defirisk.co
rubric v1.7.0

Sanctum

Solana LST infrastructure layer comprising three core products: (1) Infinity — a multi-LST AMM pool where users deposit SOL or any supported LST to receive the INF yield-bearing receipt token; prices are derived from on-chain stake-pool exchange rates, not external DEX oracles. (2) Router — an on-chain aggregator enabling LST-to-SOL and LST-to-LST swaps by cross-invoking SPL stake-pool deposit/withdraw instructions. (3) Unstake / Reserve — an instant-unstake program providing fee-based SOL liquidity without waiting for epoch unbonding. Also operates Gateway (transaction-delivery aggregator, V2 expansion 2025) and hosts single-validator LST infrastructure for partners including Binance (BNSOL), Bybit (bbSOL), and Jupiter (jupSOL). CLOUD is the governance token (launched July 2024). Originally launched as unstake.it in July 2022; rebranded to Sanctum; Infinity launched Q1 2024; Infinity V2 launched March 2026.

Sector non_evm_lst_liquidity
TVL $1.4B
Reviewed May 12, 2026
Factors 184
Categories 13
Risk score 30.4
Deployments Solana · $1.4B
01 Risk profile at a glance

1 red · 6 yellow · 5 green
02 Categories & evidence

184 factors · 13 categories
Code & audits Yellow 35 25 of 25
RD-F-001 red Audit scope mismatch verify.osec.io confirms hash mismatch for the Infinity/S Controller program: on-chain hash 25d3ade9... does not match executable hash 9bbcaada... at audited commit 4e35462. The program was upgraded to V2 (inf-1.5, commit c695912, March 2026) with no identified audit covering V2. Router program (stkitrT1...) has no verified build and no identified audit. Unstake program (unpXTU2...) is unlinked on verify.osec.io.
RD-F-002 red Audit recency Most recent Infinity audits are from February 2024 (~815 days ago, exceeding the 730-day red threshold). Furthermore, the deployed program reflects V2 code (March 2026) which has no identified audit. Unstake audit is July 2023 (~1014 days). Router: no audit found.
RD-F-007 red Bug bounty presence & max payout No public bug bounty program exists for Sanctum (sanctum.so / igneous-labs) as of 2026-05-04. CertiK Skynet explicitly confirms 'No third-party bounty program.' Data cache confirms bug_bounty.platform null. SECURITY.md absent. $1.37B TVL with zero bounty coverage.
RD-F-009 red Formal verification coverage No formal verification (Certora, Kani, Halmos) found for any Sanctum program. The three Infinity audits are code-review audits only. No invariant specification files found in igneous-labs/S, inf-1.5, or sanctum-unstake-program repos. Soteria static analyzer referenced in unstake-program README is not a formal verifier.
RD-F-003 yellow Resolved-without-proof findings Sanctum FAQ states all Infinity V1 issues were remediated. Audit PDFs are binary and finding-by-finding verification is not possible via WebFetch. No disclosed exploit or public contradiction of remediation claims. V2 codebase has no audit so post-audit drift is structurally unverifiable.
RD-F-004 yellow Audit count Three distinct firms audited Infinity V1 (OtterSec, Neodyme, Sec3, all Feb 2024). One firm audited the Unstake program (Sec3, July 2023). Router: zero identified audits. For the current deployed Infinity state (V2, March 2026), effective audit count = 0. Historical audit count ≥ 2 for V1 only.
RD-F-005 yellow Audit firm tier Neodyme (Tier-1 Solana), OtterSec (Tier-1 Solana), Sec3 (Tier-2 Solana) audited Infinity V1. All are reputable. However, green requires Tier-1 audit of currently deployed bytecode; V2 (March 2026) has no identified audit from any tier.
RD-F-006 yellow Audit-to-deploy gap Infinity V1: audits ~Feb 2024 with Q1 2024 launch — gap approximately 0-60 days (green). Unstake: Sec3 audit July 2023 but program launched July 2022, making it a post-deployment audit (inverts measurement). Controller V2: March 2026 deployment with no preceding audit (gap undefined). Overall yellow given mixed signals.
RD-F-024 yellow Code complexity vs audit coverage Three Tier-1/2 firms audited Infinity V1 (Feb 2024) — 7 sub-programs per .verified-build.json. Audit depth appears adequate for V1. However, inf-1.5 (348 commits, V2 March 2026) represents a substantial rework with no identified audit, making the current code-to-audit coverage ratio poor. The Unstake audit (Sec3 July 2023) appears proportionate for its scope.
RD-F-010 gray Static-analyzer high-severity count Slither/Mythril/Semgrep are EVM tools and do not run on Solana BPF bytecode. No published cargo-audit or Clippy report is publicly available. Audit summaries claim full remediation for V1 but no tooling output is verifiable for the current V2 state or Router program.
RD-F-011 n/a SELFDESTRUCT reachable from non-admin path SELFDESTRUCT is an EVM opcode. Solana BPF programs do not have an equivalent self-destruct mechanism. Not applicable to Sanctum's Solana programs.
RD-F-012 n/a delegatecall with user-controlled target EVM delegatecall opcode does not exist in Solana BPF. Solana uses CPIs (Cross-Program Invocations) which invoke target programs in their own context, not the caller's. Not applicable to Sanctum's Solana programs.
RD-F-015 n/a ERC-777/1155/721 hook without reentrancy guard ERC-777 and ERC-1155 are EVM token standards with callback hooks. Sanctum uses Solana SPL Token which has no callbacks. Not applicable.
RD-F-019 n/a ecrecover zero-address return unchecked ecrecover is an EVM precompile. Solana uses Ed25519 signature verification via the ed25519_program system program, which is binary (valid/invalid) with no zero-address return. Not applicable to Sanctum's Solana programs.
RD-F-020 n/a EIP-712 domain separator missing chainId EIP-712 is an EVM standard for structured data signing. Solana programs do not use EIP-712 domain separators. Not applicable to Sanctum's Solana programs.
RD-F-021 n/a UUPS _authorizeUpgrade correctly permissioned UUPS is an EVM proxy pattern. Solana uses BPF upgradeable loader for program upgrades. Upgrade authority for Infinity is the Sanctum Multisig. No in-program _authorizeUpgrade function exists. Not applicable.
RD-F-023 n/a Constructor calls _disableInitializers() _disableInitializers() is an OZ pattern for EVM proxy implementations. Solana programs have no implementation contract concept. Anchor discriminator system provides structural equivalent protection. Not applicable.
RD-F-183 gray Bug bounty scope gap on highest-TVL contracts No public bug bounty program exists for Sanctum. Per methodology, when no bounty program exists (RD-F-007 red), RD-F-183 is gray because the factor presupposes a bounty scope to assess gaps in. The absence of any bounty for a $1.37B TVL protocol is captured by RD-F-007.
RD-F-008 green Ignored bounty disclosure No known security exploits have targeted Sanctum on-chain programs. Data cache confirms 0 Rekt incidents and 0 DefiLlama hacks. No post-mortem references an ignored disclosure. Cannot confirm active monitoring of disclosures given no public disclosure channel, but no incident history to assess against.
RD-F-013 green Arbitrary call with user-controlled target Anchor framework enforces program ID validation on all CPI calls via Program<'info, T> account type. Anchor 0.28.0 (unstake-program Cargo.lock). No arbitrary-CPI finding in any published audit. No unmitigated arbitrary-CPI finding identified.
RD-F-014 green Reentrancy guard on external-calling functions Solana execution model enforces max CPI depth of 4 and account ownership rules preventing re-entry in inconsistent state. Anchor account system constrains re-entry. No reentrancy finding in any published audit.
RD-F-016 green Divide-before-multiply pattern Rust requires explicit checked_mul/checked_div operations; no implicit arithmetic promotion. No divide-before-multiply finding in any published Infinity or Unstake audit.
RD-F-017 green Mixed-decimals math without explicit scaling Sanctum Infinity and Router operate over LSTs that all use SOL-based exchange rates (9 decimals). The sol_val_calc programs normalize SOL valuations. No cross-decimal arithmetic risk by design. No mixed-decimals finding in any audit.
RD-F-018 green Signed/unsigned arithmetic confusion Rust type system enforces signed/unsigned separation at compile time; implicit casts generate Clippy warnings. No signed/unsigned confusion finding in any published audit.
RD-F-022 green Public initialize() without initializer modifier EVM initialize()+initializer modifier pattern is OpenZeppelin-specific. Anchor uses account discriminators and #[account(init)] constraints enforced at the Solana runtime level — an account can only be initialized once (runtime rejects re-initialization). This is a structural safety guarantee. No initialize() vulnerability class identified in any of the four published audits.
Governance & admin Yellow 25 24 of 24
RD-F-032 red Timelock duration on upgrades No independent on-chain timelock controller identified for program upgrades or sensitive actions. Squads V4 has an optional timelock feature but whether Sanctum enables it is unconfirmed. Futarchy governance has a ~7-day trading window but this is advisory and does not constrain multisig execution timing. No minimum delay between a governance decision and multisig execution is enforced on-chain. Profile §6 explicitly flags: 'Timelock (if any): Not identified in public documentation.'
RD-F-033 red Timelock on sensitive actions No confirmed timelock on any action category: program upgrades (Squads multisig only), CLOUD supply changes (4-of-7 multisig), pool parameter changes (SPL stake pool manager = same multisig). Futarchy vote window provides de facto delay for community-governed decisions but does not constrain multisig execution. No TimelockController equivalent identified.
RD-F-025 yellow Admin key custody type Program upgrade authority held by Squads multisig vault PDA for core programs (Infinity, Router, Unstake). CLOUD supply governed by two cold multisigs (4-of-7 each), each with 3 named external ecosystem signers. Hybrid model: Squads multisig + nascent futarchy governance via MetaDAO. No independent timelock controller identified. Green baseline (multisig exists) but downgraded to yellow due to absent timelock.
RD-F-026 yellow Upgrade multisig signer configuration (M/N) CLOUD supply multisigs: 4-of-7 (Team Cold address DEnpgmzoAGKXjRCGoLTALm91XMAw88q6npDHPRAmMQj1; Community Cold address not enumerated). Program upgrade multisig: 5-of-8 Squads V3 per one source; 6-of-10 per another source (discrepancy noted). LST programs: 11-member ecosystem multisig (Jito, Jupiter, Laine, Mango, MRGN, Solblaze, SolanaFM, Sanctum + others). Exact upgrade-authority addresses for core programs not on-chain-confirmed from public evidence.
RD-F-028 yellow Low-threshold multisig vs TVL CLOUD supply: 4-of-7 per $CLOUD Genesis blog. Program upgrade: 5-of-8 (one source) or 6-of-10 (Infinity V2 announcement). LST programs: 11-member majority. At $1.37B TVL, 4-of-7 is at the lower end of peer norms. 3 of 7 CLOUD signers are named external parties (Stepan/Squads, Robert/Neodyme, Soju/Jupiter) providing accountability. Exact program-upgrade multisig M/N for the programs directly securing TVL cannot be fully confirmed.
RD-F-034 yellow Guardian/pause-keeper distinct from upgrader No dedicated guardian/pause-keeper role with a distinct address identified. The SPL stake pool manager role (held by Sanctum multisig) can pause/modify pools and is the same entity as the upgrade authority. Sanctum does mention emergency pause functionality in marketing materials but no separate guardian multisig with distinct address confirmed.
RD-F-035 yellow Role separation: upgrade ≠ fee ≠ oracle On Solana, EVM-style role separation does not map cleanly. Program upgrade authority (Squads multisig) likely also controls fee parameters for Infinity/Router/Unstake. No oracle role exists (Sanctum does not use external oracles — F053 pre-marked green by profiler). Two-of-three role separation: upgrade and fee-admin appear co-located in same multisig; oracle role N/A. Partial separation only.
RD-F-038 yellow Proposal execution delay < 24h Futarchy proposals involve a trading period (~7 days based on MetaDAO norms) before resolution. However, once resolved, on-chain execution requires a separate multisig action at the team's discretion. No on-chain enforcement of minimum delay between futarchy decision and multisig execution. Governance-to-execution gap exists — execution timing is not constrained.
RD-F-040 yellow Emergency-veto multisig present No formal emergency-veto multisig or guardian role identified in public documentation. The CLOUD supply multisig provides a check on token issuance. Futarchy proposals can be opposed via trading (bearish bets), but this is market-based not a formal veto. No evidence of a smart-contract cancel or veto mechanism for governance decisions.
RD-F-041 yellow Rescue/emergencyWithdraw without timelock No EVM-style rescue/emergencyWithdraw function exists on Solana. However: program upgrade authority (Squads multisig) can deploy a malicious upgrade with no independent timelock beyond multi-party signing; SPL stake pool manager role can immediately redirect parameters; no emergency withdrawal path with timelock confirmed. Primary risk is the absent timelock on upgrades (F032/F033). Functional rescue analog (upgrade-to-drain) exists but requires multisig coordination, reducing but not eliminating risk.
RD-F-046 yellow Contract unverified on Etherscan/Sourcify On-chain programs are open source on GitHub (igneous-labs org) and support solana-verify reproducible builds. Original Infinity V1 (S program) was open-source at audit time. However: (a) Controller Program V2 (inf-1.5, March 2026) is the live Infinity V2 codebase — no audit PDF for this version found in sanctum-static/audits/ (contains only V1 PDFs); (b) Router program audit coverage unconfirmed; (c) on-chain verified state for V2 bytecode not confirmed via solana-verify output in public sources.
RD-F-047 yellow Governance token concentration (Gini) CLOUD distribution: 25% team + 13% investors + 11% strategic reserve = ~49% insider/foundation controlled. 30% community reserve in multisig. 20% launched to public (10% airdrop + 10% LFG pool). Team and investor tokens vest 3 years with 1-year cliff. All 4 distribution multisigs are restricted from governance voting. CLOUD market cap ~$10.65M (price $0.02) — low relative to $1.37B TVL, meaning governance influence achievable at relatively low cost. No Gini coefficient available.
RD-F-029 gray Multisig signers co-hosted Signer addresses for program upgrade multisig not publicly enumerated. Three named external signers are at independent organizations (Squads Protocol, Neodyme, Jupiter). Internal Sanctum team signers are unnamed. Co-hosting of infrastructure cannot be confirmed or denied from public data.
RD-F-030 gray Hot-wallet signer flag Signer addresses for program upgrade multisig not publicly disclosed. Cannot assess on-chain signing behavior. Three named external signers are from credible organizations (Squads, Neodyme, Jupiter), suggesting non-hot-wallet patterns, but on-chain confirmation is impossible without addresses.
RD-F-044 gray Admin wallet interacts with flagged addresses Program upgrade authority is a Squads multisig vault PDA (not a traditional EOA). Individual signer addresses not publicly disclosed. Cannot assess on-chain interactions with flagged addresses.
RD-F-027 green Single admin EOA No single EOA holds upgrade authority. Profile §3 confirms upgrade authority for Infinity is the Sanctum Multisig (Squads vault PDA). The four CLOUD supply distribution multisigs (Team Cold, Community Cold, Team Ops, Community Ops) are confirmed 4-of-7 per the official $CLOUD Genesis Mint and Accountability blog; each multisig has 7 signers including 3 named Independent Ecosystem Signers (Stepan/Squads, Robert/Neodyme, Soju/Jupiter) and a 4-signer threshold. The program upgrade multisig threshold for Infinity/Router/Unstake is reported by third-party sources as 5-of-8 Squads V3 (SolanaCompass) or 6-of-10 (SolanaFloor's Infinity V2 announcement); the exact M/N for the upgrade authority is unresolved across public sources, but neither candidate is an EOA. Solana BPFLoaderUpgradeable model requires explicit upgrade authority assignment at deploy time; confirmed as multisig, not EOA.
RD-F-031 green Signer rotation recency No publicly documented signer-set change events found for Sanctum's Squads multisig. No threshold reduction events identified. CLOUD governance proposals on research.sanctum.so do not include multisig rotation proposals. No DPRK-precursor pattern (threshold reduction within 14d of other weakening events) identified.
RD-F-036 green Flash-loanable voting weight Sanctum governance uses MetaDAO futarchy (decision markets, not token snapshot voting). Flash-loan voting attack requires point-in-time balance snapshot — futarchy decisions are expressed via conditional trading volume ($10 minimum per proposal). CLOUD supply multisig holders are explicitly restricted from participating in DAO votes. Flash-loanable voting weight is structurally inapplicable to this governance architecture.
RD-F-037 green Quorum achievable via single-entity flash loan Futarchy governance has no quorum concept — proposals resolve via market price signal. A single entity cannot achieve quorum via flash loan in this architecture. CLOUD multisig holders (largest holders) are restricted from governance participation. Not achievable via flash loan.
RD-F-039 green delegatecall/call in proposal execution without allowlist Not applicable. Solana does not support delegatecall. Sanctum uses MetaDAO futarchy governance, not an EVM-style Governor/Timelock executor. Proposal execution in futarchy settles via conditional market outcomes — no arbitrary calldata execution. Even if a decision passes, it must be executed by the multisig which is constrained to normal Solana instruction types.
RD-F-042 green Admin has mint() with unlimited max CLOUD total supply is fixed at 1,000,000,000 tokens — no admin-callable mint function with unlimited max. INF (Infinity receipt token) minting is governed by the SPL stake pool program proportional to SOL deposits, not at admin discretion. The 4-of-7 multisig controls distribution of pre-minted tokens from cold storage, not new minting. No unlimited mint authority identified.
RD-F-043 green Admin = deployer EOA after 7 days Solana BPFLoaderUpgradeable requires upgrade authority to be set at deploy time. Profile §3 confirms upgrade authority for Infinity is Sanctum Multisig. No evidence of deployer EOA retaining admin roles post-deploy. The Solana model effectuates transfer to multisig at deploy time, not within a post-deploy 7-day window.
RD-F-045 green Constructor args match governance proposal Solana programs do not use constructor args in the EVM sense. CLOUD token distribution was publicly announced; the 4-multisig structure was documented in the genesis mint blog matching the announced tokenomics. No material discrepancy found between announced and deployed parameters.
RD-F-167 green Deprecated contract paused but pause reversible by live admin No deprecated Sanctum program contracts with material TVL identified. The unstake.it branding was retired but the Unstake program (unpXTU2Ndrc7WWNyEhQWe4udTzSibLPi25SXv2xbCHQ) is the same active on-chain program. The unstake.it domain was lost to a third party in July 2024, but the on-chain program was unaffected. Socean Stake Pool (2021 predecessor) is separate. No active deprecated contracts holding material value identified.
Oracle & external dependencies Yellow 20 17 of 17
RD-F-050 yellow Dependency graph (protocols depended upon) Multi-counterparty dependency is structurally novel. Sanctum's core dependency graph: (1) SPL Stake Pool program SPoo1Ku8WFXoNDMHPsrGSTSG1Y47rzgn41SLUNakuHy — canonical upstream program cross-invoked by Router and read by Infinity; audited OtterSec Jan 2023; upgrade authority = 11-member multisig. (2) Each partner LST's stake pool program (jitoSOL, mSOL, bSOL, jupSOL, BNSOL, bbSOL, and dozens more in Infinity basket) — each a distinct dependency; failure in any propagates proportionally into INF NAV. (3) Solana runtime / Agave consensus. (4) Gateway: RPCs, Jito bundles, Triton (delivery infra, non-TVL-affecting). Yellow because Infinity aggregates the risk of every LST it holds — a failure in any one partner LST pool propagates into INF NAV proportionally.
RD-F-051 yellow Fallback behavior on oracle failure No external oracle to fail in the traditional sense. For LST pricing: if any individual LST's stake pool state is unreadable (e.g., program halted or account corrupted), the Router/Infinity cannot compute that LST's value and the relevant swap route becomes unavailable. There is no fallback pricing source — the protocol does not fall back to a secondary oracle or last-known price. The failure mode is a revert/unavailability for that specific LST route rather than a wrong-price execution. Structurally acceptable for a single-LST failure but the Infinity pool's multi-LST basket concentration amplifies the aggregate exposure.
RD-F-052 yellow Breakage analysis per dependency SPL Stake Pool program failure: wrong LST redemption rates across all SPL-based pools — affects pricing for all Sanctum products simultaneously. Single-LST pool failure: Infinity NAV impaired proportionally; Router routes for that LST fail; Unstake Reserve may not be able to honor instant-unstake for the affected LST. Multiple simultaneous LST failures: Unstake Reserve SOL liquidity faces bank-run pressure. Solana runtime failure: all operations halted. Gateway product failure: transaction delivery degrades but no TVL at risk.
RD-F-057 yellow Circuit breaker on price deviation No circuit breaker identified for LST rate deviation. Sanctum reads stake pool state as authoritative at transaction time; there is no cross-check against a reference price or deviation-triggered halt. If a stake pool's totalActiveStake / poolTokenSupply ratio is corrupted by a bug in the upstream SPL Stake Pool program, Sanctum would execute swaps at the corrupted rate. This is a structural characteristic of trusting on-chain state as the authoritative source — an accepted design tradeoff given the SPL Stake Pool program's audit history. No circuit-breaker logic visible in Infinity/Router design documentation.
RD-F-058 yellow Max-deviation threshold (bps) Not configured — no circuit breaker present for price deviation (see F057). No maximum deviation threshold in basis points is set because no deviation monitoring exists in Sanctum's pricing layer.
RD-F-059 yellow Oracle staleness check present Structural characteristic distinct from EVM oracle staleness. LST exchange rates update at each Solana epoch boundary (~2–3 days). Within an epoch the rate is static. There is no staleness window in the EVM 'updatedAt > now - X' sense; instead the rate is epoch-anchored and read live from on-chain state. Infinity V2 introduced continuous yield distribution per slot (reducing in-epoch staleness for yield accrual), but the underlying stake pool epoch mechanics remain. Yellow because the ~2–3 day epoch window creates a period where accumulated epoch yield is not yet reflected in the redemption rate — materially different from EVM heartbeat-based staleness but structurally present.
RD-F-054 n/a TWAP window duration Not applicable — no TWAP oracle used anywhere in Sanctum. Pricing derives from on-chain stake pool state, not DEX pools. No TWAP window to assess.
RD-F-055 n/a Oracle pool depth (USD) Not applicable — no DEX pool oracle used. Pricing source is stake pool program state, not a DEX liquidity pool. No pool depth to assess.
RD-F-056 n/a Single-pool oracle (no medianization) Not applicable — no pool-based oracle used. Pricing source is SPL Stake Pool program state (totalActiveStake / poolTokenSupply), not a DEX pool. The concept of single-pool vs medianization across venues does not apply.
RD-F-060 n/a Chainlink aggregator min/max bound misconfig Not applicable — no Chainlink feed used in any Sanctum product. Profile §7 explicit; data cache confirms oracle_feeds: [].
RD-F-061 n/a LP token balanceOf used for pricing Not applicable — pricing derives from SPL Stake Pool program's totalActiveStake / poolTokenSupply accounting, not balanceOf of an LP token. Solana native validator delegation state is not manipulable by direct token transfer. Direct SOL donation to a stake pool does not affect the totalActiveStake accounting variable.
RD-F-180 n/a Immutable oracle address CRITICAL-CANDIDATE FACTOR (T-12 PD-017) — NOT_APPLICABLE for Sanctum. Sanctum embeds no external oracle address in any of its programs. The pricing source is the SPL Stake Pool program state — the canonical Solana system program, not a third-party oracle with a specific address that could be 'immutable.' There is no Chainlink feed address, Pyth price account address, or DEX pool address hardcoded in Sanctum's programs. The USR/USD0++ exploit class (immutable oracle address, no admin-replaceable wrapper) is structurally inapplicable to Sanctum's architecture. F180 ★ evaluated as not_applicable for sanctum. No T-14 escalation needed.
RD-F-181 n/a Permissionless-pool lending oracle Not applicable. Sanctum does not operate a lending protocol. Infinity is an AMM, not a lending market. Router is a swap aggregator. Unstake Reserve is a liquidity pool for instant unstaking. No lending market, no collateral oracle, no permissionless pool creation for lending purposes exists in any Sanctum product. Data cache: borrow.present: false. Protocol type = LST, not lending.
RD-F-048 green Oracle providers used No external oracle providers used in any Sanctum core product. Router and Infinity price LSTs by reading on-chain stake-pool exchange rates (totalActiveStake / poolTokenSupply) from each LST's SPL Stake Pool program state. Infinity V2 (March 2026) added continuous yield distribution and dynamic fees but retained the same pricing architecture — no new oracle. Gateway is transaction delivery infrastructure with no pricing oracle. No Chainlink, Pyth, Switchboard, or DEX-TWAP feed found in any product.
RD-F-049 green Oracle role per asset No external oracle role for any asset. Each LST's SOL value derives from its own stake pool on-chain state as the sole primary source — no secondary or fallback needed as the value is intrinsic. INF token value is a composite of all pooled LST rates via the same mechanism. Profile §7: 'Prices determined by their intrinsic SOL valuations, which are read from the on-chain state of external liquid staking programs.'
RD-F-053 green Oracle source = spot DEX pool (no TWAP) CRITICAL FACTOR — GREEN by construction. Sanctum does not use any DEX spot price as an oracle. All pricing derives from on-chain SPL Stake Pool program state (totalActiveStake / poolTokenSupply per LST). Confirmed for: Router (cross-invokes stake pool deposit/withdraw; exchange rate = on-chain state); Infinity V1 and V2 (SOL Value Calculator reads stake pool state per LST); Unstake Reserve (fee-based, no price oracle); Gateway (transaction delivery, no pricing). Infinity V2 (March 2026) confirmed to use same pricing architecture — no external oracle introduced. Sanctum's official blog: 'Infinity doesn't rely on traditional AMM formulas or price oracles — instead, it directly reads SOL values from on-chain stake account states.' F053 ★: GREEN.
RD-F-062 green External keeper/relayer not redundant Sanctum's core products (Router, Infinity, Unstake Reserve) do not require an external keeper or relayer for pricing — all pricing reads are synchronous on-chain at transaction execution time. No off-chain rate-update relayer analogous to Jito's Wormhole rate updater exists. Gateway product routes through multiple providers (RPCs, Jito bundles, Triton, Paladin, Temporal) — multi-route redundant architecture for transaction delivery, not a single-keeper dependency for TVL-bearing operations. No single-operator keeper/relayer dependency identified.
Economic risk Yellow 25 13 of 13
RD-F-065 yellow Liquidity depth per major asset Sanctum's Infinity pool and Unstake Reserve (>200k SOL) provide primary LST/SOL swap liquidity on Solana. Instant-unstake fee is dynamic 0.01–3%. October 2025 BNSOL flash crash showed Infinity providing hundreds of thousands of SOL of liquidity without depletion — positive real-world depth datapoint. However, Reserve is replenished only at epoch cadence (~2 days); simultaneous large-scale stress withdrawals could transiently deplete it, forcing elevated fees (up to 3%) or epoch-delayed paths. No precise 2%/5% slippage depth figure obtainable for secondary INF markets (Solana-native; Dune 403). Yellow for epoch-level liquidity contingency risk.
RD-F-071 yellow Seed-deposit requirement for new market listing Adapted factor: applied to Infinity LST admission rather than lending-market listing. New LSTs admitted to Infinity pool require minimum 1,000 SOL AUM allocation to enter the 20% new-LST tranche. Underperforming LSTs are unstaked each epoch via automated rebalancing. The sanctum-lst-list repository (github.com/igneous-labs/sanctum-lst-list) is the canonical whitelist; Router and Unstake programs enforce it. Threshold is modest (1k SOL ~$140k) and protocol-internal rather than a hard on-chain seed-deposit guard enforced at listing transaction. Yellow because the admission threshold exists but is low relative to protocol scale and is not a cryptographically enforced seed deposit.
RD-F-072 yellow Market-listing governance threshold Adapted factor: applied to Infinity LST whitelist governance. LST program changes require majority vote from 11-member multisig (Jito, Jupiter, Laine, Mango, MRGN, Solblaze, SolanaFM, Sanctum, plus others). CLOUD token holders can participate in futarchy-based governance (vote.sanctum.so) on important decisions including LST selection. However, CLOUD governance for LST admission is nascent and not confirmed as a hard on-chain requirement; team/multisig retains operational approval authority. Yellow because governance sits between low-threshold (team multisig) and full-DAO (CLOUD futarchy) — the transition is in progress.
RD-F-064 gray TVL concentration (top-10 wallet share) On-chain enumeration of top INF or Sanctum-LST holders not accessible via WebFetch (Dune Analytics 403; no Solana subgraph via standard tooling). Institutional partner LSTs (BNSOL, bbSOL) introduce known sub-pool concentration but relative share of aggregate TVL not quantifiable. CLOUD token holder distribution (81,873 wallets) provides partial distribution signal but is governance token not TVS token. Top-10 TVS share not computable within time budget.
RD-F-066 n/a Utilization rate (lending protocols) Sanctum is not a lending protocol. No borrow/supply markets. Data cache confirms borrow.present: false. Utilization rate concept does not apply to LST AMM/liquidity layer.
RD-F-067 n/a Historical bad-debt events No lending markets, no concept of bad debt at the stake pool layer. Socialized loss would require Solana validator slashing; Solana mainnet has no slashing mechanism. No incidents in data cache (hacks: [], rekt.incidents: []).
RD-F-068 n/a Collateralization under stress Stake pool is 1:1 SOL-backed by design. INF token value equals sum of underlying LST values at current stake-pool exchange rates. No leverage or partial-collateral design. Redemption at pro-rata SOL stake value (epoch-delayed path) or Reserve-price (instant path). Collateralization-under-stress simulation concept does not apply.
RD-F-069 n/a Algorithmic / under-collateralized stablecoin INF is a yield-bearing LST receipt token, not a stablecoin. It does not target a fixed USD or SOL peg; its value accretes as staking yields and trading fees accumulate. CLOUD governance token is also not a stablecoin. Terra/Luna-class algorithmic failure mode does not apply.
RD-F-070 n/a Empty cToken-style market (zero supply/borrow) Not a Compound V2 fork. No cToken-style markets, no per-market minting, no permissionless market-listing mechanism. Infinity uses SPL stake pool accounting (total_stake / token_supply = exchange_rate). Donation attack precondition (empty cToken market with zero supply) cannot arise in this architecture. N/A per orchestrator scope instructions and taxonomy PD-024 Compound-fork-only bucket.
RD-F-073 n/a Oracle-manipulation-proof borrow cap No borrow markets. Sanctum uses no external price oracle for core operations; LST pricing derives from on-chain stake-pool exchange rates, not manipulable DEX spot prices. Borrow-cap / oracle-manipulation concept does not apply.
RD-F-074 n/a ERC-4626 virtual-share offset (OZ ≥4.9) Sanctum is non-EVM (Solana Rust/Anchor BPF programs). No ERC-4626 contracts exist. INF share accounting is SPL stake pool program, not OpenZeppelin-based. ERC-4626 virtual-share offset pattern is not applicable to this architecture.
RD-F-075 n/a First-depositor / share-inflation guard SPL stake pool does not use ERC-4626-style share minting where first-depositor can inflate share price via donation. Pool accounting is total_stake / token_supply = exchange_rate managed by SPL program stake authority. The donation attack vector (sending tokens directly to vault to inflate exchange rate) does not exist in SPL stake pool design. OtterSec audited the SPL Stake Pool program on 2023-01-20 specifically for this vulnerability class.
RD-F-063 green TVL (current + 30d trend) TVL $1.37B as of 2026-05-04, 100% Solana, 100% staked SOL. Positive 30d trend: +10.82% per data cache, approximately +16.5% per fresh DefiLlama API read. TVL is genuine staked SOL with no circular-dependency inflation. Protocol recovering from $3.38B August 2024 peak; current trajectory is upward.
Operational history Green 11 15 of 15
RD-F-089 red Insurance coverage active No active insurance coverage found for Sanctum on Nexus Mutual, Sherlock, Unslashed, or equivalent providers. Web search 'Nexus Mutual Sherlock insurance coverage Sanctum INF SOL staking 2024 2025' returned no confirming results. At $1.37B current TVL, the green threshold (>=5% coverage = $68.5M minimum) is structurally infeasible for Solana-native protocols under current insurance provider capacity. This is the expected default for large Solana LST protocols (comparable finding to Jito). Red = no active coverage. The structural gap is noted as a protocol-type limitation, not a specific Sanctum failure.
RD-F-081 gray Post-exploit response score No prior smart-contract exploits; no response to score. Gray = N/A per methodology (no prior incidents). No operational incidents involving on-chain fund loss have occurred in Sanctum's 34-month operational history. The Infinity V1 to V2 upgrade (March 2026) and CLOUD token launch (July 2024) completed without reported security incidents requiring a response.
RD-F-082 gray Post-mortem published within 30 days No prior smart-contract exploits; no post-mortem obligation has arisen. Gray = N/A per methodology (no prior incidents). Sanctum has no published incident post-mortem documents because no exploitable events requiring them have occurred over the protocol's 34-month operational history.
RD-F-083 gray Auditor re-engaged after last exploit No prior smart-contract exploits; no post-exploit re-audit obligation. Gray = N/A per methodology (no prior exploits). Sanctum proactively engaged OtterSec, Neodyme, and Sec3 for pre-launch Infinity audits (February 2024) but these are pre-deployment security reviews, not post-exploit remediation audits.
RD-F-085 gray Incident response time (minutes) No prior smart-contract exploits; no incident response time to measure. Gray = N/A per methodology (no prior incidents). Infinity V2 upgrade (March 2026) and CLOUD TGE (July 2024) are operational milestones, not security incidents requiring first-response timing measurement.
RD-F-086 gray Pause activations (trailing 12 months) Sanctum is a Solana BPF program suite (Unstake Program, Router, Infinity/S Program). No EVM-style Paused/Unpaused event mechanism exists. Solana upgradeable programs can be authority-frozen at the runtime level but this is not equivalent to a Pausable pattern. No on-chain program freeze events identified in the trailing 12 months from Solscan or public sources. Gray = no on-chain pause mechanism applicable to this Solana protocol type (methodology: 'gray = protocol has no pause mechanism').
RD-F-087 gray Pause > 7 consecutive days No on-chain pause mechanism applicable (same reasoning as RD-F-086). Solana BPF program architecture does not implement EVM-style consecutive pause duration tracking. No program freeze event of any duration identified in the last 12 months. Gray = no pause events in last 12 months (methodology gray condition).
RD-F-076 green Protocol age (days) Sanctum mainnet launched July 2022 (unstake.it). Age at 2026-05-07 = approximately 1,406 days (~46 months). Exceeds 365-day green threshold by nearly 4x. Infinity product launched Q1 2024, also exceeding 365 days independently. Current DefiLlama TVL $1.47B (2026-05-07); all-time peak $1.47B on 2025-01-08 — Solana LST infrastructure layer with sustained nine-figure TVL across multiple market cycles.
RD-F-077 green Prior exploit count 0 confirmed prior smart-contract exploits. Hacksdatabase grep across all files for 'sanctum', 'Sanctum', 'CLOUD', 'infinity', 'Infinity', 'jitoSOL', 'mSOL' returned 0 matching Sanctum incident files. DefiLlama data cache sources.rekt.incidents: [], sources.defillama.hacks: []. Sanctum legacy docs security page states: 'multiple security firms have audited the stake pool program nine times to ensure total safety of funds, controlled 4B+ dollars of value over more than two years, with no exploits found.' Web search for 'Sanctum sanctum.so exploit hack security incident 2022 2023 2024 2025' returned no exploit articles. mSOL appeared as an asset in the Mango Markets 2022 exploit (adversarial-venue-use — Sanctum was not the victim protocol).
RD-F-078 green Chronic-exploit flag (≥3 incidents) Incident count from F077 = 0. Chronic-exploit flag (>=3 distinct incidents) does not fire. Green threshold condition (<3 incidents) satisfied. CHRONIC badge does not apply.
RD-F-079 green Same-root-cause repeat exploit Incident count from F077 = 0. Same-root-cause repeat exploit requires >=2 incidents with matching root-cause cluster tags. With 0 incidents no repeat pattern can exist. Green = no repeat root cause.
RD-F-080 green Days since last exploit No prior exploits. The 'no incidents' green condition is satisfied (green = >365 days or no incidents). Days-since-last-exploit is undefined — there is no incident timestamp to measure from. Sanctum has been continuously operational since July 2022 with 0 confirmed exploit events.
RD-F-084 green TVL stability (CoV over 90d) 90-day daily TVL series from DefiLlama API (2026-05-04 fetch). Over approximately Feb 4 – May 4, 2026: range $1.10B (tariff-shock trough, early April) to $1.53B (late-March local peak). Mean approximately $1,320M. Estimated standard deviation approximately $85M (most values cluster $1.20B–$1.45B; brief $1.10B excursion was 2-3 day outlier). Estimated CoV ~0.06–0.07 — well below the 0.15 green threshold. TVL volatility is SOL-price-correlated (Solana-wide market factor), not protocol-specific instability. 30-day change per data cache: +10.82% — stable recovery trajectory. Medium confidence estimate (granular σ not precisely computed).
RD-F-088 green Re-deployed to new addresses in last year No full redeployment of core Sanctum programs to new addresses in trailing 12 months (May 2025 – May 2026). Unstake Program address unpXTU2Ndrc7WWNyEhQWe4udTzSibLPi25SXv2xbCHQ: unchanged, feature-frozen per last commit 2024-11-20. Infinity Program 5ocnV1qiCgaQR8Jb8xWnVbApfaygJ8tNoZfgPwsgx9kx: Infinity V2 (March 2026) was an in-place BPF upgradeable program upgrade via Sanctum Multisig — no new address deployed. Router Program stkitrT1Uoy18Dk1fTrgPw8W6MVzoCfYoAFT4MLsmhq: no evidence of address change. Green = no full redeployment with incomplete migration in last 12 months.
RD-F-166 green Deprecated contracts still holding value No Sanctum-announced deprecated contract holds >$100K in stranded user assets. The has_legacy_v1: true flag in profile meta refers to the unstake.it predecessor product rebranding (July 2022), not a separately-deployed idle contract. The Unstake Program is feature-frozen (last commit 2024-11-20) but still actively serving traffic and holding the SOL Reserve pool — it is not a deprecated program per any official announcement. Infinity V2 (March 2026) was an in-place BPF upgrade at the same program address; no separate V1 contract address was retired and left holding value. No EVM deprecated router with stale ERC-20 allowances applies (Solana is the sole chain). CHANGELOG.md documents v1.0.0/v2.0.0 as implementation versions of the same deployed program, not separate on-chain addresses.
Real-time signals Green 10 22 of 22
RD-F-105 yellow DNS/CDN/frontend hash drift T-09 v1 phase 2 signal (Tier A — instant grade flip on unscheduled drift). CONFIRMED HISTORICAL EVENT: July 30, 2024, Sanctum lost control of the unstake.it legacy domain to an unknown entity. The domain was being used for scamming/phishing purposes. Team warned users, began blacklisting process within ~1 hour. No confirmed user fund losses reported. The event constitutes a direct RD-F-105 trigger (domain control loss = frontend DNS compromise). Current primary domain sanctum.so: no active compromise detected as of 2026-05-04. Legacy domain unstake.it remains a persistent risk surface for users who recall the prior brand name. Yellow score reflects confirmed historical fire + residual legacy domain risk; current primary domain appears clean.
RD-F-109 yellow Social-media impersonation scam spike Sanctum is a high-recognition Solana DeFi brand ($1.37B TVL, top-10 by TVL on Solana). Two confirmed malicious impersonator domains active: sanctumsol.com (registered 2024-05-27, trust score 0, flagged as malware by Gridinsoft and DNSFilter) and sanctums.network (registered 2024-05-29, trust score 0, flagged suspicious by IPQS, explicitly claims LST trading on Solana). Historical: July 2024 unstake.it domain loss used for phishing. Brand impersonation is a persistent elevated threat for this protocol. v1 deferred signal.
RD-F-182 yellow Security-Council threshold reduction (RT) Batch-24 Cat 6B addition. T-09 v1.1 candidate (not yet production-live; pending FP-rate review). Highly relevant to Sanctum's architecture: Drift Protocol (April 2026, Solana, DPRK-attributed, $285M) was preceded by a 3/5→2/5 Security Council threshold reduction + timelock removal, then exploited 6 days later via durable-nonce pre-signed transactions. Sanctum uses Squads multisig for program upgrades (6-of-10 CLOUD supply; 11-member LST upgrade). Same Squads infrastructure; same durable-nonce attack class now confirmed active in Solana DeFi ecosystem. No confirmed threshold reduction on Sanctum's multisigs as of 2026-05-04. Multisig addresses not publicly resolved, preventing on-chain event monitoring. 11-member LST multisig with external reputable signers (Jito, Jupiter, Solblaze) provides stronger social-engineering resistance than Drift's 2-of-5 setup, but the attack class remains relevant.
RD-F-090 gray Mixer withdrawal → protocol interaction T-09 Tier C advisory-only signal. Sanctum is Solana-native; Tornado Cash (EVM-only) is architecturally inapplicable. No confirmed mixer-to-Sanctum interaction found in public sources. Drift hack (April 2026, DPRK-attributed, $285M) used Jupiter aggregator for Solana swaps; Sanctum/Infinity not named in Elliptic or TRM laundering-route analysis. On-chain cluster analysis (Chainalysis/Nansen Solana) required for definitive assessment — not available at OSINT tier.
RD-F-092 gray Unusual mempool pattern from deployer wallet Solana program upgrade authority is a Squads multisig, not an EOA deployer wallet. Individual deployer EOA patterns are not monitorable through standard Solana mempool tooling at OSINT tier. Upgrade authority multisig addresses not publicly resolved per profile §3 gap flag. v1 deferred signal.
RD-F-093 n/a Abnormal gas-price willingness from attacker wallet Solana uses priority fees (compute units), not EVM-style gas. The signal definition (5x gas vs EMA baseline) is EVM-specific and does not translate to Solana's fee model. v1 deferred signal.
RD-F-096 n/a New ERC-20 approval to unverified contract from whale Sanctum is Solana-native; ERC-20 token approvals do not exist on Solana. Solana uses SPL token program delegate authorities — architecturally different from ERC-20 approval mechanism. Signal as defined is EVM-specific. v1 deferred signal.
RD-F-099 n/a Oracle price deviation >X% from secondary T-09 v1 phase 2 signal. Sanctum does not use external oracle feeds (Chainlink/Pyth) in core operations. LST pricing derives from on-chain SPL stake-pool exchange rates (total active stake / token supply) read directly from on-chain state of each stake pool — no external oracle feed. Oracle-deviation signal requires a primary oracle feed vs secondary feed comparison, which is not applicable by construction. Profile §7 confirms: F053 pre-mark GREEN; F180 pre-mark N/A. BNSOL depeg (Oct 2025) handled by Infinity's AMM mechanics, not an oracle-dependent check.
RD-F-100 n/a Flash loan >$10M targeting protocol tokens T-09 v1 phase 2 signal. Solana does not have EVM-style atomic flash loan primitives. Sanctum's pricing derives from SPL stake-pool exchange rates that update per epoch (not intra-transaction), making it structurally immune to flash-loan price manipulation. No flash-loan attack surface identified for Sanctum's core contracts.
RD-F-101 gray Large governance proposal queued T-09 v1 launch signal (Tier B). No on-chain governor contract (Realms DAO / OZ Governor) confirmed for Sanctum. Governance is forum-based (research.sanctum.so) with Squads multisig admin control. Signal cannot fire in its standard form without an on-chain governor contract to poll for ProposalCreated/ProposalQueued events. CLOUD market cap ($10.65M) vs TVL ($1.37B) ratio of ~0.78% creates theoretical governance dilution risk if token votes were ever used, but current governance is multisig-based. No malicious-pattern proposals identified in research.sanctum.so forum.
RD-F-103 n/a Bridge signer-set change proposed/executed T-09 v1 launch signal. Sanctum has no canonical bridge. Profile meta: has_bridge_surface: false; is_a_bridge: false; cross_chain: false; layerzero.present: false. Bridge signer-set change signal is not applicable.
RD-F-104 n/a Stablecoin depeg >2% on shared-LP venue T-09 v1 launch signal (Tier B). Sanctum's core products hold SOL-denominated LSTs (jitoSOL, mSOL, bSOL, jupSOL, BNSOL, bbSOL), not stablecoins. Infinity pool basket is 100% LST/SOL-denominated; no USDC/USDT pool in Sanctum's direct custody. Stablecoin depeg does not trigger an RD-F-104 event for Sanctum's core holdings. Secondary downstream effect (reduced DeFi collateral demand) exists but does not meet the signal threshold (protocol exposure ≥5% of TVL to the depegged stable).
RD-F-106 n/a Cross-chain bridge unverified mint pattern Sanctum has no cross-chain bridge surface. Profile meta: has_bridge_surface: false; cross_chain: false. Cross-chain bridge tx pattern signal is not applicable. v1 deferred signal.
RD-F-107 gray Admin EOA signing from new geography/device Sanctum uses Squads multisig for admin actions, not EOA signing. Multi-sig signers include geographically distributed external parties (Robert/Neodyme, Stepan/Squads, Soju/Jupiter), providing geographic diversity by construction. Off-chain signing telemetry not available without MPC/session-key provider cooperation. v1 deferred signal.
RD-F-110 gray Unusual pending/executed proposal ratio No on-chain governor contract confirmed for Sanctum. CLOUD governance is forum-based (research.sanctum.so) with no Realms DAO or Snapshot space. Proposal ratio signal requires on-chain governor event data unavailable without an on-chain governor contract. Forum discussion activity appears normal. v1 deferred signal.
RD-F-091 green Partial-drain test transactions No partial-drain test-transaction patterns identified in public sources targeting Sanctum programs. No hacksdatabase entries for Sanctum (hacksdatabase grep: zero matches for sanctum/Sanctum/CLOUD/Infinity as protocol incidents). Infinity October 2025 BNSOL depeg event was a market event, not an attacker-driven partial drain. v1 deferred signal.
RD-F-094 green New contract with similar bytecode to exploit template No exploit-template contracts targeting Sanctum's SPL stake-pool mechanics or Infinity multi-LST AMM found in public security research. Hacksdatabase grep returns zero Sanctum-specific entries; Rekt leaderboard has no Sanctum entries; DefiLlama protocol page records no incidents in 34-month operating history. The signal does not fire — no exploit-template precedent class exists for Sanctum's architecture.
RD-F-095 green Known-exploit function-selector replay No known-exploit replay patterns targeting Sanctum programs found. No prior Sanctum exploit events exist from which to derive a selector/calldata replay template. Hacksdatabase + Rekt + DefiLlama all return zero direct entries for Sanctum across 34 months of operation.
RD-F-097 green Sybil surge of identical-pattern transactions No sybil surge patterns targeting Sanctum programs identified in public sources. No Sanctum security team alerts about unusual transaction pattern bursts. Hacksdatabase grep + Rekt leaderboard + DefiLlama all confirm no exploit-class events from which sybil-surge signal templates would be derived. Signal does not fire today.
RD-F-098 green TVL anomaly — % drop in <1h T-09 v1 launch signal (Tier A). Current TVL $1.37B; 30-day change +10.82% as of 2026-05-04 per DefiLlama. No TVL anomaly detected. BNSOL depeg stress (October 2025) did not drain Sanctum TVL — Infinity functioned as liquidity provider earning elevated fees during the event. No prior TVL drain events in hacksdatabase or rekt records. Threshold: TVL_now / TVL_baseline_30d < 0.70 within 60 min — not triggered.
RD-F-102 green Admin/upgrade transaction in mempool T-09 v1 phase 2 signal (Tier B). Infinity program (5ocnV1qiCgaQR8Jb8xWnVbApfaygJ8tNoZfgPwsgx9kx) is BPF upgradeable with Sanctum Multisig as upgrade authority. Last known upgrade: Infinity V2 launch March 2026. No anomalous admin/upgrade transactions detected as of 2026-05-04. Solana mempool observability is lower than EVM. Post-Drift, the durable-nonce admin-tx attack class is confirmed for Solana Squads-governed protocols — this signal's applicability to Sanctum's Squads governance is elevated.
RD-F-108 green GitHub force-push to sensitive branch No GitHub security advisories or force-push alerts identified for igneous-labs repos. Primary repos: sanctum-unstake-program (last commit 2024-11-20), inf-1.5 (Infinity V2 rework). Infinity V2 launched March 2026 — preceding development activity appears normal. No unauthorized branch modifications detected via public GitHub OSINT. v1 deferred signal.
Dev identity & insider risk Green 3 16 of 16
RD-F-123 yellow Sudden admin-rescue/ACL change without discussion Sanctum's upgrade authority for core programs is described as a Squads multisig (4-of-7 for CLOUD supply layer; 11-member for LST programs per profile §6). Infinity V2 launch (March 2026) was publicly announced with prior blog announcements and active governance forum at research.sanctum.so. No affirmative incident of sudden unilateral on-chain upgrade authority change without community discussion identified. However, specific on-chain Squads multisig addresses for core program upgrade authority (Unstake, Router, Infinity) are NOT_RESOLVED per profile — governance-admin-analyst gap. Without confirming that the upgrade authority is definitively the named multisig and not a residual EOA, green cannot be assigned. Yellow from enumeration gap, not affirmative red signal.
RD-F-117 n/a ENS/NameStone identity bound to deployer ENS binding is Ethereum-specific and not applicable to Solana-native protocols. Sanctum operates on Solana exclusively; the closest equivalent (Solana Name Service / .sol domains) is not part of the F117 measurement. Structural N/A by non-EVM substrate.
RD-F-122 n/a Contributor paid to DPRK-cluster wallet Cannot be meaningfully assessed at OSINT tier. Off-chain payroll for Igneous Labs (Singapore entity) is not publicly traceable. Web search for 'Sanctum Solana DPRK Lazarus North Korea' returned no Sanctum-specific results. A broader Google/Decrypt article documented DPRK IT workers infiltrating European Solana-based projects but did not mention Sanctum. No on-chain contributor payment paths are publicly enumerable without paid Chainalysis/TRM feed. Flagged not_assessed per methodology; no red signal identified.
RD-F-184 gray Real-capital social-engineering persona No curator-flagged social-engineering persona identified for Sanctum. The Drift Protocol April 2026 exploit (UNC4736/DPRK) used real capital to build Solana-ecosystem credibility but targeted Drift, not Sanctum — no Sanctum connection found. Data-cache hacks: []. Profile §11 raises no social-engineering flag for Sanctum. F184 is curator-flagged M-only P1; no active curator flag has been set. Cannot affirmatively rule out via OSINT alone but no signal present. Gray per leave-no-trace pattern guidance.
RD-F-111 green Team doxx status FP Lee is consistent-pseudonym-with-track-record: on-camera multiple years (YouTube 2022-2026), Solana Foundation stake-pool collaboration, AppWorks investment blog photo-attributed, X @soleconomist, Breakpoint 2025 and Accelerate speakers. Jesse Cho is real-name doxxed via LinkedIn (prior roles at Bluebox and CapedBoys confirmed). Jaye Tan named publicly as co-founder with NUS LLB background. Primary coder billythedummy (Han Yang) has 11-year GitHub tenure with UW robotics affiliation.
RD-F-112 green Team public accountability surface FP Lee: X (@soleconomist active), 5+ YouTube podcast/conference appearances (2022-2026), Solana Foundation collaboration, AppWorks blog, Solana Breakpoint 2025 speaker, Solana Accelerate speaker, RootData profile, Solana Compass podcast. Jesse Cho: LinkedIn, SoSoValue, Tracxn with prior company roles. Primary coder billythedummy: 11-year GitHub with UW robotics affiliation and 197 contributions. FP Lee scores 4/5 OSINT depth; core team meets ≥2 verifiable trails threshold.
RD-F-113 green Team other-protocol involvement history FP Lee: prior co-founder/CEO of Socean Stake Pool (launched Aug 2021, second SPL stake pool on Solana; no adverse security events; rebranded under Sanctum umbrella). Solana Foundation grant recipient 2021 — FP Lee played a crucial role in the design of the Solana Foundation's SPL stake-pool program. Jesse Cho: prior head of software at Bluebox Labs; co-founder & CEO of CapedBoys; embedded systems / Rust expertise; no adverse history. Jaye Tan: no adverse protocol involvement found. No team member linked to rugged protocol. Data-cache rekt.incidents: []; hacksdatabase: no match. Founder roles cross-confirmed across independent podcasts and crypto-research articles.
RD-F-114 green Deployer address prior on-chain history Solana-native protocol; programs deployed via Igneous Labs operational keypairs, not persistent pseudonymous EOAs. Data-cache deployer.address: null (non-EVM substrate gap; expected). Unstake program unpXTU2Ndrc7WWNyEhQWe4udTzSibLPi25SXv2xbCHQ and Router stkitrT1Uoy18Dk1fTrgPw8W6MVzoCfYoAFT4MLsmhq confirmed Solana BPF programs under igneous-labs GitHub org. No rug-deployer history found for any Igneous Labs operational address. Upgrade authority held by named Squads multisig (governance-admin-analyst to confirm on-chain).
RD-F-115 green Prior rug/exit-scam affiliation No rug or exit-scam affiliation found for FP Lee, Jesse Cho, or Jaye Tan. Web search for 'Igneous Labs rug exit scam' returned no relevant hits. Socean Stake Pool (FP Lee predecessor) had no adverse security events. Data-cache rekt.incidents: []; data-cache hacks: []. No REKT or hacksdatabase entry for Sanctum. Zero affirmative adverse findings.
RD-F-116 green Contributor tenure at admin-permissioned PR Top 3 contributors to sanctum-unstake-program: billythedummy (Han Yang, 197 contributions, GitHub created 2015-05-28 — 11-year tenure); f8122dac91 (0xF812, 155 contributions, @igneous-labs org member — tenure not confirmed from API but org membership implies established relationship); Johnnycus (Albert Itayev, 87 contributions, GitHub created 2013-10-29 — 12.5-year tenure). All confirmed contributors exceed 180-day green threshold by substantial margin.
RD-F-118 green Handle reuse across failed/rugged projects FP Lee (@soleconomist on X): consistent handle across Sanctum/unstake.it/Socean lineage since 2021; no prior rugged-project association under different alias. Jesse Cho: LinkedIn identity consistent with Bluebox/CapedBoys/Sanctum timeline. billythedummy: GitHub handle consistent with UW robotics affiliation since 2015; no failed protocol association found. No handle reuse across rugged projects for any named team member or top contributor.
RD-F-119 green Commit timezone consistent with stated geography Igneous Labs is a Singapore entity. Primary contributor billythedummy bio references @uw-advanced-robotics (US university), indicating multi-timezone team. No commit-timezone anomaly analysis performed programmatically. No DPRK timezone/commit pattern reported in any security research on Sanctum. Singapore (UTC+8) and US West Coast (UTC-8) are plausible timezones for the team composition. FP Lee appears on US-friendly podcast times. No adverse signal.
RD-F-120 green Video-off/voice-consistency flag FP Lee has extensive on-camera presence: YouTube 'Sanctum Founder: Solana's Liquid Staking Future' (RtW8TS0g33U); 'The Infinite-LST Future w/ FP Lee' (BEguFy-uN70); 'Episode 14: LST Innovation with Sanctum's FP Lee' (RBZVJOi-1uw); 'The Future of Staking on Solana w/ FP Lee' (7NN-IWjiS1g); Solana Breakpoint 2025 conference speaker (in-person). Consistent identity across years of on-camera appearances is a strong counter-signal for DPRK implant. Jesse Cho: no confirmed on-camera appearances found but LinkedIn-doxxed.
RD-F-121 green Contributor OSINT depth score FP Lee: X active, 5+ YouTube podcast/conference videos, Solana Foundation collaboration, AppWorks blog, RootData, Solana Compass, Breakpoint 2025 + Accelerate speaker. Score 4/5. Jesse Cho: LinkedIn, SoSoValue, Tracxn, prior employers. Score 3/5. Jaye Tan: Tracxn listing and search results only. Score 2/5. Primary coder billythedummy: GitHub 11-year tenure, 197 contributions, UW robotics bio. Average for founders ~3/5. FP Lee exceeds green threshold at 4/5.
RD-F-124 green Deployer wallet mixer-funded within 30 days Solana-native protocol; no EVM deployer EOA with 30-day pre-fund chain applies. Programs deployed from Igneous Labs operational keypairs (Unstake: July 2022; Infinity: Q1 2024). No OFAC-sanctioned Solana mixer existed in those deployment windows. Data-cache deployer.funded_by: null (non-EVM substrate; expected gap). No mixer-funding signal identified for any privileged Igneous Labs wallet. Upgrade authority held by named Squads multisig — institutional control, not EOA.
RD-F-125 green Deployer linked within 3 hops to DPRK/Lazarus No DPRK or Lazarus cluster proximity identified. Web search 'Sanctum Solana DPRK Lazarus North Korea' returned zero Sanctum-specific hits. FP Lee has multi-year on-camera identity with Solana Foundation roots. Jesse Cho has documented prior employment (Bluebox, CapedBoys). billythedummy has 11-year GitHub with US university affiliation (inconsistent with DPRK fresh-identity implant). External multisig signers Stepan Simkin (Squads co-founder) and Robert (Neodyme) are well-documented Solana ecosystem figures. Drift Protocol April 2026 DPRK exploit (UNC4736) confirmed as separate protocol; no Sanctum connection. No OFAC SDN hit for any named individual. No DPRK escalation.
Fork / dependency lineage Green 11 10 of 10
RD-F-133 yellow Dependency manifest uses unpinned versions igneous-labs/S Cargo.toml uses >=1 range specifiers for solana-program, solana-sdk, spl-token, spl-stake-pool with a code comment stating 'lock to 1.17.6 for deploy' — relying on Cargo.lock discipline rather than manifest pinning. Cargo.lock resolves solana-program 1.14.20 and anchor-lang 0.28.0. Unstake-program pins Rust toolchain to 1.70.0. This flexible-manifest, lockfile-discipline approach is yellow (not best practice but mitigated by lockfile).
RD-F-126 n/a Is-a-fork-of Sanctum is not a fork. Profile §5 explicitly states all programs are original implementations by Igneous Labs. No upstream declared in any repo README. SPL Stake Pool is a dependency (cross-invoked), not a code fork.
RD-F-127 n/a Upstream patch not merged Not applicable — Sanctum is not a fork. No upstream security patch channel exists to monitor.
RD-F-128 n/a Upstream vulnerability disclosure (last 90d) Not applicable — Sanctum is not a fork. The SPL Stake Pool dependency has no active vulnerability disclosure in the last 90 days from anza-xyz/security-audits.
RD-F-129 n/a Code divergence from upstream (%) Not applicable — no upstream to measure divergence from; Sanctum is an original codebase.
RD-F-130 n/a Fork depth (generations from original audit) Not applicable — not a fork; fork depth metric is meaningless for original code.
RD-F-131 n/a Fork retains upstream audit coverage Not applicable — not a fork. No upstream audit coverage to retain.
RD-F-132 n/a Fork has different economic parameters than upstream Not applicable — not a fork. No upstream parameters to diverge from.
RD-F-134 green Dependency had malicious-release incident (last 90d) No malicious-release advisory affecting Sanctum's Rust dependencies (anchor-lang, solana-sdk, spl-token, spl-stake-pool) identified from GHSA or crates.io in the trailing 90 days. The September 2025 malicious Rust crates incident was general ecosystem noise not specific to Sanctum's dependency set.
RD-F-135 green Shared-library version with known-vuln status anchor-lang 0.28.0, solana-program 1.14.20/1.17.6: no active high/critical CVE or GHSA advisory identified. SPL Token canonical programs maintained by Solana Foundation with no active advisory. No known-vuln on any identified shared library.
Post-deploy hygiene & change mgmt Yellow 26 13 of 13
RD-F-139 red Post-audit code changes without re-audit Three audits (OtterSec, Neodyme INV-24-01, Sec3) all dated ~February 2024 cover the original Infinity/S V1 program. The inf-1.5 repository (Reworked INF, aka S) has 348 commits and was tagged Controller Program V2 on March 12 2026 — a material rewrite deployed as Infinity V2. The sanctum-static/audits directory contains only the three V1 PDFs. No V2 audit PDF found via GitHub directory check or web search. With $1.37B TVL in Infinity, a material post-audit code deployment without confirmed re-audit coverage is a critical finding. RD-F-136 yellow Deployed bytecode matches signed release tag Solana programs support solana-verify for bytecode-to-source matching. The sanctum-unstake-program README references mainnet commit 11aac05b22794e6c2c3366dbb7141f4c61845c24. For inf-1.5, Controller Program V2 was tagged March 12 2026. Whether a public solana-verify check output exists for each deployed release is not confirmed in available evidence. Positive infrastructure exists (toolchain pinning, tagged releases) but public verification confirmation is absent. RD-F-137 yellow Upgrade frequency (per 90 days) Active development cadence. Infinity V2 (Controller Program V2) deployed March 2026 as a material upgrade. Ironforge acquisition July 2025 added new transaction infrastructure programs. Unstake-program last commit November 2024 (data cache). Estimated 1-3 significant program upgrades in the trailing 90 days. Not in the red range (>=6) but higher than zero. RD-F-142 yellow Storage-layout collision risk across upgrades Solana BPFLoaderUpgradeable replaces entire program bytecode; data accounts are separately managed via Anchor discriminators. EVM-style storage slot collision does not apply. The primary risk is data migration when account schemas change across upgrades — relevant for the V1-to-V2 Infinity migration. Not fully assessable from public evidence. Yellow (low confidence, potential risk but not confirmed). 
RD-F-145 yellow Deployed bytecode reproducibility Sanctum supports solana-verify reproducible builds. The unstake-program toolchain is pinned (solana 1.17.6 / ellipsislabs/solana Docker image). inf-1.5 has a tagged release. However, no explicit public solana-verify check output confirming the inf-1.5 V2 deployed bytecode matches the tagged release was found in public evidence.
RD-F-143 n/a Reinitializable implementation (no _disableInitializers) Sanctum programs are Solana BPF/Anchor programs, not EVM proxy contracts. The _disableInitializers() OpenZeppelin pattern does not apply. Anchor's #[account(init)] constraint prevents double-initialization of data accounts. The EVM proxy re-initialization attack vector does not exist on Solana.
RD-F-144 n/a CREATE2 factory permits same-address redeploy Sanctum uses Solana BPFLoaderUpgradeable, not CREATE2. Program IDs are stable on Solana; the upgrade authority controls bytecode at the same program ID. Same-address redeployment with different bytecode is not the attack vector on Solana.
RD-F-168 n/a Stale-approval exposure on deprecated router Not applicable. Solana uses a token account ownership model, not ERC-20 approval-based access. Users do not grant allowances to deprecated Sanctum programs. Stake accounts are held by the SPL stake pool program directly. The domain loss of unstake.it (July 2024) affected the frontend but not any on-chain token approvals.
RD-F-185 n/a Bridge rate-limiter / chain-pause as positive mitigant Sanctum has no canonical bridge component (has_bridge_surface: false per data cache; cross_chain: false). Cat 10 is N/A for this protocol. There is no bridge over which a rate-limiter would provide a mitigant. Factor is N/A by design — applies only to bridge-touching protocols.
RD-F-138 green Hot-patch deploys without timelock (last 30 days) No confirmed hot-patches in the last 30 days (from assessment date 2026-05-04). Infinity V2 was deployed in March 2026 (outside the 30-day window). No emergency deployment incidents found in public sources. Ironforge integration was planned, not emergency. 0 hot-patches confirmed within 30d.
RD-F-140 green Fix-merged-but-not-deployed gap No documented case of a known vulnerability with a merged fix awaiting deployment. The inf-1.5 development culminated in a tagged release (Controller Program V2, March 2026). No open security PRs or fix-merged-but-not-deployed gaps identified in public GitHub evidence.
RD-F-141 green Test-mode parameters in deploy No evidence of test-mode parameters in production. Sanctum Infinity has been live with material TVL for over 2 years (since Q1 2024). Three 2024 audits would have flagged test-mode parameters. No evidence of test oracle, infinite allowances, or deployer-as-admin in production.
RD-F-146 green New contract deploys in last 30 days No specific new contract deploys in the 30 days immediately before assessment date (May 4, 2026) confirmed from public sources. Infinity V2 was deployed in March 2026 (outside the 30-day window). Last Ironforge-related infrastructure integration was July 2025. Data cache shows unstake-program last commit November 2024. 0-2 new deploys in last 30d — within green threshold.
Cross-chain & bridge Gray 0 12 of 12
RD-F-147 n/a Protocol has bridge surface Sanctum is a Solana-only LST liquidity layer; no bridge contracts operated. Cat 10 N/A by construction per profiler determination. Profile §7: has_bridge_surface: false, is_a_bridge: false, cross_chain: false. Data cache: layerzero.present: false.
RD-F-148 n/a Bridge validator count (M) Sanctum is a Solana-only LST liquidity layer; no bridge contracts operated. Cat 10 N/A by construction per profiler determination.
RD-F-149 n/a Bridge validator threshold (k-of-M) Sanctum is a Solana-only LST liquidity layer; no bridge contracts operated. Cat 10 N/A by construction per profiler determination.
RD-F-150 n/a Bridge validator co-hosting Sanctum is a Solana-only LST liquidity layer; no bridge contracts operated. Cat 10 N/A by construction per profiler determination.
RD-F-151 n/a Bridge ecrecover checks result ≠ address(0) CRITICAL FACTOR — NOT_APPLICABLE. Sanctum is a Solana-only LST liquidity layer; no bridge contracts operated. No ecrecover verification code to assess. Cat 10 N/A by construction per profiler determination.
RD-F-152 n/a Bridge binds message to srcChainId Sanctum is a Solana-only LST liquidity layer; no bridge contracts operated. Cat 10 N/A by construction per profiler determination.
RD-F-153 n/a Bridge tracks nonce-consumed mapping Sanctum is a Solana-only LST liquidity layer; no bridge contracts operated. Cat 10 N/A by construction per profiler determination.
RD-F-154 n/a Default bytes32(0) acceptable as valid root CRITICAL FACTOR — NOT_APPLICABLE. Sanctum is a Solana-only LST liquidity layer; no bridge contracts operated. No Merkle root acceptance pattern exists to assess. Cat 10 N/A by construction per profiler determination.
RD-F-155 n/a Bridge validator-set rotation recency Sanctum is a Solana-only LST liquidity layer; no bridge contracts operated. Cat 10 N/A by construction per profiler determination.
RD-F-156 n/a Bridge uses same key custody for >30% validators Sanctum is a Solana-only LST liquidity layer; no bridge contracts operated. Cat 10 N/A by construction per profiler determination.
RD-F-157 n/a Bridge TVL per validator ratio Sanctum is a Solana-only LST liquidity layer; no bridge contracts operated. Cat 10 N/A by construction per profiler determination.
RD-F-179 n/a LayerZero OFT DVN config (count, threshold, diversity) Not applicable. Sanctum does not use LayerZero OFT. No LayerZero integration of any kind. Data cache confirms layerzero.present: false. Cat 10 N/A by construction per profiler determination.
Threat intelligence & recon Yellow 20 8 of 8
RD-F-158 yellow Known-threat-actor cluster has touched protocol T-09 v1 phase 2 signal (Tier C — advisory only). No confirmed DPRK/Lazarus cluster direct interaction with Sanctum contracts identified in public sources. Drift exploit (April 2026, DPRK-attributed, $285M) used a Solana DEX aggregator (Jupiter per reports) for post-exploit swaps; Sanctum/Infinity not specifically named in Elliptic or TRM laundering-route analysis. Bybit (February 2025, $1.5B, Lazarus) funds routed through Solana broadly without Sanctum-specific interaction documented. Elevated background exposure: Sanctum is the largest Solana LST liquidity layer ($1.37B TVL) — all major high-TVL Solana protocols are passive potential drain venues for DPRK actors. Framing: any DPRK actor using Sanctum as a passive swap venue is adversarial-venue-use (F158, Cat 11), not dev-identity contamination (F125, Cat 7). Cannot confirm or deny without licensed Chainalysis/TRM Solana cluster feed.
RD-F-161 yellow Protocol-impersonator domain registered (typosquat) Three confirmed suspicious impersonator domains identified. (1) sanctumsol.com: registered 2026-05-04 minus 706 days = 2024-05-27. Trust score 0/100 per ScamAdviser. Flagged as malware by Gridinsoft and threat by DNSFilter. Cryptocurrency-focused with hidden WHOIS. Likely Sanctum impersonator. (2) sanctums.network: registered 2024-05-29 (delta 704 days). Trust score 0/100. Flagged suspicious by IPQS. Claims LST trading on Solana — direct product impersonation. Hidden WHOIS. (3) sanctumus.com: registered 2025-07-14 (delta 294 days). Trust score low; caution recommended. Hidden WHOIS. Registration-date delta vs 90-day taxonomy window: all three are outside the 90-day new-registration alert threshold (sanctumsol.com: 706 days; sanctums.network: 704 days; sanctumus.com: 294 days) — the signal does not fire on current-window criteria but persistent impersonation risk is elevated. Historical precedent: July 30, 2024 unstake.it domain loss confirmed phishing use. Yellow score reflects confirm
RD-F-163 yellow Avg attacker reconnaissance time for peer-class protocols Peer-class reconnaissance time for similar Solana DeFi protocols: Drift Protocol (April 2026, $285M, DPRK, same Solana DeFi class) involved 3–6 months of social engineering reconnaissance before the April 1 strike (CVT fake token deployed March 12, 2026 — ~20 days on-chain staging; social engineering over months). Bybit (February 2025, $1.5B, Lazarus) involved multi-week reconnaissance of the Safe{Wallet} developer environment. USPD baseline (T-09 §4.9): average 78-day reconnaissance window across sample. For high-TVL Solana DeFi protocols with visible teams, Drift-class recon (multi-month social engineering targeting team members and multisig signers) is the dominant threat model. Sanctum's profile — high-recognition brand ($1.37B TVL), partially doxxed founders (FP Lee, Jesse Cho, Jaye Tan), external multisig signers from reputable Solana entities — places it in the primary reconnaissance target class for DPRK actors. v1 deferred analytical signal.
RD-F-159 gray Attacker wallet pre-strike probe (low-gas failing txs) No public identification of pre-strike failing transaction patterns (Solana analogue: failed txs to protocol programs) targeting Sanctum. Requires Solana-specific mempool plus cluster analysis not accessible at OSINT tier. v1 deferred signal.
RD-F-164 gray Leaked credential on paste/sentry site No paste-site credential leaks for Sanctum infrastructure identified via public OSINT. Assessment requires automated credential-monitoring (HaveIBeenPwned API, PasteHunter, Sentry-alt monitoring) — production pipeline gap. No evidence either way. v1 deferred signal.
RD-F-165 gray Protocol social channel has scam-coordinator flag No Sanctum Discord admin or moderator flagged on public scam-coordinator watchlists found via OSINT. Sanctum Discord linked from sanctum.so (URL not independently verified via fetch). Unsolicited DM scam pattern is endemic to all high-recognition DeFi Discord servers but no specific coordinator flagging identified for Sanctum's channels. v1 deferred signal; requires curator scam-coordinator watchlist.
RD-F-160 green GitHub malicious-dependency incident touching protocol deps No GitHub security advisory flagging a malicious release in Sanctum's Rust/Cargo dependency chain found as of 2026-05-04. The unstake-program README references cargo-audit and Soteria scanner usage (per profile §11), indicating security-conscious dependency management. No active CVE or GHSA against Sanctum's dependencies identified. v1 deferred signal.
RD-F-162 green Known-exploit-template selector deployed by any address No exploit-template bytecode targeting Sanctum's SPL stake-pool integration or multi-LST intrinsic-value AMM identified in deploy-scan corpora. No prior Sanctum on-chain exploits to seed the template class. Hacksdatabase + Rekt + DefiLlama all clean. Signal does not fire today.
Tooling / compiler / AI Green 8 5 of 5
RD-F-172 yellow Repo shows AI-tool co-authorship in critical files No AI-tool co-authorship metadata (Copilot Co-authored-by trailers) found in commit history for igneous-labs/S, inf-1.5, or sanctum-unstake-program. However, the inf-1.5 ctl-v2.0.0 release note references 'thanks codex 5.4 high (#173)' — 'codex' is ambiguous (possibly GitHub Copilot CLI or PR convention), raising a low-confidence signal of AI-assisted development in a V2 change. Rated yellow due to this ambiguous signal.
RD-F-171 n/a Bytecode similarity to audited upstream with behavior deviation Sanctum is an original codebase, not a fork of any audited upstream. The inf-1.5 repo is an incremental rework of the same team's S program. No cross-organization bytecode-copy risk pattern applies. Factor intent (detecting hidden forks inheriting bugs) is structurally inapplicable.
RD-F-170 green Solc version used (known-bug versions flagged) Sanctum programs use Rust, not Solidity. Rust toolchain: sanctum-unstake-program pins 1.70.0 (stable, not EOL); igneous-labs/S uses 1.68.0 (BPF) / 1.73.0 (general); inf-1.5 uses 1.89.0 per recent search result. None are on known critical-bug lists. No Solidity compiler exposure.
RD-F-173 green Team self-disclosure of AI-generated Solidity No team disclosure of AI-generated Rust or Solidity in production security-critical code found. No Sanctum blog, docs, or tweet references AI-generated production contracts. The 'codex' reference in one release note is ambiguous and not a definitive team self-disclosure.
RD-F-174 green Dependency tree uses EOL Solidity version Sanctum primary programs are Rust/SBF. Rust 1.68.0, 1.70.0, 1.73.0, 1.89.0 are all stable releases on the supported release track. No EOL Rust version in use. No Solidity EOL risk applies.
Response & disclosure hygiene Red 50 4 of 4
RD-F-175 red Disclosure channel exists No public security disclosure channel found. (1) No Immunefi bug bounty program: CertiK Skynet shows 'No third-party bounty program'; Immunefi search returned no sanctum.so listing; data cache bug_bounty.platform: null, bug_bounty.url: null. (2) No security.txt: https://sanctum.so/.well-known/security.txt returns 404. (3) No SECURITY.md: data cache security_md_present: false for sanctum-unstake-program; igneous-labs/S also has no SECURITY.md per GitHub. (4) No security@ or equivalent contact found in learn.sanctum.so/docs, learn.sanctum.so/legacy-docs, or sanctum.so website. This is a significant gap for a $1.37B protocol — no white-hat researcher has a sanctioned path to report a critical vulnerability.
RD-F-176 red Disclosure SLA public No acknowledgment-time SLA published. No disclosure channel exists (F175 red), so no SLA can be attached to any channel. No Immunefi program to embed an SLA, no SECURITY.md with response timeline, no docs security page with a committed acknowledgment window. Scored red (not gray) because the absence of both channel and SLA represents compounding disclosure hygiene failures, not simply a downstream consequence of a single gap. Red = no SLA published.
RD-F-177 green Prior known-ignored disclosure No evidence of any vulnerability being disclosed to Sanctum and subsequently ignored before exploitation. No exploits have occurred (F077 = 0), so no post-mortem could document a 'received-but-not-actioned' disclosure pattern. Web search for Sanctum security incidents returned no reports of ignored disclosures. hacksdatabase grep: 0 Sanctum incident files. Green = no evidence of ignored disclosure per methodology. Caveat: absence of a formal disclosure channel (F175 red) creates a structural forward-looking risk that future disclosures may not be received — this is a Cat 13 process concern, not a backward-looking Cat 5 finding.
RD-F-178 green CVE/GHSA advisory issued against protocol No CVE or GHSA advisory has been published against Sanctum's on-chain programs. (1) igneous-labs/sanctum-unstake-program security advisories: 'There aren't any published security advisories' — verified via GitHub. (2) igneous-labs/S (Infinity) security advisories: 'There aren't any published security advisories' — verified via GitHub. (3) NVD/CVE search returned no Sanctum DeFi protocol advisories. (4) OtterSec, Neodyme, and Sec3 Infinity audit reports (February 2024) documented pre-launch findings; these were not converted to public GHSAs post-launch. Green = no advisory issued.
rubric_version v1.7.0 graded_at 2026-05-12 04:38:07 factors 184 protocol sanctum