If you discover a security vulnerability in LazorKit, please report it responsibly:
- Do not open a public GitHub issue.
- Use GitHub's private vulnerability reporting, or
- Email: security@lazorkit.app
- 48 hours — acknowledgement of report
- 7 days — initial assessment and severity classification
- 30 days — target for fix and disclosure
In scope:
- On-chain Solana program (
program/src/) - TypeScript SDK (
sdk/sdk-legacy/) - PDA derivation and signature verification logic
- Replay protection mechanisms
Out of scope:
- Frontend applications built on top of LazorKit
- Third-party dependencies (please report to upstream)
- Test files and scripts
LazorKit V2 underwent an audit by Accretion plus internal pre-mainnet review. All findings were resolved.
- Odometer counter replay protection (monotonic u32 per authority; works with synced passkeys).
- Clock-based slot freshness (150-slot window via
Clock::get()). - CPI
stack_heightanti-reentrancy check on every authenticated path. - Challenge hash binds signature to payer, accounts, counter, and program ID.
- Account ownership + discriminator checks on every PDA read.
- Transfer-allocate-assign pattern prevents create-account DoS.
- Session action enforcement: expired spending limits are a hard deny; expired whitelists block all programs.
SolMaxPerTxuses per-CPI gross-outflow tracking (DeFi round-trips can't bypass the per-tx cap).- Vault metadata + per-listed-mint token account invariants enforced in session execute (blocks
System::Assign, SPL TokenSetAuthority,Approveescapes). - Token balance sum-all-accounts prevents dummy-account bypass.
- Admin-gated protocol instructions verify config ownership before reading admin field.
- Constant-time comparison on the signed challenge field.
compact.rshas runtime assert guards against u8 truncation (not debug-only).actions_lencapped at 2,048 bytes to prevent BPF heap exhaustion.