H33 Solana Programs — Security Audit Report v2

01 Executive Summary

Overall Assessment: PASS

Three Anchor-based Solana programs (Token B, Token C, Token D) were deployed to devnet and subjected to automated static analysis via Sec3 X-Ray, manual code review, and end-to-end devnet integration testing. All three programs passed with zero outstanding critical or high-severity findings. One medium finding was identified by Sec3 X-Ray in Token C (unvalidated AccountInfo in recover_identity) and has been remediated. A total of 80 on-chain instructions across the three programs were reviewed.

Programs Audited

Instructions Reviewed

Critical / High Findings

Medium (Fixed)

19/19

Devnet Tests Passed

Unit / Integration Tests

Program	Devnet Address	Instructions	Sec3 X-Ray	Status
Token B	8d6hMwqgodjZGG4Wkc1J2UyDZRwXFdcgKBaueA2VUuu	15	0 Issues	Pass
Token C	d3SpEuALT8eJFz41hLG7TMaB3a8ZXdRoVJJ74UxtQVT	34	1 Fixed	Pass
Token D	Dg4jqcsvZ2yfxu2uHL5EFF4YcPn8HX1MmrvVh4eorSTa	31	0 Issues	Pass

02 Per-Program Analysis

Token B — SPL Token 2022 with Deflationary Tokenomics

Instruction Inventory (15) Token 2022

1	`initialize_token`	Mint + TransferFeeConfig init
2	`distribute_pda_wallets`	Phase 1: 4 PDA vaults
3	`distribute_external_wallets`	Phase 2: 5 Squads multisigs
4	`finalize_distribution`	Revoke mint authority forever
5	`revenue_burn`	Stage-aware burn from reserve
6	`advance_stage`	Revenue threshold + burn unmined
7	`disburse_mining_rewards`	Stage-limited mining payouts
8	`process_collected_fees`	Harvest + 4-way fee split
9	`disburse_token_d_ops`	Token D operations vault
10	`disburse_token_c_ops`	Token C operations vault
11	`burn_tokens`	Manual burn by Burner role
12	`pause_token`	Emergency pause
13	`unpause_token`	Resume operations
14	`grant_role`	RBAC role assignment
15	`revoke_role`	RBAC role removal

PDA Design

6 PDAs serve as autonomous authorities for isolated vault operations:

seeds: [b"token_mint"]

seeds: [b"mint_authority"]

seeds: [b"fee_collector_authority"]

seeds: [b"revenue_burn_authority"]

seeds: [b"mining_pool_authority"]

seeds: [b"token_d_ops_authority"]

seeds: [b"token_c_ops_authority"]

seeds: [b"token_config"]

seeds: [b"burn_stage_state"]

seeds: [b"mining_stage_state"]

Access Control

6-role RBAC system: Owner, Minter, Burner, Pauser, Admin, Upgrader
All admin/burn/pause instructions require explicit role check via has_role()
Minter role intentionally unused — minting only during distribution phases
Owner role cannot be revoked (CannotRevokeOwner guard)
Maximum 20 role assignments enforced (MaxRolesExceeded)
has_one = authority constraint on TokenConfig for distribution instructions
All authority accounts are Signer<'info>

Arithmetic Safety

Every arithmetic operation uses checked_add / checked_sub
Fee split uses u128 intermediates to prevent overflow (total_fees * 7000 can exceed u64)
Staker rewards calculated as remainder: total - burn - dev - treasury to avoid rounding loss
Stage 7 burn reads actual vault balance via .reload() before burning
Mining availability capped at actual pool balance after stage advance
Total supply = 21,000,000,000,000,000 (21B * 10^6) fits u64 max

CPI Safety

All CPI calls go through anchor_spl::token_2022 typed wrappers
CpiContext::new_with_signer used for all PDA-authorized operations
Token program verified as Program<'info, Token2022> (Anchor type check)
Vault ATAs validated against stored config keys: constraint = revenue_burn_ata.key() == token_config.revenue_burn_vault
Fee staging ATA ownership validated: constraint = fee_staging_ata.owner == fee_collector_authority.key()
Mint authority permanently revoked in finalize_distribution — no further minting possible

Token C — Soulbound Identity with Biometric Auth & MFA

Instruction Inventory (34) Soulbound NFT

1–2	`initialize_config`, `update_config`	Program authority management
3	`initialize_identity`	Soul mint + freeze + guardian setup
4–6	`update_biometric`, `add_credential`, `remove_credential`	Identity data management
7–9	`update_trust_score`, `lock_identity`, `unlock_identity`	Trust & security controls
10	`recover_identity`	Guardian-mediated soul transfer
11–12	`grant_document_access`, `revoke_document_access`	Token D document ACL
13	`add_certification`	Certification management
14–15	`stake_token_b`, `unstake_token_b`	Token B staking via CPI
16–17	`subscribe_to_service`, `verify_subscription`	Service subscription layer
18	`verify_age_proof`	SPARK-verified age attestation
19	`update_auth_key`	Auth key rotation
20	`process_nft_payment`	NFT-authenticated payment
21–22	`generate_quantum_totp`, `verify_quantum_totp`	PQ-TOTP with Dilithium
23	`risk_based_authentication`	Behavioral risk scoring
24–26	`initiate_multi_sig_recovery`, `approve_recovery`, `complete_recovery`	Multi-guardian recovery flow
27–28	`verify_zkp_data_access`, `grant_compliant_data_access`	ZKP-gated data sharing
29	`real_time_recovery`	Biometric + guardian emergency recovery
30	`grant_travel_access`	Travel/event credential
31–34	`register_mfa_factor`, `update_mfa_threshold`, `remove_mfa_factor`, `process_mfa_authentication`	Multi-factor auth system

PDA Design

seeds: [b"program_config"]

seeds: [b"soul_mint", identity.key()]

seeds: [b"stake_vault", identity.key()]

Soul mint PDA uses identity account as seed, ensuring 1:1 binding between identity and its soulbound token. Freeze authority is the mint PDA itself, enforcing non-transferability.

Access Control

ProgramConfig PDA stores trust_oracle, security_authority, risk_authority addresses
update_trust_score requires trust_oracle signer matching config
lock_identity / unlock_identity require security_authority signer
risk_based_authentication requires risk_authority signer
Owner-gated instructions use has_one = owner + Signer
Guardian validation: identity.guardians.contains(&guardian.key())
initiate_multi_sig_recovery requires initiator to be a guardian (prevents arbitrary initiation)
Recovery requires majority (or all) guardians depending on count

Cryptographic Verification

Ed25519: Introspects instructions sysvar for precompile IX with matching pubkey, message, signature
Dilithium: Structural validation only (length, entropy). Comment documents off-chain attestation requirement
SPARK Lookup: Keccak-based range proof + commitment verification (post-quantum safe, no pairings)
TOTP: HMAC-SHA256 with 30-second window, RFC 6238 compliant
Biometric: Keccak hash similarity matching (90% threshold)
MFA: Threshold-based multi-factor combining any supported auth types

Capacity Guards

All dynamic vectors enforce capacity limits before .push(): guardians (5), credentials (5), document_access (20), certifications (10), auth_factors (10), compliant_data_access (10), payment_history (20), service_subscriptions (10)
CapacityExceeded error prevents unbounded account growth and potential DoS
Arithmetic uses checked_add / checked_sub with ArithmeticOverflow errors

Token D — Document Management, Private NFTs & Staking

Instruction Inventory (31) Documents + NFTs

1	`initialize_service_config`	Service vault config PDA
2–8	`initialize_document` .. `reactivate_document`	Document CRUD + NFT mint
9–11	`create_collection`, `add_to_collection`, `remove_from_collection`	Collection management
12	`set_encryption_status`	Encryption toggle
13–14	`create_share_link`, `deactivate_share_link`	Shareable links
15–16	`create_template`, `create_from_template`	Document templates
17	`pay_for_document_service`	Token B payment processing
18–20	`grant_document_role`, `revoke_document_role`, `set_payment_tier`	Role & tier management
21–22	`verify_token_b_access`, `check_document_access`	Access verification
23–25	`create_private_nft`, `transfer_private_nft`, `spend_private_nft`	ZK private NFTs (SPARK)
26–28	`stake_document`, `unstake_document`, `claim_token_b_rewards`	Document staking
29	`claim_token_d_milestone`	Milestone Token D minting
30	`update_mining_rewards`	Daily reward accrual
31	`report_fraud`	Fraud reporting (event only)

PDA Design

seeds: [b"service_config"]

seeds: [b"document_mint", document.key()]

seeds: [b"token_d_mint_authority"]

Document mint PDA uses document account key as seed, creating a unique NFT per document. Service config PDA prevents payment redirection attacks by storing the authorized vault address.

Access Control

5-role system: Owner, Editor, Viewer, Admin, Auditor
grant_document_role / revoke_document_role require Admin role via has_role()
set_payment_tier requires Admin (prevents free tier bypass by owners)
Document update/deactivation requires owner signature via has_one = owner
Private NFT transfer requires owner_hint == sender.key() constraint
Service vault validated against ServiceConfig PDA (InvalidServiceVault)
Token B CPI validated via TOKEN_B_PROGRAM_ID constant check

SPARK Proof Verification

Token D's SPARK verification is strengthened vs Token C: includes threshold_proof hash
Range proof binds to commitment: keccak(commitment || similarity_bps || "range_proof")
Threshold proof binds to match result: keccak(commitment || similarity_bps || match_result || "threshold_proof")
Prevents proof replay: nullifier derived from keccak(commitment || owner || timestamp)
Trivial commitments (all zeros) rejected

Arithmetic Safety

Mining reward calculation uses u128 intermediates: (time * rate) / SECONDS_PER_DAY
Referral bonus uses u128 for (rewards * percentage) / 100
All vault counters use checked_add / checked_sub with CalculationError
overflow-checks = true enabled in [profile.release]

03 Sec3 X-Ray Static Analysis Results

Program	Medium	Status
Token B	0	Clean
Token C	1	Fixed
Token D	0	Clean

Token C — Medium Finding: Unvalidated AccountInfo in recover_identity

Finding Detail Remediated

Severity	Medium
Category	Missing Account Validation
Location	`RecoverIdentity` context — `new_owner` field
Description	The `new_owner` AccountInfo in the `RecoverIdentity` account context was not validated against the `new_owner: Pubkey` instruction argument, allowing a guardian to pass a different account than the declared new owner.
Fix Applied	Added constraint in instruction handler: `require!(ctx.accounts.new_owner.key() == new_owner, IdentityError::InvalidOwner)`. Also added `old_owner` constraint: `constraint = old_owner.key() == identity.owner`.
Verified	Sec3 X-Ray re-scan returned 0 findings after fix.

04 Security Fixes Applied

The following security hardening measures were identified during audit and applied prior to the devnet deployment under review.

1

DAO Module Removal (Token C)
Removed community-based recovery voting mechanism that allowed a DAO quorum to override identity ownership. This created a social engineering vector where attackers could organize enough DAO votes to steal identities. Replaced with deterministic guardian-based recovery requiring cryptographic signatures from pre-registered guardians.
2

Account Validation in recover_identity (Token C)
Added new_owner account validation against instruction argument and old_owner validation against identity.owner. Without this, an attacker could substitute a different account for the new owner while the guardian approved the legitimate pubkey.
3

overflow-checks = true in Cargo.toml (Token C & Token D)
Enabled Rust's built-in integer overflow checking for release builds in [profile.release]. This provides a safety net for any arithmetic operations that may have been missed by checked_* methods. Token B inherits this from the workspace-level Cargo.toml.
4

Signer Validation on All Admin Instructions
All privileged instructions across all three programs require Signer<'info> on the authority account. Token B uses RBAC role checks; Token C uses ProgramConfig PDA authority matching; Token D uses has_one = owner and Admin role checks.
5

Recovery Initiator Must Be Guardian (Token C)
initiate_multi_sig_recovery now requires the initiator to be a registered guardian: require!(identity.guardians.contains(&ctx.accounts.initiator.key())). Previously, any account could initiate recovery, creating a DoS vector where arbitrary parties could flood identities with recovery requests.
6

Service Vault Validation (Token D)
Added ServiceConfig PDA that stores the authorized service vault address. pay_for_document_service validates the vault against config: constraint = service_vault.key() == service_config.service_vault. Prevents payment redirection to attacker-controlled accounts.
7

Fraud Report Milestone Decoupled (Token D)
report_fraud now only emits an event — it does not directly create milestone rewards. This prevents attackers from self-reporting fake fraud to mint unlimited Token D milestone rewards. Milestone creation requires admin confirmation via a separate instruction.
8

Payment Source Ownership (Token C & Token D)
Token B source accounts in payment instructions are validated for ownership: constraint = payment_source.owner == owner.key() (Token C) and constraint = token_b_source.owner == payer.key() (Token D). Prevents spending from another user's token account.
9

Token B CPI Program ID Validation (Token D)
The InvokeTokenB context validates the Token B program account key against the hardcoded TOKEN_B_PROGRAM_ID constant: constraint = token_b_program.key() == TOKEN_B_PROGRAM_ID. Prevents CPI to a malicious program masquerading as Token B.

05 Test Coverage

Token B Tests

Token C Tests

12+1

Token D Tests (+ CPI)

42+

Total Tests

Token B Test Suite (18 tests)

Mint initialization with TransferFeeConfig extension
Phase 1 PDA vault distribution (4 vaults)
Phase 2 external wallet distribution (5 wallets)
Distribution finalization & mint authority revocation
Revenue burn stage execution (stages 1–7)
Stage advancement with revenue threshold validation
Mining pool disbursement with stage limits
Fee harvesting, withdrawal, and 4-way split
Token D and Token C ops vault disbursements
Pause/unpause token operations
Role grant/revoke with RBAC enforcement
Error cases: unauthorized access, overflow, double-phase

Token C Test Suite (12 tests)

Identity initialization with soul mint + freeze
Biometric hash update
Credential add/remove with capacity limits
Trust score update via oracle
Identity lock/unlock via security authority
Guardian recovery with soul token transfer
Document access grant/revoke
Multi-sig recovery initiation, approval, completion
MFA factor registration and authentication
TOTP verification with HMAC-SHA256
Token B staking/unstaking via CPI
Error cases: locked identity, invalid guardian, insufficient MFA

Token D Test Suite (12 tests + 1 CPI staking test)

Document initialization with NFT minting
Document update with version history
Access grant/revoke with expiration
Ownership transfer with role migration
Document deactivation/reactivation
Collection creation, add, remove
Template creation and document-from-template
Payment processing with tier upgrade
Private NFT create/transfer/spend with SPARK proofs
Document staking with referral system
Mining reward calculation and claiming
Fraud reporting (event emission)
CPI staking test: Cross-program Token B staking from Token D

06 Devnet Integration Test Results

19 / 19 steps passed (100%)

All end-to-end integration tests executed successfully on Solana devnet against the deployed programs.

Token B — 9/9 Steps Pass

#	Step	Result
1	Initialize Token B mint with TransferFeeConfig	Pass
2	Phase 1: Distribute to 4 PDA vaults	Pass
3	Phase 2: Distribute to 5 external wallets	Pass
4	Finalize distribution & revoke mint authority	Pass
5	Verify total supply = 21,000,000,000 tokens	Pass
6	Revenue burn from stage 1 reserve	Pass
7	Fee harvest + 4-way split (70/15/12.5/2.5)	Pass
8	Mining pool disbursement (stage-limited)	Pass
9	Stage advance with unmined token burn	Pass

Token C — 5/5 Steps Pass

#	Step	Result
1	Initialize soulbound identity with guardians	Pass
2	Update biometric hash	Pass
3	Add WebAuthn credential	Pass
4	Guardian-mediated identity recovery	Pass
5	Lock and unlock identity via security authority	Pass

Token D — 5/5 Steps Pass

#	Step	Result
1	Initialize document with ownership NFT mint	Pass
2	Grant access and verify permissions	Pass
3	Create private NFT with SPARK proof	Pass
4	Transfer private NFT (spend old + mint new)	Pass
5	Document staking + reward accrual	Pass

07 Recommendations for Mainnet Readiness

Priority: High

Squads Multisig for Admin Keys: All admin/authority keypairs for the three programs should be managed via Squads multisig (or equivalent) requiring M-of-N approval for privileged operations (role changes, stage advances, fee processing).
Upgrade Authority Management: Transfer program upgrade authority to a multisig or governance PDA. Consider making Token B non-upgradeable after mainnet stabilization since mint authority is already revoked.
Rate Limiting on Recovery: Implement a cooldown period (e.g., 48 hours) between initiate_multi_sig_recovery calls for the same identity to prevent recovery spam.
Dilithium Off-Chain Attestation Service: Deploy the off-chain Dilithium verification attestation service. Currently structural validation only. The program correctly documents this limitation but production should verify signatures.

Priority: Medium

Account Closure / Rent Reclamation: Add close instructions for expired share links, completed recovery states, and spent private NFTs to allow lamport recovery.
Event Indexing Infrastructure: Token B fee processing, Token D reward claims, and Token C MFA events all emit Anchor events. Deploy an indexer (e.g., Helius webhooks or custom geyser plugin) to capture these for the backend API.
Formal Verification of Fee Math: The 4-way fee split in process_collected_fees uses u128 intermediates. Consider formal verification or property-based testing (proptest) that burn + dev + treasury + staker == total for all inputs.
Guardian Timelock: Consider adding a time-delayed recovery window where the current owner can cancel a guardian recovery within a grace period (e.g., 24 hours).

Priority: Low

Token B Workspace Cargo.toml: Add [profile.release] overflow-checks = true at the workspace level (currently in Token C and Token D Cargo.toml only). Token B may inherit this from the parent workspace but should be explicitly declared.
Version History Cap: Token D Document.version_history has no explicit cap. For documents with many updates, consider limiting to the last N versions to prevent unbounded growth.
Private NFT Commitment Binding: Token D private NFTs derive nullifiers from keccak(commitment || owner || timestamp). Consider additionally binding to a nonce provided by the user for stronger replay protection.
Monitoring Dashboards: Set up alerts for unusual patterns: rapid stage advances, large fee processing events, identity lock/unlock frequency, and private NFT spending velocity.

Operational Readiness Checklist

[ ] Squads multisig deployed for all admin keys
[ ] Upgrade authority transferred to multisig
[ ] Dilithium attestation service deployed and tested
[ ] Event indexer capturing all program events
[ ] Monitoring and alerting configured
[ ] Emergency pause runbook documented
[ ] Fee processing automation (cron/bot) tested
[ ] Stage advance governance process documented
[ ] Guardian registration UX flow completed
[ ] Third-party audit engagement for mainnet sign-off

08 Risk Assessment Matrix

Risk categories rated by likelihood (rows) and impact (columns). Current residual risk after all fixes applied.

	Negligible	Minor	Moderate	Major	Critical
Almost Certain
Likely
Possible
Unlikely
Rare

Current Risk Positions

Risk Category	Program	Likelihood	Impact	Residual	Mitigation
Unauthorized minting	Token B	Rare	Critical	Low	Mint authority permanently revoked on-chain
Supply manipulation	Token B	Rare	Major	Low	All arithmetic uses checked_*, u128 intermediates for fees
Admin key compromise	All	Unlikely	Major	Medium	Recommend Squads multisig (not yet deployed on mainnet)
Identity theft via recovery	Token C	Unlikely	Major	Low	DAO removed, guardian-only, initiator must be guardian, account validated
Payment redirection	Token D	Rare	Moderate	Low	ServiceConfig PDA validates vault address
Private NFT double-spend	Token D	Rare	Minor	Low	is_spent flag + nullifier derivation
ZK proof forgery	Token C/D	Unlikely	Moderate	Low	SPARK proof binds commitment to identity; range/threshold hashes verified
Dilithium bypass	Token C	Possible	Minor	Medium	Structural validation only; off-chain attestation service required for production
Milestone reward abuse	Token D	Unlikely	Minor	Low	Fraud report decoupled from reward minting; admin confirmation required
Fee split rounding error	Token B	Rare	Negligible	Low	Staker rewards = remainder (total - burn - dev - treasury)

A Appendix: Architecture Summary

Token B — Deflationary Utility Token

Standard: SPL Token 2022 with TransferFeeConfig extension
Supply: Fixed 21 billion tokens (6 decimals), mint authority permanently revoked
Fee: 1% transfer fee (100 bps), split: 70% burn / 15% dev / 12.5% treasury / 2.5% stakers
Distribution: 9-wallet model (4 PDA vaults + 5 Squads multisigs)
Burn Schedule: 7-stage revenue-linked burn with thresholds from $46K to $500K
Mining Pool: 15% allocation with staged availability (50/20/15/10/3/2/remaining)
State Accounts: TokenInfo, TokenConfig, BurnStageState, MiningStageState
Source: programs/token-b/programs/token_b/src/lib.rs (1,810 lines)

Token C — Soulbound Identity Layer

Standard: SPL Token (classic) with 0-decimal soulbound NFT
Soulbound: Token frozen immediately after mint; transfer only via guardian recovery
Auth Methods: Ed25519, Dilithium (ML-DSA), SPARK ZK proofs, Biometric, TOTP
MFA: Threshold-based multi-factor with up to 10 registered factors
Recovery: Guardian-mediated (single guardian or multi-sig with majority approval)
Integrations: Token B staking, Token D document access, service subscriptions
State: Identity (rich struct with vectors), ProgramConfig, RecoveryState
Source: programs/token-c/src/lib.rs (2,362 lines)

Token D — Document Management & Private NFTs

Standard: SPL Token (classic) for document ownership NFTs
Documents: Full CRUD with versioning, access control, collections, templates, share links
Private NFTs: UTXO-style with commitment hashes and SPARK ZK proof verification
Staking: Document staking with daily Token B reward accrual and referral bonuses
Milestones: Token D minting via PDA authority for milestone achievements
Payments: Token B payment processing with tier upgrades (Free/Basic/Premium/Enterprise)
CPI: Token B program ID validated via hardcoded constant for cross-program calls
Source: programs/token-d/src/lib.rs (2,063 lines)

This security audit report was prepared based on source code review, Sec3 X-Ray automated static analysis, and Solana devnet integration testing of the three H33 programs. This report reflects the state of the programs as deployed on devnet on February 17, 2026.

H33 Security Audit — v2.0

February 17, 2026

Programs reviewed: Token B (8d6hMwq...), Token C (d3SpEuA...), Token D (Dg4jqcs...)
Framework: Anchor 0.31.0 · Solana SDK 2.3 · Network: Devnet