
RIFTS Protocol is a sophisticated DeFi infrastructure built on Solana, implementing a multi-module architecture encompassing token wrapping, fee collection with Jupiter integration, LP staking rewards, and on-chain governance. The protocol's complexity—spanning oracle integration, cross-program invocations (CPIs), and liquidity management—necessitated a thorough security assessment to ensure the safety of user funds and protocol integrity.
Given the protocol's interaction with external DeFi primitives (Jupiter aggregator, Meteora liquidity pools, Pyth/Switchboard oracles), security was paramount. The audit focused on validating authorization controls, preventing economic exploits, ensuring numerical precision, and hardening against common Solana-specific attack vectors such as PDA seed collisions, account substitution, and CPI manipulation.
The security assessment covered four primary Rust modules compiled to Solana BPF programs using the Anchor framework:
programs/rifts-protocol/src/lib.rs — Core wrapping, unwrapping, oracle updates, and liquidity operations
programs/fee-collector/src/lib.rs — Fee processing and Jupiter swap integration
programs/lp-staking/src/lib.rs — LP token staking and reward distribution
programs/governance/src/lib.rs — On-chain proposal creation, voting, and execution
Assure DeFi employed a hybrid methodology combining static analysis, manual code review, and formal verification techniques. The audit examined PDA derivation patterns, account constraint enforcement, arithmetic safety, oracle integrity, CPI security, and governance controls. Three remediation cycles were conducted, with fixes validated at commits 295f0287, 71f877ea, and 6397acfc.
The initial audit identified 62 total findings across all severity levels. The distribution revealed systemic issues in authorization, numerical precision, and external integration safety.
The severity distribution highlighted critical weaknesses in oracle validation, CPI security, and governance controls. High-severity findings dominated the initial report, reflecting the protocol's complexity and the inherent risks of cross-program interactions on Solana. The team's systematic remediation approach—addressing authorization gaps, implementing strict account binding, upgrading arithmetic to u128, and enforcing slippage protections—transformed the codebase from a failing security posture to a production-ready state.
While the comprehensive audit identified 62 findings across all modules, the remediation process demonstrated the development team's commitment to security excellence. All findings were systematically addressed through three remediation cycles, with fixes validated and re-tested at each stage.
The resolution process included implementing strict PDA seed standardization, upgrading arithmetic operations to u128 to prevent overflow, binding all external accounts to state-stored keys, enforcing post-swap slippage checks, implementing snapshot-based voting to prevent double-counting, and adding governance-controlled emergency controls. The team also replaced custom Jupiter ABI implementations with official SDK integrations, validated oracle feeds against whitelisted publishers with staleness checks, and implemented comprehensive account constraint enforcement across all modules.
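The remediation patterns listed above, written out as an added example that is not RIFTS Protocol's or Assure DeFi's code: plain Rust with no Solana or Anchor crates, so the Pubkey stand-in, the VaultState, OracleFeed, Proposal and StakeRecord layouts, the error variants and the function names are all assumptions for illustration, and the in-memory HashSet of voters stands in for what would be a per-voter vote-receipt PDA on chain.

```rust
use std::collections::HashSet;

/// Stand-in for solana_program::pubkey::Pubkey (assumed; no Solana/Anchor crates here).
#[derive(Clone, Copy, PartialEq, Eq, Hash, Debug)]
pub struct Pubkey(pub [u8; 32]);

#[derive(Debug, PartialEq, Eq)]
pub enum ProtocolError {
    MathOverflow,
    SlippageExceeded,
    StaleOracle,
    UntrustedPublisher,
    AccountMismatch,
    AlreadyVoted,
    StakeAfterSnapshot,
}

/// Hypothetical vault state: the trusted external keys are recorded once at
/// initialisation and every later instruction is checked against them.
pub struct VaultState {
    pub jupiter_program: Pubkey,
    pub oracle_publisher: Pubkey,
    pub fee_bps: u64,
}

/// Account binding: refuse a caller-supplied account that differs from the key
/// stored in state (the account-substitution bug class).
pub fn check_bound_account(expected: &Pubkey, provided: &Pubkey) -> Result<(), ProtocolError> {
    if expected == provided { Ok(()) } else { Err(ProtocolError::AccountMismatch) }
}

/// Fee math in u128 with checked ops: amount * fee_bps overflows u64 for large
/// amounts, so widen first and narrow back only after the division.
pub fn compute_fee(amount: u64, fee_bps: u64) -> Result<u64, ProtocolError> {
    let fee = (amount as u128)
        .checked_mul(fee_bps as u128)
        .ok_or(ProtocolError::MathOverflow)?
        .checked_div(10_000)
        .ok_or(ProtocolError::MathOverflow)?;
    u64::try_from(fee).map_err(|_| ProtocolError::MathOverflow)
}

/// Post-swap slippage check: measure what the destination token account actually
/// gained across the CPI instead of trusting the aggregator's quoted out-amount.
pub fn enforce_min_out(before: u64, after: u64, min_out: u64) -> Result<u64, ProtocolError> {
    let received = after.checked_sub(before).ok_or(ProtocolError::MathOverflow)?;
    if received < min_out { return Err(ProtocolError::SlippageExceeded); }
    Ok(received)
}

/// Simplified price update (field names assumed, not Pyth's or Switchboard's layout).
pub struct OracleFeed {
    pub publisher: Pubkey,
    pub price: u64,
    pub publish_time: i64,
}

/// Oracle integrity: whitelisted publisher plus a staleness bound in seconds.
pub fn read_price(feed: &OracleFeed, state: &VaultState, now: i64, max_age: i64) -> Result<u64, ProtocolError> {
    if feed.publisher != state.oracle_publisher { return Err(ProtocolError::UntrustedPublisher); }
    let age = now.checked_sub(feed.publish_time).ok_or(ProtocolError::MathOverflow)?;
    if age < 0 || age > max_age { return Err(ProtocolError::StaleOracle); }
    Ok(feed.price)
}

/// Snapshot voting: weight comes only from stake that existed at the proposal's
/// snapshot slot, and each owner votes once. On chain `voters` would be a
/// per-(proposal, voter) vote-receipt PDA rather than an in-memory set.
pub struct Proposal {
    pub snapshot_slot: u64,
    pub yes: u128,
    pub no: u128,
    pub voters: HashSet<Pubkey>,
}

pub struct StakeRecord {
    pub owner: Pubkey,
    pub amount: u64,
    pub staked_at_slot: u64,
}

pub fn cast_vote(p: &mut Proposal, stake: &StakeRecord, approve: bool) -> Result<(), ProtocolError> {
    if stake.staked_at_slot > p.snapshot_slot { return Err(ProtocolError::StakeAfterSnapshot); }
    if !p.voters.insert(stake.owner) { return Err(ProtocolError::AlreadyVoted); }
    let tally = if approve { &mut p.yes } else { &mut p.no };
    *tally = tally.checked_add(stake.amount as u128).ok_or(ProtocolError::MathOverflow)?;
    Ok(())
}
```

In a real Anchor program the `check_bound_account` comparison is what an `address = state.jupiter_program` or `has_one` constraint enforces on the accounts struct, and `enforce_min_out` is applied to token balances read before and after the swap CPI; the point the audit makes is that the quoted output, the caller's account list and the raw oracle update are all attacker-influenced inputs until the program checks them against its own state.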
Through rigorous collaboration between the Assure DeFi audit team and RIFTS developers, the protocol moved from an initial FAIL status with a security score of 30/100 to a PASS rating meeting production-ready standards. The systematic resolution of the identified findings, from critical authorization bypasses to informational code quality improvements, demonstrates the value of thorough security auditing in the DeFi ecosystem.
Assure DeFi conducted a multi-phase security assessment combining automated tooling and expert manual review. The methodology combined static analysis, manual code review, and formal verification techniques, examining PDA derivation patterns, account constraint enforcement, arithmetic safety, oracle integrity, CPI security, and governance controls.
Each finding was classified by severity (High, Medium, Low, Informational) based on exploitability and potential impact. The audit team provided detailed remediation guidance for each issue, including code examples and architectural recommendations. Three remediation cycles ensured all fixes were properly implemented and did not introduce new vulnerabilities.
The RIFTS development team demonstrated exceptional responsiveness throughout the remediation process. Fixes were implemented across three distinct commits, with each cycle addressing progressively more complex issues:
Cycle 1 (commit 295f0287): Resolved critical authorization bypasses, implemented PDA seed standardization, and upgraded arithmetic operations to u128 across all modules.
Cycle 2 (commit 71f877ea): Addressed CPI security gaps, implemented strict account binding to state, and added comprehensive slippage enforcement for all swap operations.
Cycle 3 (commit 6397acfc): Finalized governance controls, implemented snapshot voting, validated oracle feed integrity, and resolved remaining informational findings.
Each remediation cycle was followed by complete re-verification, including regression testing to ensure fixes did not introduce new vulnerabilities. The final assessment confirmed that 59 of 62 findings were fully resolved, with 3 findings acknowledged by the team with documented risk acceptance. The protocol achieved a PASS status, meeting Assure DeFi's security standards for production deployment.
This case study is based on publicly available audit reports. All findings discussed have been resolved prior to publication. This content is for informational purposes only and does not constitute security advice.
For the most up-to-date security information, please visit the project's official channels and the Assure DeFi dashboard.