover zero-address return unchecked ecrecover is an EVM precompile using secp256k1. Solana programs use Ed25519 signatures via the system program — ecrecover does not apply. Structural N/A.
RD-F-020 n/a EIP-712 domain separator missing chainId EIP-712 typed structured data signing is an Ethereum-specific standard. Solana uses native transaction signing with different serialization (Borsh). Structural N/A.
RD-F-021 n/a UUPS _authorizeUpgrade correctly permissioned The UUPS proxy pattern with _authorizeUpgrade() is an EVM/OpenZeppelin-specific proxy pattern. Solana uses the BPF upgradeable loader with an upgrade authority model — a fundamentally different architecture. Structural N/A.
RD-F-022 gray Public initialize() without initializer modifier The OpenZeppelin initializer modifier is EVM/Solidity-specific. Solana Anchor programs use different initialization patterns (account discriminators, init constraints). The underlying risk (unprotected re-initialization) exists conceptually on Solana but the specific detector mechanism does not apply. Additionally, closed-source binary prevents source inspection. Gray — structurally different substrate and source unavailable.
RD-F-023 gray Constructor calls _disableInitializers() _disableInitializers() is an OpenZeppelin Solidity pattern for proxy implementations. Not applicable to Solana Anchor programs. Gray (structurally different substrate).
RD-F-024 gray Code complexity vs audit coverage Slither complexity metrics and LOC/audit-day ratio computation require Etherscan-verified Solidity source and EVM tooling. Closed-source Rust/BPF binary precludes computation. Qualitatively, 17 engagements across all major sub-protocols suggest adequate coverage by breadth, but the methodology requires computed metrics. Gray.
RD-F-002 green Audit recency Most recent audit engagements: Offside Labs aggregator v6 second engagement October 2025; OtterSec Lend second engagement November 12–20, 2025. Days from most recent engagement to assessment date (2026-04-29) approximately 160 days — within 365-day green threshold. Multiple sub-protocols received fresh coverage in H2 2025.
RD-F-004 green Audit count 5 distinct audit firms: Offside Labs, OtterSec, Sec3, MixBytes, Zenith. 17 total engagements covering Aggregator v3, Aggregator v6 (×2), Perpetuals (×3), Limit Order v2, Lock (×2), DAO, Lend (×7). Threshold is ≥2 distinct firms for green. Exceeds threshold by a large margin.
RD-F-008 green Ignored bounty disclosure No evidence of a disclosed vulnerability being reported and ignored pre-exploit. Both known incidents (X account hack Feb 2025, airdrop claim exploit Jan 2024) are operational/frontend events, not smart contract exploits. Data cache confirms no rekt.news incidents. Bug bounty program only ~1 month old — insufficient history for an 'ignored disclosure' pattern.
Governance & admin Yellow 42 24 of 24
RD-F-032 red Timelock duration on upgrades No EVM-style TimelockController documented. Realms DAO (when active) had no confirmed on-chain time-delay between proposal passing and execution beyond the voting period itself. During the governance pause, no formal on-chain timelock on team decisions. Program upgrades go through the Squads multisig signature threshold only — no time delay. Profile explicitly records has_timelock: false.
RD-F-033 red Timelock on sensitive actions No documented timelock for any sensitive action category (mint/pause/rescue/setOracle/upgrade). JUP mint authority is burned (eliminates that risk). All other admin operations: the Squads multisig threshold is the only control — no time delay. Realms governance had no post-vote execution timelock. During the pause, the team makes decisions with no on-chain delay.
RD-F-040 red Emergency-veto multisig present No documented emergency-veto or guardian multisig for Jupiter governance. During the governance pause, the founding team has de facto veto power, but this is not an on-chain mechanism. No cancel/veto role on program upgrades documented. The Squads multisig threshold is the only check on program changes.
RD-F-047 red Governance token concentration (Gini) Team holds 20% of JUP supply (2B of 10B). One team member wallet cast >4.5% of votes in the most recent governance vote. Community complaints about voting power concentration led directly to the governance pause. Top-10 voting wallets in the whaling proposal held >22.5% of total voting weight. Gini coefficient not formally computed but evidently high. This concentration led to the governance failure and subsequent pause.
RD-F-025 yellow Admin key custody type Jupiter uses multisig custody: Squads-based for program upgrade authority; 4-of-7 multisig for JUP token vaults (Team Cold, Community Cold, Team Hot, Community Hot). No pure EOA admin documented. During the governance pause since June 2025, the founding team exercises de facto protocol authority without on-chain constraint. Admin key custody type is multisig, but effective control during the pause is centralized to the founding team.
RD-F-026 yellow Upgrade multisig signer configuration (M/N) JUP token vaults: 4/7 multisig (documented). Signers include the Jupiter team, independent ecosystem signers (Mert/Helius, Stepan/Squads, Nico/Neodyme), and professional custodians. Program upgrade authority multisig: Squads usage confirmed, but the specific multisig address, threshold, and signer count are not publicly disclosed. Cannot confirm M/N for the program upgrade authority.
RD-F-027 yellow Single admin EOA Program upgrade authority held via Squads multisig (not a single EOA). JUP token admin is a 4-of-7 multisig with named external signers. However: (1) governance voluntarily paused since June 2025, reverting effective protocol control to the founding team (Meow/Ming Ng, Siong Ong) with no on-chain constraint; (2) the exact program upgrade authority multisig address is not publicly confirmed. No single admin EOA holds formal authority, but de facto centralization during the pause is material.
RD-F-028 yellow Low-threshold multisig vs TVL JUP token vaults: 4-of-7 multisig with external ecosystem signers. For $1.717B TVL, peer norm is ~5-of-8. 4-of-7 is one below peer norm — yellow rather than red. Independent signers (Mert/Helius, Stepan/Squads, Nico/Neodyme) provide some external check. Program upgrade authority multisig threshold not confirmed. If the program upgrade authority is 3-of-5 or lower, this would escalate.
RD-F-029 yellow Multisig signers co-hosted Three publicly named independent ecosystem signers (Mert/Helius, Stepan/Squads, Nico/Neodyme) are from different organizations — not co-hosted. The remaining ~4 signers are Jupiter team members who are likely co-hosted internally. Co-hosting risk exists for the majority of signers but is mitigated by the independent minority.
RD-F-036 yellow Flash-loanable voting weight JUP governance uses staked JUP with a 30-day unstaking period, creating a meaningful lock against flash-loan voting attacks. Governance has been voluntarily paused since June 2025, so the attack surface is dormant. Pre-pause, the staking lock substantially mitigated flash-loan governance attacks. Scored yellow because: (1) staking checkpoint behavior (at proposal creation vs. continuous) cannot be confirmed from the closed-source Realms implementation; (2) the governance pause itself is a governance failure mode.
RD-F-038 yellow Proposal execution delay < 24h The Realms-based voting period appears to be several days based on observed proposals. No confirmed programmatic time-delay between proposal passing and execution. The voting period itself is not a timelock in the regulatory sense (no enforced delay post-vote before execution). Cannot confirm a ≥48h enforced execution delay. Governance currently paused.
RD-F-046 yellow Contract unverified on Etherscan/Sourcify Jupiter Aggregator v6 is a closed-source binary with no public Solana program source. An Anchor IDL is published (visible via Solana Explorer), providing an interface-level ABI. Solana does not have Etherscan/Sourcify equivalents. Jupiter Lend open-sourced February 2026. Perps program still closed-source. 17 audits across 5 firms provide some verification substitute. Scored yellow rather than red based on: IDL availability, audit coverage, and non-EVM substrate calibration. A strict reading (closed binary = unverified) would be red.
RD-F-030 gray Hot-wallet signer flag Multisig signer addresses not publicly disclosed. Cannot assess hot-wallet behavioral patterns. Structural data gap — no on-chain address list is available to run heuristic analysis.
RD-F-031 gray Signer rotation recency No public record of signer-set changes for the program upgrade authority multisig. Token vault multisig composition not publicly updated since the January 2024 launch. Cannot assess signer rotation recency.
RD-F-034 gray Guardian/pause-keeper distinct from upgrader No documented pause/guardian role for the aggregator or perps programs (closed-source binary). Jupiter Lend has a LendingAdmin account with auths and authority fields, but no separate guardian vs. upgrader role distinction is confirmed. Cannot assess without program source or documentation.
RD-F-035 gray Role separation: upgrade ≠ fee ≠ oracle Cannot assess — aggregator and perps programs are closed-source. Role separation (upgrade/fee/oracle) is not documented publicly for any Jupiter program. Jupiter Lend has distinct admin roles, but full separation analysis requires source review beyond what is publicly available.
RD-F-039 n/a delegatecall/call in proposal execution without allowlist Solana programs do not use the EVM delegatecall opcode. Solana Cross-Program Invocations (CPIs) are structurally different — they do not allow arbitrary target execution in the EVM delegatecall sense. Jupiter DAO proposals on Realms were off-chain governance signals, not on-chain executor contracts with arbitrary calldata payloads. This factor's specific threat model does not apply to Solana-native governance architecture.
RD-F-041 gray Rescue/emergencyWithdraw without timelock Aggregator and perps programs are closed-source binaries — cannot enumerate admin-callable functions. No rescue/emergencyWithdraw function documented in public sources. Jupiter Lend has admin-controlled operations (LendingAdmin account) but no explicit rescue/sweep function identified in reviewed code. Structural gray for closed-source programs; cannot confirm presence or absence of a rescue function.
RD-F-044 gray Admin wallet interacts with flagged addresses Admin addresses (program upgrade authority, Squads multisig members) are not publicly disclosed at the address level. Cannot run cluster feed analysis against unknown addresses. Structural data gap.
RD-F-045 gray Constructor args match governance proposal Not directly applicable — Solana Anchor programs use account initialization patterns rather than EVM constructor args. Binary program upgrades do not have corresponding governance proposals with constructor arg matching. Non-EVM substrate — structural gray.
RD-F-037 green Quorum achievable via single-entity flash loan JUP governance requires staked (locked) JUP with 30-day unstaking period. Flash loan cannot achieve governance quorum: attacker cannot acquire JUP, stake it, and vote within a single atomic transaction. Quorum was set at 30% of total staked JUP. With ~672M JUP staked, quorum is ~200M tokens which cannot be flash-loan staked. Governance is currently paused (dormant risk).
RD-F-042 green Admin has mint() with unlimited max JUP governance token mint authority permanently burned — confirmed via Jupiter forum post with burn transaction ID. 10B total supply minted in one event; 3B subsequently burned via governance vote. No admin can mint additional JUP tokens. JLP token is program-controlled AMM pool mechanics, not admin-mintable. F042 (admin-callable unlimited mint) does not apply.
RD-F-043 green Admin = deployer EOA after 7 days Jupiter has been live 42+ months (October 2021). JUP token (January 2024) launched with 4-of-7 multisig custody from day one including independent ecosystem signers. Program control demonstrably moved to Squads-based multisig. Deployer EOA is not the current admin. Factor asks about 7-day post-deploy state — this is far beyond any transfer period.
RD-F-167 green Deprecated contract paused but pause reversible by live admin No deprecated contracts holding user funds identified. The jupiter-cpi repo (archived November 2025) was a read-only CPI interface shim with no user funds or admin powers over protocol state. No legacy contracts with admin pause mechanisms identified.
Oracle & external dependencies Green 15 17 of 17
RD-F-050 yellow Dependency graph (protocols depended upon) Dependency graph materially complete for major components. Aggregator depends on Raydium, Orca, Meteora, and 30+ other Solana DEX programs. Perps depends on Edge/Chaos Labs, Chainlink Data Streams, Pyth Network. Lend depends on Pyth, Chainlink, Redstone, SPL Stake Pool programs, Sanctum. JupSOL depends on the SPL Stake Pool Program and the Sanctum validator set. Yellow because the full long-tail enumeration of aggregator DEX routing dependencies (30+ programs) was not individually assessed, and Lend program oracle dependency verification is partial (program not found on Solscan at assessment time).
RD-F-052 yellow Breakage analysis per dependency Breakage analysis inferred from documented fallback logic, not from a formal Jupiter-published breakage document. Perps: single oracle failure → degraded but functional; 2-of-3 failure → position operations freeze (JLP holders bear open-position exposure). Lend: per-market freeze on staleness/confidence breach; other markets unaffected. Aggregator: single DEX failure → routes around (30+ venues). JupSOL: Sanctum failure impairs the unstaking flow. Yellow because no formal breakage analysis is published by Jupiter, and Perps breakage under 2-of-3 oracle failure carries material JLP risk that lacks a published mitigation.
RD-F-057 yellow Circuit breaker on price deviation Perps: implicit circuit breaker — the Edge price must be within a threshold of both Chainlink and Pyth to be used; if outside the threshold, fallback to Chainlink+Pyth comparison; if 2-of-3 fail, no price update (hard stop). The specific deviation threshold value is not publicly disclosed (closed-source program). Lend: the Pyth confidence interval acts as a documented circuit breaker — operations halt if confidence >2% (user ops) or >4% (liquidations). Yellow because the Perps deviation threshold is not publicly verifiable.
RD-F-058 yellow Max-deviation threshold (bps) Lend: Pyth confidence interval thresholds confirmed at 200 bps (2%) for user operations and 400 bps (4%) for liquidations — both within acceptable range. Perps: the Edge-to-Chainlink/Pyth deviation threshold is not publicly disclosed (closed-source program). Assessed yellow because the Perps threshold is unverifiable, creating uncertainty about whether the circuit breaker is set at an appropriate level.
RD-F-062 yellow External keeper/relayer not redundant Jupiter Perps relies on a dedicated keeper to push oracle price updates during trade execution and on a regular schedule. The keeper architecture (single vs. redundant keepers, permissionless vs. team-operated, failover mechanisms) is not publicly documented. If the keeper fails, oracle price updates halt during the outage window, which could leave positions unable to be opened/closed/liquidated. Assessed yellow — single keeper risk cannot be ruled out from public sources. Aggregator and Lend do not have an identified external keeper dependency for oracle updates.
RD-F-180 yellow Immutable oracle address [★ — F180 promoted to critical by T-14 2026-04-22. YELLOW, not red.] Jupiter Perps is a closed-source BPF upgradeable program. Oracle account Pubkeys (dovesOracle / dovesAgOracle per custody asset) are stored in on-chain Custody account structs, not as EVM immutable constants. The program has demonstrated oracle account migration capability: the dovesOracle field was superseded by the dovesAgOracle field in a prior program upgrade, confirming that oracle accounts ARE replaceable via program upgrade. However: (a) the upgrade authority for the Perps program (PERPHjGBqRHArX4DySjwM6UJHiR3sWAatqfdBS2qQJu) is not publicly disclosed; (b) oracle replacement requires a full binary upgrade (not a targeted setOracle admin call), creating high operational friction; (c) no timelock on oracle changes has been identified; (d) the program is closed-source, preventing independent verification. PD-023 generalized F180 to non-EVM substrates: 'oracle source address or equivalent is not programmatically re
RD-F-054 n/a TWAP window duration Jupiter does not use DEX TWAP-based oracles for any sub-protocol. Perps and Lend use push oracles (Edge/Chainlink/Pyth/Redstone). Aggregator uses live DEX pool reserves per transaction (not a TWAP oracle pattern). F054 TWAP window duration is not applicable.
RD-F-055 n/a Oracle pool depth (USD) No DEX TWAP oracle used in any sub-protocol. The oracle pool depth (USD) metric is not applicable to push oracle providers (Edge/Chainlink/Pyth/Redstone) or to the aggregator's per-transaction pool reserve reads.
RD-F-056 n/a Single-pool oracle (no medianization) No single-pool DEX oracle used. Perps uses 3-oracle aggregation (medianization-equivalent). Lend uses multi-provider per asset. Aggregator uses no oracle. Single-pool oracle concern is not applicable.
RD-F-060 gray Chainlink aggregator min/max bound misconfig Gray — cannot verify without on-chain RPC reads. Chainlink on Solana via Data Streams (Perps) and Chainlink Data Feeds (Lend) do not necessarily expose the same minAnswer/maxAnswer circuit-breaker bounds as EVM Chainlink AggregatorV3 contracts. Chainlink Data Streams are low-latency push feeds with a different architecture than AggregatorV3. Cannot verify min/max bound configuration from public documentation or WebFetch without direct Solana RPC calls. Data cache does not contain this information.
RD-F-048 green Oracle providers used Jupiter Perps uses three established oracle providers: Edge by Chaos Labs (primary, launched Sep 2024), Chainlink Data Streams (secondary, integrated May 2025), and Pyth Network (tertiary). Jupiter Lend uses Pyth (primary for most assets), Chainlink (primary for WBTC/EURC), Redstone, and on-chain Solana staking pool rates. Jupiter Aggregator uses no external oracle — it reads live DEX pool reserves per transaction. All providers used across sub-protocols are established, documented oracle systems.
RD-F-049 green Oracle role per asset Perps: Edge = Primary for all 5 assets (SOL/ETH/BTC/USDC/USDT); Chainlink Data Streams = Secondary/verifier; Pyth = Tertiary/verifier. If Edge not stale and within threshold of Chainlink+Pyth, Edge is used. If Edge fails, Chainlink+Pyth comparison determines price. Lend: Pyth = primary for SOL/ETH/BTC/JLP; Chainlink = primary for WBTC/EURC; Redstone = additional feeds. Each asset has at least primary + one verification source. Aggregator: no oracle roles — uses live DEX reserves per transaction.
RD-F-051 green Fallback behavior on oracle failure Perps: Documented three-oracle fallback — Edge stale/out-of-threshold → Chainlink vs Pyth comparison; if 2-of-3 fail → no price update (positions freeze). This is a documented secondary-oracle fallback, not last-known-price. Lend: staleness thresholds enforced (600s standard / 7200s liquidations); confidence interval checks on Pyth; if threshold exceeded → operations halted for that market (pause behavior). Aggregator: no oracle fallback needed (uses live pool reserves per tx).
RD-F-053 green Oracle source = spot DEX pool (no TWAP) [★ CRITICAL — GREEN] No sub-protocol uses raw spot DEX pool price as an oracle. Aggregator uses live DEX pool reserves per transaction (read-time pool state, not a price oracle pattern — no TWAP needed because no asset collateralization occurs). Perps uses Edge (off-chain aggregated price with ZK-proof delivery), Chainlink Data Streams, and Pyth — all push oracles, none are single-pool spot prices. Lend uses Pyth, Chainlink, Redstone — all established push oracles. F053 critical flag does not fire.
RD-F-059 green Oracle staleness check present Lend: staleness checks explicitly documented — 600 seconds for standard operations (supply/borrow/repay/withdraw), 7200 seconds for liquidations. Pyth and Redstone use Unix timestamp freshness; Chainlink uses slot-based freshness (~400ms/slot). Perps: staleness check present (Edge staleness triggers fallback to Chainlink+Pyth comparison). Exact Perps staleness window not publicly disclosed but mechanism is confirmed operational. 600s standard (10 min) is within acceptable range for Lend volatile assets on Solana.
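The oracle gating described in RD-F-049, RD-F-051, RD-F-057 and RD-F-059 can be modelled as a small decision procedure. The Rust below is an added illustration written for this page, not Jupiter's program code. The Lend numbers (600 s / 7200 s staleness windows, 200 / 400 bps confidence ceilings) are the documented ones; the Perps Edge-vs-verifier deviation threshold is undisclosed, so the value passed in is an assumption, and so are two modelling choices the assessment does not pin down: that Edge is accepted when it agrees with every verifier that is still fresh (so a single verifier outage degrades rather than halts), and that the Chainlink/Pyth fallback returns the mean of the two agreeing prices. All feeds are constructed sample values.

```rust
// Added example modelling the Perps three-oracle selection and Lend staleness /
// confidence gates described in the assessment. Not Jupiter's code; thresholds
// and fallback semantics marked as assumptions below.

#[derive(Clone, Copy, Debug)]
pub struct PriceFeed {
    pub price: f64,        // USD price
    pub conf: f64,         // confidence interval, same unit as price (0.0 if feed has none)
    pub published_at: u64, // unix seconds
}

impl PriceFeed {
    fn is_fresh(&self, now: u64, max_age: u64) -> bool {
        now >= self.published_at && now - self.published_at <= max_age
    }
}

/// Relative deviation |a - b| / b expressed in basis points.
fn deviation_bps(a: f64, b: f64) -> f64 {
    ((a - b).abs() / b) * 10_000.0
}

/// Perps-style selection: Edge primary, Chainlink + Pyth as verifiers.
/// `max_dev_bps` is an ASSUMED threshold (real value undisclosed).
/// Returns None when fewer than two usable sources agree (the documented hard stop).
pub fn perps_select_price(
    edge: Option<PriceFeed>,
    chainlink: Option<PriceFeed>,
    pyth: Option<PriceFeed>,
    now: u64,
    max_age: u64,
    max_dev_bps: f64,
) -> Option<f64> {
    let fresh = |f: Option<PriceFeed>| f.filter(|x| x.is_fresh(now, max_age));
    let (edge, cl, py) = (fresh(edge), fresh(chainlink), fresh(pyth));
    let verifiers: Vec<PriceFeed> = cl.into_iter().chain(py).collect();

    // Primary path (assumption): Edge is fresh and within threshold of every
    // verifier that is itself fresh; at least one verifier must be available.
    if let Some(e) = edge {
        if !verifiers.is_empty()
            && verifiers.iter().all(|v| deviation_bps(e.price, v.price) <= max_dev_bps)
        {
            return Some(e.price);
        }
    }
    // Fallback: Chainlink vs Pyth comparison. Assumption: mean of the two when they agree.
    if let (Some(c), Some(p)) = (cl, py) {
        if deviation_bps(c.price, p.price) <= max_dev_bps {
            return Some((c.price + p.price) / 2.0);
        }
    }
    // 2-of-3 failed (stale or disagreeing): no price update, positions freeze.
    None
}

#[derive(Clone, Copy, Debug)]
pub enum LendOp {
    User,        // supply / borrow / repay / withdraw
    Liquidation,
}

/// Lend-style gate using the documented windows: 600 s / 200 bps for user ops,
/// 7200 s / 400 bps for liquidations. Err carries the reason the market halts.
pub fn lend_check_price(feed: PriceFeed, op: LendOp, now: u64) -> Result<f64, &'static str> {
    let (max_age, max_conf_bps) = match op {
        LendOp::User => (600, 200.0),
        LendOp::Liquidation => (7200, 400.0),
    };
    if !feed.is_fresh(now, max_age) {
        return Err("stale price: market halted");
    }
    let conf_bps = (feed.conf / feed.price) * 10_000.0;
    if conf_bps > max_conf_bps {
        return Err("confidence interval too wide: market halted");
    }
    Ok(feed.price)
}

fn main() {
    // Constructed sample feeds (not real market data).
    let now = 1_000;
    let edge = Some(PriceFeed { price: 100.0, conf: 0.0, published_at: 995 });
    let cl = Some(PriceFeed { price: 100.5, conf: 0.0, published_at: 995 });
    let py = Some(PriceFeed { price: 99.8, conf: 0.0, published_at: 995 });
    println!("perps price: {:?}", perps_select_price(edge, cl, py, now, 30, 100.0));
    let wide = PriceFeed { price: 100.0, conf: 3.0, published_at: 995 };
    println!("lend user op: {:?}", lend_check_price(wide, LendOp::User, now));
    println!("lend liquidation: {:?}", lend_check_price(wide, LendOp::Liquidation, now));
}
```

Running it shows the asymmetry the assessment points at: a 300 bps confidence interval halts user operations but still permits liquidations, and dropping a single verifier leaves Perps pricing intact while a stale Edge plus disagreeing verifiers returns no price at all.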
RD-F-061 green LP token balanceOf used for pricing No LP token balanceOf used for pricing in any sub-protocol. Jupiter Lend uses Pyth/Chainlink/Redstone push oracles and on-chain staking pool exchange rates — not LP token balance reads. JLP token pricing in Lend uses Pyth. Perps uses Edge/Chainlink/Pyth push oracles. Aggregator uses live DEX pool reserves per-transaction for routing decisions (not for collateral pricing). No balanceOf-based pricing pattern identified.
RD-F-181 green Permissionless-pool lending oracle Jupiter Lend does not accept spot prices from permissionlessly-created DEX pools. Oracle providers are limited to curated, established providers: Pyth Network, Chainlink Data Feeds, Redstone, JupLend native exchange rates, and on-chain Solana staking program rates (StakePool/MsolPool/SinglePool). The Offside Labs Oracle and Flashloan audit (October 13-19, 2025) specifically reviewed the oracle configuration, consistent with a controlled oracle acceptance framework. The Code4rena audit brief (Feb-Mar 2026) confirms oracle sources include 'Pyth, Chainlink, and Solana-native pools' — with 'Solana-native pools' referring to staking programs (not permissionlessly-created AMM pools). F181 is not applicable to the Aggregator (DEX aggregator, not lending) or Perps (uses only push oracle providers). Green for Lend.
Economic risk Green 19 13 of 13
RD-F-064 yellow TVL concentration (top-10 wallet share) Web search evidence indicates >80% of JLP supply is held by the top-10 wallets. Extreme concentration. The Drift exploit (April 1, 2026) demonstrated that a single wallet held 41.7M JLP (~17.6% of supply), confirming whale-scale holdings. Coordinated exit risk during a JLP drawdown scenario is material. Jupiter Lend depositor concentration data not independently verified.
RD-F-065 yellow Liquidity depth per major asset JLP secondary DEX liquidity: JLP/SOL on Orca ~$1.45M/24h volume. JLP redemption is primarily via protocol mint/burn at NAV, not secondary DEX. JLP pool AUM cap ($700M documented as of August 2024; current cap unconfirmed) and ±20% weight deviation buffer constrain large withdrawals. Protocol-internal liquidity (SOL/ETH/BTC/USDC/USDT) is adequate for normal operations. For Jupiter Lend: liquidation via swap-based incremental liquidations against Solana DEX liquidity (SOL/USDC markets are deep). 2%/5% slippage depth not quantifiable without on-chain reads.
RD-F-068 yellow Collateralization under stress Jupiter Lend: 90% LTV / 95% liquidation threshold is aggressive. JLP used as collateral at 90% LTV means a 10.5%+ JLP price decline triggers liquidation. JLP NAV can fall during sustained trader-profitable markets. Shared liquidity layer across vaults (not fully isolated, per Jupiter exec acknowledgment in 2025) means vault stress can propagate. Gauntlet engaged for parameter optimization. No stress event has occurred yet, but the design carries elevated risk under correlated drawdowns.
RD-F-069 yellow Algorithmic / under-collateralized stablecoin JupUSD (launched January 2026): currently reserve-backed (90% USDtb/BUIDL + 10% USDC). Not an algorithmic stablecoin in the Terra/Luna sense. However: (1) Jupiter announced plans to shift a portion of reserves to USDe (Ethena delta-neutral synthetic dollar), introducing structured product / derivatives counterparty risk; (2) a $750M conversion of USDC within the JLP pool to JupUSD is planned, which would embed JupUSD structural risk into the JLP pool. Neither migration is confirmed executed as of April 2026. Current design is conservative; prospective evolution is a yellow vector.
RD-F-070 n/a Empty cToken-style market (zero supply/borrow) [★ CRITICAL] NOT APPLICABLE — Jupiter is not a Compound V2 fork. Jupiter Lend is built on Fluid's custom Solana architecture (first non-EVM Fluid deployment). Jupiter Aggregator is a DEX aggregation protocol. Jupiter Perps is a JLP-backed perpetuals exchange. None of these share the cToken-style market accounting model that enables the empty-market donation attack. The ★ critical factor does not trigger.
RD-F-071 n/a Seed-deposit requirement for new market listing Jupiter Lend uses a permissioned/whitelist asset listing model (not a market-listing protocol with a seed deposit requirement). Jupiter Perps has a fixed pool of 5 assets (SOL, ETH, BTC, USDC, USDT) — no market listing. Jupiter Aggregator lists no markets. The seed-deposit requirement concept is specific to Compound-fork market listing mechanics, which are not present here.
RD-F-072 n/a Market-listing governance threshold Jupiter Aggregator does not list markets — it routes across all Solana DEX pools automatically (not applicable). Jupiter Perps has a fixed 5-asset pool (SOL, ETH, WBTC, USDC, USDT) with no new market listing mechanism. Jupiter Lend uses permissioned/whitelisted assets managed by Fluid/Jupiter — high-threshold listing (positive), but the factor asks about the governance threshold for new market listing, which is a lending-protocol-specific concept not directly applicable here.
RD-F-073 n/a Oracle-manipulation-proof borrow cap Jupiter Lend: per-asset borrow caps not publicly disclosed as of assessment date; the Fluid architecture uses 'dynamic limits' but specifics are not enumerable from public sources. Jupiter Perps: $2.5M per-position cap and pool AUM cap (maxAumUsd) documented — these implicitly limit oracle manipulation payoff. The factor definition (borrow cap <= oracle pool depth × manipulation-resistance multiplier) is designed for lending protocols with per-asset borrow caps — not directly applicable to Perps or Aggregator. Lending product caps partially applicable but undisclosed. Treating as not_applicable pending public disclosure of per-asset borrow caps.
RD-F-074 n/a ERC-4626 virtual-share offset (OZ ≥4.9) ERC-4626 is an EVM standard. Jupiter Lend is built on Fluid's Solana-native architecture using SPL token programs. The ERC-4626 virtual-share offset (OpenZeppelin >= 4.9) is structurally inapplicable to any Solana-native protocol. Data cache confirms non_evm_substrate: true.
RD-F-075 n/a First-depositor / share-inflation guard The first-depositor share-inflation guard is a concept specific to EVM share-based vaults (ERC-4626, Compound cTokens). Jupiter Lend is Solana-native (Fluid architecture, SPL tokens). The attack vector exists conceptually for any share-based accounting system, but the factor definition and scoring criteria are EVM-specific. Jupiter Lend received 7 audit engagements covering vault mechanics (OtterSec, Offside Labs, MixBytes, Zenith) — the audits represent primary assurance on share accounting correctness. No specific first-depositor guard mechanism is documented publicly for the Solana implementation. Not_applicable per EVM-specificity of the factor; audit coverage noted as positive.
RD-F-063 green TVL (current + 30d trend) TVL $1.717B (2026-04-29), 100% Solana. 30-day change -7.19% (cache) / -29.0% (live API). 12-month peak $3.44B (August 2025). Protocol is large and liquid; declining from peak but not in distress.
RD-F-066 green Utilization rate (lending protocols) Jupiter Lend utilization rate: 35.49% ($609M borrowed / $1.717B supplied). Healthy, non-stressed rate. SOL most borrowed ($171.5M), USDC $335.5M. Well within normal operating range.
RD-F-067 green Historical bad-debt events No documented bad debt events on Jupiter Lend (launched 2025) or JLP pool. Drift exploit (April 2026) involved theft of JLP from Drift custody, not a Jupiter bad-debt event. Jupiter confirmed JLP pool fully backed post-Drift. Traders have been net profitable in aggregate in some periods (e.g., $6.85M cumulative gain in a 3-month window) but this has not constituted a socialized-loss event — JLP holders absorb trader P&L as part of the design, not as bad debt.
Operational history Green 12 15 of 15
RD-F-089 red Insurance coverage active No active insurance coverage identified on Nexus Mutual, Sherlock, Unslashed, or equivalent. Nexus Mutual does not list Jupiter as a covered protocol. Sherlock does not list Jupiter. No insurance coverage announcement found in Jupiter docs or governance forum. Red = no active coverage on a $1.717B TVL protocol.
RD-F-084 yellow TVL stability (CoV over 90d) TVL current $1.717B, -7.19% in 30 days per data-cache. 12-month peak was $3.44B (August 2025) — approximately 50% drawdown from peak to current over ~8 months. Trend is declining. Precise 90-day CoV not computable without full daily time-series, but available signals indicate moderate volatility consistent with yellow (declining trend >20% from peak, though current TVL remains well above $100M threshold). Market-wide DeFi downturn likely contributing factor.
RD-F-081 gray Post-exploit response score N/A — no prior protocol-level exploits. Factor definition specifies gray when 'no prior exploits (N/A)'. Two operational/frontend incidents exist but are not code exploits; the factor is scoped to post-exploit response on protocol incidents.
RD-F-082 gray Post-mortem published within 30 days N/A — no prior protocol-level exploits. Factor definition specifies gray when 'no prior incidents'. Note: no formal technical post-mortem was published for either operational incident (X hack, airdrop).
RD-F-083 gray Auditor re-engaged after last exploit N/A — no prior protocol-level exploits. Factor definition specifies gray when 'no prior exploits (N/A)'. Jupiter has ongoing proactive audit program (17 engagements, 5 firms) assessed under Cat 1.
RD-F-085 gray Incident response time (minutes) N/A — no prior protocol-level exploits. Factor requires 'minutes from first exploit transaction to first official team statement'; no exploit transaction exists for either operational incident. For the X hack, Jupiter Mobile issued rapid user warnings and co-founder Meow provided attribution, but this was a social incident not a protocol exploit.
RD-F-076 green Protocol age (days) Jupiter aggregator live since October 2021. Days from 2021-10-01 to 2026-04-29 = ~1,671 days (~54 months). Well above 365-day green threshold.
RD-F-077 green Prior exploit count Zero protocol-level smart contract exploits on record. rekt.news DB empty for Jupiter. Proprietary hacksdatabase (batches 1–23) contains no Jupiter entry — confirmed via grep. Data-cache rekt.incidents = []. Two operational/frontend incidents (X hack 2025-02, airdrop eligibility 2024-01) are not code exploits.
RD-F-078 green Chronic-exploit flag (≥3 incidents) Chronic flag = false. Protocol-level exploit count = 0. Threshold for chronic flag is ≥3 incidents. CHRONIC badge does NOT fire.
RD-F-079 green Same-root-cause repeat exploit No same-root-cause repeat exploit. Zero protocol-level exploits in history; repeat-root-cause is false by construction.
RD-F-080 green Days since last exploit No exploits on record. Factor maps 'no incidents' to green (equivalent to >365 days since last exploit).
RD-F-086 green Pause activations (trailing 12 months) No on-chain pause events identified for Jupiter's programs in the trailing 12 months. Jupiter Aggregator v6 on Solana does not have a standard EVM-style pause mechanism. The DAO governance pause (June 2025) is a governance-process event (voting suspended by Foundation), not a smart contract pause activation. Green = 0 pause events.
RD-F-087 green Pause > 7 consecutive days No protocol-level pause event in last 12 months. Green by construction — no pause = no >7-day pause.
RD-F-088 green Re-deployed to new addresses in last year No full protocol redeployment to a new address set in the last 12 months. Jupiter Aggregator v6 remains the live production program. Jupiter Lend was a new product launch in 2025, not a redeployment of existing contracts. Green = no redeployment event.
RD-F-166 green Deprecated contracts still holding value No contracts officially announced as deprecated by Jupiter Foundation that still hold >$100K. Jupiter Aggregator v6 is the current live program. The archived `jup-ag/jupiter-cpi` GitHub repo was a CPI interface (code only), not a value-holding contract. Earlier aggregator versions (v1–v5) are legacy but not formally deprecated via announcement. Green = no deprecated contracts holding material value.
Real-time signals Green 7 22 of 22
RD-F-105 yellow DNS/CDN/frontend hash drift DNS/frontend drift signal applicable — jup.ag active frontend. Confirmed Feb 2025 official X account compromise (attacker promoted $MEOW fake memecoin; ~$20M user losses from scam tokens; account recovered within hours). Multiple active impersonator domains documented (jup-v2.com, jupgifts.com, jup.ag-rewards.lat etc.). No confirmed hash drift on primary jup.ag DNS/CDN at assessment date. Signal elevated to yellow: (1) confirmed precedent of official channel compromise Feb 2025, (2) dense phishing ecosystem validates adversarial capability, (3) jup.ag-rewards.lat flagged by 2 security vendors 2026-04-25.
RD-F-090 gray Mixer withdrawal → protocol interaction Mixer→protocol signal requires Solana-native clustering feed (Tornado Cash is EVM-only; Solana mixers Elusiv/Wave have limited public TI coverage). No public attribution of mixer-funded wallets interacting with Jupiter core contracts. Chainalysis/TRM Solana cluster data not publicly accessible. Signal requires partner feed; public-proxy observation yields no evidence.
RD-F-091 n/a Partial-drain test transactions v1-deferred per T-09 §3.3. Jan 2024 airdrop claim incident used 9,000+ Sybil wallets but against the claim contract not core protocol. No partial-drain test transaction pattern on core swap/perps programs documented.
RD-F-092 n/a Unusual mempool pattern from deployer wallet v1-deferred per T-09 §3.3. Additionally Solana has no public mempool in EVM sense — transactions submitted directly to validators. No standard monitoring tool produces deployer-wallet mempool baseline on Solana. Structurally gray regardless of deferral.
RD-F-093 n/a Abnormal gas-price willingness from attacker wallet v1-deferred per T-09 §3.3. Solana uses priority fee structure distinct from EVM gas — concept maps loosely but monitoring infrastructure for ≥5× EMA priority fee detection on Solana does not exist in standard tooling.
RD-F-094 n/a New contract with similar bytecode to exploit template v1-deferred per T-09 §3.3. Jupiter Aggregator v6 is a closed-source Solana BPF binary — no public reference bytecode for similarity analysis. No public Solana program bytecode similarity scanning infrastructure exists.
RD-F-095 n/a Known-exploit function-selector replay v1-deferred per T-09 §3.3. Solana programs use Anchor instruction discriminators not EVM function selectors. No public exploit-template DB for Solana Anchor programs. Signal is structurally inapplicable to Solana substrate in current form.
RD-F-096 n/a New ERC-20 approval to unverified contract from whale EVM-specific factor (ERC-20 approve/allowance delegation model). Jupiter is Solana-native; Solana uses SPL token accounts with a different delegation model. Structurally not applicable.
RD-F-097 n/a Sybil surge of identical-pattern transactions v1-deferred per T-09 §3.3. Historical Sybil event (Jan 2024 airdrop claim, 9,000+ wallets, ~$1M) was against airdrop claim contract, not core protocol programs. No active Sybil surge on core swap/perps contracts detected. v1-deferred prevents current scoring.
RD-F-100 gray Flash loan >$10M targeting protocol tokens Flash loan signal partially applicable — Jupiter Lend has flash loan functionality (confirmed by Oct 2025 Offside Labs oracle-and-flashloan audit). Solana flash loan monitoring infrastructure differs from EVM (no Aave/Balancer as source; program-specific flash loans). Standard monitoring not configured for Solana. v1 phase 2 status. No confirmed flash-loan targeting event.
RD-F-101 gray Large governance proposal queued Governance proposal signal applicable in principle to Realms-based DAO (vote.jup.ag). However DAO voting voluntarily paused since June 2025 per Jupiter Foundation announcement. No proposals can be queued during pause. Signal effectively inactive in current governance state. Expected resumption 2026.
RD-F-102 gray Admin/upgrade transaction in mempool Admin/upgrade tx signal adapted for Solana: BPF upgradeable loader controls program upgrades. Solana has no public mempool in EVM sense — upgrade transactions submitted directly to validators. No standard Solana mempool stream for signal monitoring. Upgrade authority address not publicly confirmed. v1 phase 2 status. No upgrade events publicly reported at assessment date.
RD-F-103 n/a Bridge signer-set change proposed/executed Jupiter has no bridge surface. Data cache layerzero.present: false; profile has_bridge_surface: false. No bridge signer set exists. Signal structurally not applicable.
RD-F-106 n/a Cross-chain bridge unverified mint pattern No bridge surface. Jupiter does not operate any cross-chain bridge. Signal structurally not applicable.
RD-F-107 n/a Admin EOA signing from new geography/device v1-deferred per T-09 §3.3. Factor requires off-chain signing telemetry with team opt-in. No public signing-geography data available for Jupiter team wallets. Will be gray for virtually all protocols in v1.
RD-F-108 n/a GitHub force-push to sensitive branch v1-deferred per T-09 §3.3. Primary program source (aggregator v6) is closed-source — most critical code is not in a public GitHub branch. jupiter-cpi repo was archived Nov 2025. No force-push incidents on jup-ag public repos publicly reported. Signal has limited value for this protocol given closed-source primary.
RD-F-109 n/a Social-media impersonation scam spike v1-deferred per T-09 §3.3. Feb 2025 X account compromise is the exact trigger class for this signal — attacker with 500k+ follower handle promoted fake $MEOW memecoin causing ~$20M user losses. Not formally assessed because signal is v1-deferred. Persistent impersonation ecosystem (multiple scam sites, scam-coordinator networks around JUP airdrop) keeps this signal elevated as a Cat 11 threat.
RD-F-110 n/a Unusual pending/executed proposal ratio v1-deferred per T-09 §3.3. Additionally governance is paused since June 2025 — no proposals in queue; ratio is 0/0 (undefined). Signal inapplicable in current state.
RD-F-098 green TVL anomaly — % drop in <1h TVL anomaly signal applicable. Current TVL $1.717B (DeFiLlama API, data cache 2026-04-29). 30d change: −7.19% (gradual trend, not 1h crash). TVL_now / TVL_30d_baseline ≈ 0.93 — well above 0.70 threshold. Signal NOT firing. No drain event detected. DeFiLlama tracks Jupiter in real-time; signal is wirable at v1 launch.
RD-F-099 green Oracle price deviation >X% from secondary Oracle deviation signal applicable to Jupiter Perps (3-oracle: Edge primary, Chainlink + Pyth secondary). Deviation between Edge and Chainlink/Pyth is monitored internally by Jupiter's own fallback logic. No public oracle deviation incident reported for Jupiter Perps as of 2026-04-29. Signal not firing. Not applicable to DEX aggregator sub-protocol (no external oracles). v1 phase 2 — monitoring infrastructure not yet wired.
RD-F-104 green Stablecoin depeg >2% on shared-LP venue Stablecoin depeg signal applicable to Jupiter Lend (stablecoin collateral exposure). No major stablecoin depeg >2% on USDC/USDT as of 2026-04-29. Signal NOT firing. Jupiter Lend total borrowed $609M (data cache), stablecoin fraction not separately quantified but structurally material.
RD-F-182 green Security-Council threshold reduction (RT) Security-Council threshold reduction signal. Jupiter does not have a named Security Council. Admin controls are 4-of-7 Team Cold Multisig and 4-of-7 Community Cold Multisig. DAO governance pause (June 2025) is an institutional/voluntary decision — not an on-chain cryptographic threshold reduction event. No publicly documented multisig threshold change for Jupiter program upgrade authority. Drift Protocol comparator (SC 3/5→2/5 + timelock removal, 6 days pre-$285M exploit) pattern NOT detected for Jupiter. Signal not firing.
Dev identity & insider risk Green 18 16 of 16
RD-F-111 yellow Team doxx status Meow: pseudonymous with consistent multi-year handle and strong track record (wBTC co-founder, Kyber/Instadapp/Blockfolio advisor, Breakpoint 2023 speaker). Siong Ong: real-name partially doxxed (LinkedIn, siong.com, Breakpoint 2024 keynote). Third co-founder: completely anonymous — no public handle or identity. Overall category: consistent-pseudonym-with-track-record for principals, with one anonymity gap.
RD-F-112 yellow Team public accountability surface Meow: strong accountability surface — wBTC co-founder (on-chain attributable), Handshake contributor, advisor at Kyber/Instadapp/Blockfolio, Breakpoint 2023 speaker, multiple podcasts (Blockworks Lightspeed, Unchained, VALR). Siong Ong: LinkedIn profile, personal site siong.com, Breakpoint 2024 keynote (on-stage). Third co-founder: zero public accountability trail. Average accountability depth across principals: yellow (strong for two; zero for one).
RD-F-113 yellow Team other-protocol involvement history Meow: wBTC co-founder (successful, operational); Handshake contributor (successful); Kyber/Instadapp/Blockfolio advisor (legitimate protocols). Also co-founder of Meteora — involved in LIBRA controversy (February 2025). Ben Chow (Meteora co-founder, NOT a Jupiter officer) resigned amid LIBRA insider trading allegations. Meow commissioned Fenwick & West independent investigation; no misconduct finding disclosed as of 2026-04-29. No confirmed rug history for any Jupiter principal.
RD-F-114 yellow Deployer address prior on-chain history Jupiter programs are Solana BPF upgradeable; upgrade authority is a Squads multisig (specific address not publicly disclosed), not an individual EOA deployer. Prior on-chain history of individual multisig members is not publicly enumerable. The Drift hack post-mortem explicitly notes Jupiter has a 12-hour timelock on admin actions as a positive comparator. Categorized as yellow (partial evidence: no documented adverse prior history, but deployer identity gap due to multisig structure and non-EVM substrate).
RD-F-121 yellow Contributor OSINT depth score Meow: ~4/5 OSINT depth (wBTC on-chain trail, Crunchbase, IQ.wiki, multiple podcast/conference appearances). Siong Ong: ~3/5 (LinkedIn, personal site, Breakpoint speaker). Third co-founder: ~1/5 (no discernible public trail). Average across three principals: ~2.7/5 → yellow territory.
RD-F-123 yellow Sudden admin-rescue/ACL change without discussion The June 2025 DAO governance pause and ASR structure change were made unilaterally by the Jupiter Foundation without a DAO vote. Community participants explicitly noted the decision was 'made behind closed doors, instead of through a DAO vote' (discuss.jup.ag). However, this is a governance-process centralization event, NOT a smart-contract ACL change. No covert on-chain program upgrade authority change is documented. Jupiter's protocol programs have a 12-hour timelock on admin actions (Drift hack post-mortem reference). The $140M CWG allocation (March 2025) followed proper DAO vote + prior forum discussion. YELLOW: governance process concern below the threshold of covert on-chain ACL change (the insider-implant signal class).
RD-F-116 gray Contributor tenure at admin-permissioned PR Jupiter's primary aggregator program source is a closed-source binary. GitHub org jup-ag contains only documentation repos and the archived jupiter-cpi (CPI interface, archived November 2025). No admin-permissioned PR from public GitHub can be assessed. Structural gray due to closed-source binary on non-EVM substrate.
RD-F-117 gray ENS/NameStone identity bound to deployer Jupiter is on Solana — EVM-specific ENS is not applicable. Solana Name Service (SNS/Bonfida) is the Solana analog but no public documentation of Meow or Siong binding a Solana domain to the upgrade authority wallet. Structural gray for ENS-specific assessment on non-EVM protocol.
RD-F-119 gray Commit timezone consistent with stated geography Jupiter's primary programs are closed-source binaries with no public git commit history to analyze for timezone distribution. The public jup-ag repos (docs, archived jupiter-cpi) are documentation-only and not representative of core team commit patterns. Structural gray — source not analyzable for commit timezone.
RD-F-122 gray Contributor paid to DPRK-cluster wallet No public on-chain payment streams to Jupiter contributors are identified. Team compensation is via off-chain payroll or the team cold multisig (JUP token vesting). The 4-of-7 team multisig address is not publicly disclosed, preventing 3-hop analysis for contributor wallet → DPRK cluster paths. Cannot be meaningfully assessed at OSINT tier for off-chain payroll companies per process-learnings guidance.
RD-F-184 gray Real-capital social-engineering persona No evidence that any external 'team contributor' or 'external integrator' persona has built credibility via ≥$1M capital deposits specifically targeting Jupiter. The Drift hack UNC4736 operation used >$1M deposits into Drift's ecosystem vault — this is a Drift-specific DPRK operation, not a Jupiter one. No reports of suspicious new contributor wallets with large deposits targeting Jupiter's governance or programs. Gray: no confirmed F184-pattern persona detected; cannot confirm absence by design (M-only OSINT factor; reference pattern is Drift/UNC4736 for comparator).
RD-F-115 green Prior rug/exit-scam affiliation No confirmed rug or exit-scam affiliation for any Jupiter principal. JUP token post-launch price drop sparked temporary rug allegations (Cryptopolitan) but no confirmed rug — the price decline was market-driven, not a team exit. LIBRA/Meteora: Ben Chow (Meteora CEO, not a Jupiter officer) resigned; Meow denied misconduct and commissioned Fenwick & West investigation; no adverse finding publicly disclosed. Hacksdatabase search for 'jupiter' returns only drift-protocol-rekt.md (JLP as victim asset in Drift hack, not Jupiter rug). Green.
RD-F-118 green Handle reuse across failed/rugged projects Meow handle (@weremeow / 'Meow') used consistently across wBTC co-founding, Handshake, and Jupiter — all legitimate successful protocols, no abandoned failed projects. Siong Ong (@sssionggg) shows no prior failed project associations. No handle reuse across rugged/failed projects documented.
RD-F-120 green Video-off/voice-consistency flag Meow appeared in live-streaming events (Catstanbul 2025, live-streamed on X, January 2025) and multiple podcast audio appearances. Siong Ong presented on-stage at Breakpoint 2024 (physically present, named in official program). No video-off pattern or voice inconsistency flagged in any public source. Low-confidence green (low-priority P2 factor with inherently subjective assessment).
RD-F-124 green Deployer wallet mixer-funded within 30 days Jupiter is deployed on Solana (non-EVM). Tornado Cash and Railgun are EVM-specific mixers with no direct Solana equivalent. Program upgrade authority is held by a Squads multisig, not an individual EOA. No evidence of mixer interaction for any privileged Jupiter wallet in public reporting or CTI sources. The 30-day window cannot be formally verified without Solscan access (403 during assessment) or Squads multisig member wallet histories (not disclosed), but multi-source negative search returned no mixer-funding evidence.
RD-F-125 green Deployer linked within 3 hops to DPRK/Lazarus No evidence linking Jupiter founding team, deployer wallets, or program upgrade authority to a DPRK/Lazarus cluster. The Drift Protocol hack (2026-04-01) involved DPRK operatives (UNC4736) stealing JLP tokens from Drift's vaults — this is attacker-used-Jupiter-as-drain-venue, NOT Jupiter team DPRK linkage. OFAC SDN list does not include Meow, Siong Ong, or known Jupiter team members. Multi-source CTI search returned no Jupiter→DPRK proximity finding. The Upbit JUP token theft was also attacker using JUP as stolen asset, not a team linkage.
Fork / dependency lineage Yellow 33 10 of 10
RD-F-135 yellow Shared-library version with known-vuln status Open-source jup-ag/distributor uses Anchor 0.28.0 and Solana 1.16.25 — both significantly behind current versions (Anchor 1.0.0 released April 2026, Solana 2.x available). No specific critical CVE/GHSA targeting Anchor 0.28.0 identified in searches. Core program library versions are opaque (closed-source). Yellow: older pinned versions in inspectable open repos, no identified active critical CVE, but core program library recency unknown.
RD-F-126 n/a Is-a-fork-of Jupiter is an original implementation — not a fork of any upstream protocol. The DEX aggregator was built from scratch on Solana (October 2021). Jupiter Perps uses JLP pool model with design inspiration from GMX's GLP, but is confirmed as an original Rust/Anchor implementation, not a codebase fork. Research and protocol history documentation confirm no Solana-native DEX aggregator predecessor existed to fork from.
RD-F-127 n/a Upstream patch not merged Not a fork; no upstream protocol to track patches from. N/A by construction.
RD-F-128 n/a Upstream vulnerability disclosure (last 90d) Not a fork; no upstream vulnerability disclosures to inherit. N/A.
RD-F-129 n/a Code divergence from upstream (%) Not a fork; no upstream codebase to measure divergence against. N/A.
RD-F-130 n/a Fork depth (generations from original audit) Not a fork; fork depth = 0 (this is an original protocol, not a fork of anything). N/A.
RD-F-131 n/a Fork retains upstream audit coverage Not a fork; no upstream audit coverage to inherit or retain. Jupiter has its own independent audit history (17 engagements). N/A for this factor's purpose.
RD-F-132 n/a Fork has different economic parameters than upstream Not a fork; no upstream audited economic parameters to compare against. N/A.
RD-F-133 gray Dependency manifest uses unpinned versions Primary programs are closed-source binaries — Cargo.toml/package.json not publicly accessible. Open-source sub-repos: jup-ag/distributor pins Anchor 0.28.0, solana 1.16.25, rust 1.68.0 (pinned exact versions — positive); jup-ag/jup-lock uses Anchor build system (version not fully visible). Core program dependency pinning cannot be verified. Gray per methodology: dependency manifest not accessible for core programs.
RD-F-134 gray Dependency had malicious-release incident (last 90d) No GitHub Security Advisory flagging a malicious release in Jupiter's dependency chain identified in the last 90 days (trailing 2026-04-29). However, complete dependency manifest is not accessible for closed-source core programs — cannot run cargo audit or npm audit on the full dependency tree. Gray per methodology: dependency list not fully accessible.
Post-deploy hygiene & change mgmt Red 57 13 of 13
RD-F-136 red Deployed bytecode matches signed release tag Cannot verify — aggregator and perps programs are closed-source binaries. jup-ag/metis-binary shows binary releases but no signed git tags linking binary to source commit hash. Jupiter Lend (open-source) has a Code4rena competition snapshot at a fixed commit, which is more verifiable. Cannot confirm for the core closed-source programs that deployed bytecode matches any signed release.
RD-F-137 red Upgrade frequency (per 90 days) jup-ag/metis-binary shows 9 binary releases from December 2024 to April 2025 (5 months) — approximately 7 releases in any trailing 90-day window. This represents very high upgrade frequency. Jupiter Lend was also actively developed with 7+ audit engagements across 2025. High frequency creates heightened drift risk.
RD-F-139 red Post-audit code changes without re-audit CRITICAL: Jupiter Aggregator v6 is a closed-source binary. The metis-binary repo shows 9+ releases in 5 months (Dec 2024–Apr 2025) after the April 2024 Offside Labs audit. October 2025 Offside Labs re-audit covers the state at that time, but: (1) whether metis-binary releases correspond to on-chain program upgrades cannot be confirmed; (2) post-October 2025 binary updates are likely given the release cadence; (3) source unavailability makes it structurally impossible to verify that the deployed binary corresponds to any audited state at any time. By construction, a closed-source binary with frequent updates cannot have all updates independently verified against audit coverage.
RD-F-138 yellow Hot-patch deploys without timelock (last 30 days) Frequent binary releases of the aggregator (metis-binary) occur without any documented timelock process. Squads multisig signature threshold is the only control — zero additional time delay. This is the Solana-native equivalent of hot-patch deploys without timelock. However, the multisig threshold (≥4 signers required) is a meaningful control even without a timelock delay.
RD-F-145 yellow Deployed bytecode reproducibility Aggregator and perps programs: not reproducible by third parties — closed-source binary. Jupiter Lend (open-source): Code4rena repo specifies rustc 1.81.0 + Solana CLI 2.3.0, making reproducible build theoretically possible from published source. However no independent build verification is documented. Mixed: open-source Lend is yellow (spec provided but not verified); closed-source aggregator/perps are non-reproducible.
RD-F-146 yellow New contract deploys in last 30 days Closed-source aggregator program had 9+ binary releases in 5 months post-April 2024 audit per code-security-analyst handoff. Multi-product surface (Aggregator + Perps + Lend + JupSOL + Studio) with high deployment rate; Lend launched Feb 2026 (Code4rena audit), JupUSD planned. Active development pace creates persistent post-audit surface drift unless re-audit cadence matches.
RD-F-140 gray Fix-merged-but-not-deployed gap Cannot assess — closed-source aggregator and perps programs. No public source repository to compare repo state to deployed binary. Structural data gap.
RD-F-141 gray Test-mode parameters in deploy Cannot assess — closed-source aggregator and perps programs. Jupiter Lend (open-source) code reviewed in Code4rena repo shows no explicit test-mode flags in the reviewed admin contexts. Cannot confirm for closed-source programs.
RD-F-142 n/a Storage-layout collision risk across upgrades EVM proxy storage layout collision pattern does not apply to Solana programs. Solana program upgrades replace the entire BPF binary — account layout changes are managed at the Anchor IDL deserialization level, not via storage slots. The EVM-specific storage layout collision risk mechanism does not exist in the Solana substrate.
RD-F-143 gray Reinitializable implementation (no _disableInitializers) Solana programs do not use the EVM proxy+implementation pattern or OZ _disableInitializers(). Anchor programs use account discriminators that prevent re-initialization by construction (init constraint). Jupiter Lend's InitLendingAdmin and InitLending contexts use Anchor's standard init constraint. EVM proxy takeover pattern does not exist in the Solana BPF model. Gray due to substrate mismatch — analogous Solana risk not apparent but cannot be fully verified for closed-source core programs.
RD-F-144 n/a CREATE2 factory permits same-address redeploy Solana does not use CREATE2 (EVM-specific opcode). Solana programs are deployed via BPF Upgradeable Loader and cannot be redeployed to the same address with different bytecode without the upgrade authority executing an explicit upgrade. Not applicable to Solana substrate.
RD-F-185 n/a Bridge rate-limiter / chain-pause as positive mitigant Jupiter is not a bridge. No bridge surface identified per profile (has_bridge_surface: false). The Solana network has had historical validator-coordinated pauses, but these are network-level events, not protocol-level rate-limiters implemented by Jupiter. Jupiter has not implemented a protocol-level withdrawal rate-limiter or emergency chain-pause capability. Factor applies to bridges only per taxonomy definition.
RD-F-168 green Stale-approval exposure on deprecated router The jupiter-cpi repo (CPI interface shim) was archived November 2025. Jupiter aggregator does not require persistent ERC-20-style unlimited approvals — each Solana swap requires user-signed transaction approval per transaction. Stale approval risk is materially lower than EVM approve-once patterns. No deprecated contracts holding meaningful user approval surface identified.
Cross-chain & bridge Gray 0 12 of 12
RD-F-147 n/a Protocol has bridge surface Jupiter is Solana-only. No bridge surface operated by Jupiter. Profile §7: has_bridge_surface=false, is_a_bridge=false. Data cache: cross_chain=false, layerzero_bridge=false. JUP token bridging to EVM via Wormhole/Portal is third-party operated — outside Jupiter's protocol scope. Cat 10 is N/A for all 12 factors.
RD-F-148 n/a Bridge validator count (M) No bridge surface. Gates on F147 (no bridge). Cat 10 N/A for Jupiter.
RD-F-149 n/a Bridge validator threshold (k-of-M) No bridge surface. No bridge validator threshold to assess.
RD-F-150 n/a Bridge validator co-hosting No bridge surface. No bridge validator co-hosting to assess.
RD-F-151 n/a Bridge ecrecover checks result ≠ address(0) [★ CRITICAL — N/A] Jupiter is Solana-native. No EVM ecrecover pattern used by any Jupiter-operated component. No bridge operated by Jupiter uses ecrecover for message validation. F151 Wormhole-class ecrecover zero-address check is not applicable.
RD-F-152 n/a Bridge binds message to srcChainId No bridge surface. No cross-chain message struct to assess.
RD-F-153 n/a Bridge tracks nonce-consumed mapping No bridge surface. No nonce-consumed replay mapping to assess.
RD-F-154 n/a Default bytes32(0) acceptable as valid root [★ CRITICAL — N/A] No Jupiter-operated bridge uses Merkle root-based message verification. No default-value (bytes32(0)) Merkle root acceptance pattern exists in Jupiter. Nomad $190M bug class is not applicable. Jupiter is Solana-only with no bridge operation.
RD-F-155 n/a Bridge validator-set rotation recency No bridge surface. No bridge validator set rotation to assess.
RD-F-156 n/a Bridge uses same key custody for >30% validators No bridge surface. No bridge validator custody concentration to assess.
RD-F-157 n/a Bridge TVL per validator ratio No bridge surface. No bridge TVL per validator ratio to compute.
RD-F-179 n/a LayerZero OFT DVN config (count, threshold, diversity) layerzero.present=false per data cache (00-data-cache.json). Jupiter does not operate a LayerZero OFT adapter. JUP token may be bridgeable via Wormhole/Portal (third-party operated), but those bridges are not Jupiter-operated and are outside scope. F179 LayerZero DVN configuration is not applicable.
Threat intelligence & recon Yellow 44 8 of 8
RD-F-161 red Protocol-impersonator domain registered (typosquat) Multiple confirmed active protocol-impersonator domains documented: jup-v2.com, jup-airdrop.onspace.app, jupgifts.com, jup.ag-rewards.lat (flagged by 2 security vendors 2026-04-25), jup-ag.gd, jupbox.net, ijup.ag, jup-drop.live, jup-solution.world, jupag.uk. Active wallet-draining phishing operations confirmed (Jupiter JUP Rewards Scam, Jupiter Airdrop Scam). jup.ag-rewards.lat confirmed within 90-day window (flagged 2026-04-25 = 4 days before assessment). The Feb 2025 X account compromise demonstrated amplified adversarial capability. Red finding: multiple registrations within 90d window with active phishing victims confirmed.
RD-F-163 yellow Avg attacker reconnaissance time for peer-class protocols Class-level statistic from hack DB. Jupiter Perps is structurally similar to Drift Protocol (Solana-native perpetuals DEX). Drift Protocol Apr 2026 DPRK exploit: 6-month reconnaissance/persona-building phase before $285M exploit. This establishes 78–180 days as a plausible recon timeline for DPRK-class actors targeting Solana perps protocols. Jupiter Perps is a high-value target in the same asset class. The DEX aggregator sub-protocol has a lower DPRK target profile than perps. Yellow due to Drift comparator proximity.
RD-F-158 gray Known-threat-actor cluster has touched protocol Known threat-actor wallet signal applicable — DPRK/Lazarus active on Solana (Drift Protocol Apr 2026 DPRK exploit; Bybit 2025 Solana laundering). No public attribution of DPRK/Lazarus wallets interacting with Jupiter core contracts within last 30 days. Chainalysis/TRM Solana private cluster data not accessible. Public OSINT search returned no Jupiter-DPRK intersection. Requires partner TI feed for definitive assessment.
RD-F-159 n/a Attacker wallet pre-strike probe (low-gas failing txs) v1-deferred per T-09 §3.3. Solana has no public mempool stream for monitoring low-gas failing probe transactions. Factor requires a Solana-native monitoring adapter not available in standard tooling.
RD-F-162 n/a Known-exploit-template selector deployed by any address v1-deferred per T-09 §3.3. No public Solana exploit-template database maintained. Signal requires an exploit-template DB, which does not exist for Solana Anchor programs.
RD-F-164 gray Leaked credential on paste/sentry site No public evidence of Jupiter infrastructure credentials on paste sites, Sentry, or credential dumps found via WebSearch. Gap: paste-site monitoring requires a dedicated feed (DomainTools or equivalent) not available at T-10 static assessment tier. Production pipeline should add paste-site scan.
RD-F-165 gray Protocol social channel has scam-coordinator flag No curator-maintained scam-coordinator watchlist available at this assessment tier. Jupiter Discord (discord.gg/jup) is active. Social engineering targeting validated by Feb 2025 X account compromise — adversarial interest in Jupiter's social channels is confirmed. No specific scam-coordinator flagged for the Discord server in public sources.
RD-F-160 green GitHub malicious-dependency incident touching protocol deps No GitHub security advisory (GHSA) flagged for jup-ag repositories as of 2026-04-29. Primary program is closed-source — external dependency graph not publicly inspectable. Public repos (docs, tools) have minimal security-critical dependencies. No malicious-dependency incident touching Jupiter deps in public advisories.
Tooling / compiler / AI Green 0 5 of 5
RD-F-170 n/a Solc version used (known-bug versions flagged) Jupiter programs are compiled with the Rust/BPF toolchain (rustc), not the Solidity compiler (solc). The solc known-bug list is irrelevant. No Vyper either. Structural N/A for Solana Rust programs. Per non-EVM template: Cat 12 Solidity-specific factors are N/A for Solana/Anchor/Rust programs.
RD-F-171 n/a Bytecode similarity to audited upstream with behavior deviation No audited upstream protocol to compare bytecode against (Jupiter is original). EVM bytecode diff tools do not apply to Solana BPF programs. Closed-source binary additionally prevents bytecode derivation from source. Double N/A: no fork + no accessible source + non-EVM substrate.
RD-F-172 gray Repo shows AI-tool co-authorship in critical files Primary programs are closed-source — commit history not publicly accessible. Open-source sub-repos (distributor, jup-lock, jupiter-cpi) visible on GitHub, but commit-by-commit AI co-authorship inspection is limited from repo overview pages. No 'Co-authored-by: GitHub Copilot' trailers identified in any accessible commit metadata. Gray: core program history inaccessible; peripheral repo inspection limited.
RD-F-174 n/a Dependency tree uses EOL Solidity version Solidity EOL version check is not applicable (programs are Rust/BPF, not Solidity). Rust uses a rolling-release MSRV model without hard EOL designations comparable to Solidity versioning. The open-source distributor uses Rust 1.68.0, which is not declared EOL. Structural N/A for Solidity EOL assessment.
RD-F-173 green Team self-disclosure of AI-generated Solidity No public disclosure from Jupiter team (blog, Twitter/X, docs) disclosing use of AI-generated Rust/Anchor code in security-critical program paths. Searches for Jupiter AI-generated code disclosures returned no relevant results. Green by confirmed absence of disclosed AI-generated security-critical code, with medium confidence.
Response & disclosure hygiene Green 17 4 of 4
RD-F-175 yellow Disclosure channel exists Disclosure channel exists — ooosec.com bug bounty program (https://ooosec.com/programs/jupiter) active with 10 resolved reports, $35,300 total paid. Program launched approximately March–April 2026 (~1 month old at assessment). Yellow because: program is very new with limited evidence of sustained monitoring; no SIRT email / secondary security contact; ooosec.com is a non-mainstream platform vs. Immunefi or HackerOne. Not red because the channel demonstrably exists and has been used (10 resolved reports).
RD-F-176 yellow Disclosure SLA public The ooosec.com program page lists a response commitment of ~2 days 6 hours and triage of ~1 day 12 hours, functioning as an informal SLA. No formally published acknowledgment-time SLA in a public policy document. 00-profile.md records a '24 hours committed response.' Yellow = SLA exists at platform level but is not independently published or documented with adherence evidence.
RD-F-177 green Prior known-ignored disclosure No evidence of any prior vulnerability disclosure that was reported to Jupiter and not actioned before an exploit. Neither operational incident (X hack, airdrop) involved a pre-disclosed vulnerability. rekt.news and hacksdatabase empty for Jupiter protocol incidents. No post-mortem references received-but-not-actioned disclosure.
RD-F-178 green CVE/GHSA advisory issued against protocol No CVE or GHSA advisory issued against Jupiter or its programs. GitHub Advisory Database search for jup-ag organization returns no advisories. NVD CVE search for 'Jupiter DEX' / 'Jupiter Solana' returns no relevant results (only JupiterOne — a different company). Green = no advisory issued.
rubric_version v1.7.0 graded_at 2026-05-12 04:38:07 factors 184 protocol jupiter