Reserve Protocol Solana DTFs

Findings · 12

1. 1 Incomplete building and testing instructions Informational
2. 2 No Solana-specific documentation Informational
3. 3 Testing deficiencies Informational
4. 4 Accounts structs store fields in differing orders, making them difficult to compare Informational
5. 5 DTF owner key compromise allows manipulation of DAOFeeConfig Medium
6. 6 Trade instructions do not require a dtf_pogram_signer account High
7. 7 Comparison against wrong constant in accrue_rewards High
8. 8 remove_from_registrar succeeds if passed program IDs are not in accepted_programs Informational
9. 9 update_folio has error-prone interface that can lock out the owner Low
10. 10 add_tokens_to_basket does not check whether any of the values in mints is Pubkey::default() Informational
11. 11 Incorrect TTL check in approve_trade Low
12. 12 Folio owner can rug pull DTF shareholders High

Findings extracted from the published report PDF. See the full report below for details and remediation.