Deployed bytecode matches signed release tag

Sanctum's assessment for RD-F-136 — scored yellow on the v1.7.0 rubric. The evidence below is the curator's reasoning for this score.

Evidence summary #

Solana programs support solana-verify for bytecode-to-source matching. The sanctum-unstake-program README references mainnet commit 11aac05b22794e6c2c3366dbb7141f4c61845c24. For inf-1.5, Controller Program V2 was tagged March 12 2026. Whether a public solana-verify check output exists for each deployed release is not confirmed in available evidence. Positive infrastructure exists (toolchain pinning, tagged releases) but public verification confirmation is absent.

Sources #

Docs
Verifying Programs | SolanaSolana verified builds documentation: solana-verify verify-from-repo mechanismretrieved 2026-05-04
GitHub
GitHub: sanctum-unstake-programigneous-labs/sanctum-unstake-program README: mainnet commit 11aac05b22794e6c2c3366dbb7141f4c61845c24retrieved 2026-05-04

Methodology #

Determine whether the deployed runtime bytecode corresponds to a signed git tag in the protocol's repository.

See the full factor methodology and distribution across all protocols →

rubric_version v1.7.0 protocol sanctum factor RD-F-136 score yellow collected_at 2026-05-04 18:49:23