docs: Clarify audit status of all programs, no S word (#4046)

joncinque · web-flow · commit 34b57d62fe5a · 2023-02-13T22:05:49.000Z
diff --git a/README.md b/README.md
@@ -1,21 +1,52 @@
-[![Build status][travis-image]][travis-url]
-
-[travis-image]:
-https://travis-ci.org/solana-labs/solana-program-library.svg?branch=master
-[travis-url]: https://travis-ci.org/solana-labs/solana-program-library
-
 # Solana Program Library
 
 The Solana Program Library (SPL) is a collection of on-chain programs targeting
 the [Sealevel parallel
 runtime](https://medium.com/solana-labs/sealevel-parallel-processing-thousands-of-smart-contracts-d814b378192).
 These programs are tested against Solana's implementation of Sealevel,
-solana-runtime, and deployed to its mainnet.  As others implement Sealevel, we
-will graciously accept patches to ensure the programs here are portable across
-all implementations.
+solana-runtime, and some are deployed to Mainnet Beta.  As others implement
+Sealevel, we will graciously accept patches to ensure the programs here are
+portable across all implementations.
 
 For more information see the [SPL documentation](https://spl.solana.com) and the [Token TypeDocs](https://solana-labs.github.io/solana-program-library/token/js/).
 
+## Audits
+
+Only a subset of programs within the Solana Program Library repo are deployed to
+the Solana Mainnet Beta. Currently, this includes:
+
+| Program | Last Audit Date | Version |
+| --- | --- | --- |
+| [token](https://github.com/solana-labs/solana-program-library/tree/master/token/program) | 2022-08-04 (Peer review) | [3.4.0](https://github.com/solana-labs/solana-program-library/releases/tag/token-v3.4.0) |
+| [associated-token-account](https://github.com/solana-labs/solana-program-library/tree/master/associated-token-account/program) | 2022-08-04 (Peer review) | [1.1.0](https://github.com/solana-labs/solana-program-library/releases/tag/associated-token-account-v1.1.0) |
+| [token-2022](https://github.com/solana-labs/solana-program-library/tree/master/token/program-2022) | [2022-12-05](https://github.com/solana-labs/security-audits/blob/master/spl/ZellicToken2022Audit-2022-12-05.pdf) | [0.5.0](https://github.com/solana-labs/solana-program-library/releases/tag/token-2022-v0.5.0) |
+| [governance](https://github.com/solana-labs/solana-program-library/tree/master/governance/program) | N/A | [3.1.0](https://github.com/solana-labs/solana-program-library/releases/tag/governance-v3.1.0) |
+| [stake-pool](https://github.com/solana-labs/solana-program-library/tree/master/stake-pool/program) | [2023-01-31](https://github.com/solana-labs/security-audits/blob/master/spl/NeodymeStakePoolAudit-2023-01-31.pdf) | [1.0.0]() |
+| [account-compression](https://github.com/solana-labs/solana-program-library/tree/master/account-compression/programs/account-compression) | [2022-12-05](https://github.com/solana-labs/security-audits/blob/master/spl/OtterSecAccountCompressionAudit-2022-12-03.pdf) | [0.1.3](https://github.com/solana-labs/solana-program-library/releases/tag/account-compression-v0.1.3) |
+| [shared-memory](https://github.com/solana-labs/solana-program-library/tree/master/shared-memory/program) | [2021-02-25](https://github.com/solana-labs/security-audits/blob/master/spl/KudelskiTokenSwapSharedMemAudit-2021-02-25.pdf) | [1.0.0](https://github.com/solana-labs/solana-program-library/commit/b40e0dd3fd6c0e509dc1e8dd3da0a6d609035bbd) |
+| [feature-proposal](https://github.com/solana-labs/solana-program-library/tree/master/feature-proposal/program) | Not audited | [1.0.0](https://github.com/solana-labs/solana-program-library/releases/tag/feature-proposal-v1.0.0) |
+| [name-service](https://github.com/solana-labs/solana-program-library/tree/master/name-service/program) | Not audited | [0.3.0](https://github.com/solana-labs/solana-program-library/releases/tag/name-service-v0.3.0) |
+| [memo](https://github.com/solana-labs/solana-program-library/tree/master/memo/program) | Not audited | [3.0.0](https://github.com/solana-labs/solana-program-library/releases/tag/memo-v3.0.0) |
+
+All other programs may be updated from time to time. These programs are not
+audited, so fork and deploy them at your own risk. Here is the full list of
+unaudited programs:
+
+* [binary-option](https://github.com/solana-labs/solana-program-library/tree/master/binary-option/program)
+* [binary-oracle-pair](https://github.com/solana-labs/solana-program-library/tree/master/binary-oracle-pair/program)
+* [instruction-padding](https://github.com/solana-labs/solana-program-library/tree/master/instruction-padding/program)
+* [managed-token](https://github.com/solana-labs/solana-program-library/tree/master/managed-token/program)
+* [record](https://github.com/solana-labs/solana-program-library/tree/master/record/program)
+* [stateless-asks](https://github.com/solana-labs/solana-program-library/tree/master/stateless-asks/program)
+* [token-lending](https://github.com/solana-labs/solana-program-library/tree/master/token-lending/program)
+* [token-swap](https://github.com/solana-labs/solana-program-library/tree/master/token-swap/program)
+* [token-upgrade](https://github.com/solana-labs/solana-program-library/tree/master/token-upgrade/program)
+
+More information about the repository's security policy at
+[SECURITY.md](https://github.com/solana-labs/solana-program-library/tree/master/SECURITY.md).
+
+The [security-audits repo](https://github.com/solana-labs/security-audits) contains
+all past and present program audits.
 
 ## Development
 
@@ -68,16 +99,17 @@ Integration testing may be performed via the per-project .js bindings.  See the
 [token program's js project](token/js) for an example.
 
 ### Common Issues
+
 Solutions to a few issues you might run into are mentioned here.
 
 1. `Failed to open: ../../deploy/spl_<program-name>.so`
 
     Update your Rust and Cargo to the latest versions and re-run `cargo build-sbf` in the relevant `<program-name>` directory,
     or run it at the repository root to rebuild all on-chain programs.
 
-2. [Error while loading shared libraries. (libssl.so.1.1)](https://github.com/project-serum/anchor/issues/1831)
+2. [Error while loading shared libraries. (libssl.so.1.1)](https://solana.stackexchange.com/q/3029/36)
 
-    A working solution was mentioned [here](https://github.com/project-serum/anchor/issues/1831#issuecomment-1109124934).
+    A working solution was mentioned [here](https://solana.stackexchange.com/q/3029/36).
     Install libssl.
     ```bash
     wget http://nz2.archive.ubuntu.com/ubuntu/pool/main/o/openssl/libssl1.1_1.1.1l-1ubuntu1.2_amd64.deb
@@ -110,6 +142,7 @@ $ rustup toolchain install nightly-x86_64-apple-darwin
 
 
 ## Release Process
+
 SPL programs are currently tagged and released manually. Each program is
 versioned independently of the others, with all new development occurring on
 master. Once a program is tested and deemed ready for release:
diff --git a/SECURITY.md b/SECURITY.md
@@ -42,7 +42,7 @@ for details on classes of bugs and payment amounts.
 ## Scope
 
 Only a subset of programs within the Solana Program Library repo are deployed to
-the Solana Mainnet Beta and maintained by the team. Currently, this includes:
+the Solana Mainnet Beta. Currently, this includes:
 
 * [associated-token-account](https://github.com/solana-labs/solana-program-library/tree/master/associated-token-account/program)
 * [feature-proposal](https://github.com/solana-labs/solana-program-library/tree/master/feature-proposal/program)
diff --git a/account-compression/README.md b/account-compression/README.md
@@ -29,3 +29,8 @@ With a built local SDK, the test suite can be ran with:
 1. `yarn link @solana/spl-account-compression`
 2. `yarn`
 3. `yarn test`
+
+## Audit
+
+The repository [README](https://github.com/solana-labs/solana-program-library#audits)
+contains information about program audits.
diff --git a/binary-option/README.md b/binary-option/README.md
@@ -12,6 +12,11 @@ Now suppose the Bucks win Game 3, and the estimated probability of the Bucks win
 
 We'll discuss this mechanism in more detail later.
 
+## Audit
+
+The repository [README](https://github.com/solana-labs/solana-program-library#audits)
+contains information about program audits.
+
 ## Client Setup 
 First, clone down the repository (TODO publish to PyPI)
 
diff --git a/binary-oracle-pair/README.md b/binary-oracle-pair/README.md
@@ -1,4 +1,4 @@
-Simple Oracle Pair Token
+# Simple Oracle Pair Token
 
 1. pick a deposit token
 2. pick the decider's pubkey
@@ -10,3 +10,8 @@ the mint term end slot.  After the decide term end slot the `Pass`
 token converts 1:1 with the deposit token if and only if the decider
 had set `pass` before the end of the decide term, otherwise the `Fail`
 token converts 1:1 with the deposit token.
+
+## Audit
+
+The repository [README](https://github.com/solana-labs/solana-program-library#audits)
+contains information about program audits.
diff --git a/docs/src/token-lending.md b/docs/src/token-lending.md
@@ -2,13 +2,10 @@
 title: Token-Lending Program
 ---
 
-A lending protocol for the Token program on the Solana blockchain inspired by Aave and Compound.
+A lending protocol for the Token program on the Solana blockchain inspired by
+Aave and Compound.
 
+## Audit
 
-### On-Chain Programs
-
-| Cluster | Program Address |
-| --- | --- |
-| Mainnet Beta | [`LendZqTs8gn5CTSJU1jWKhKuVpjJGom45nnwPb2AMTi`](https://explorer.solana.com/address/LendZqTs7gn5CTSJU1jWKhKuVpjJGom45nnwPb2AMTi) |
-| Testnet | [`LendZqTs8gn5CTSJU1jWKhKuVpjJGom45nnwPb2AMTi`](https://explorer.solana.com/address/LendZqTs8gn5CTSJU1jWKhKuVpjJGom45nnwPb2AMTi?cluster=testnet) |
-| Devnet | [`LendZqTs8gn5CTSJU1jWKhKuVpjJGom45nnwPb2AMTi`](https://explorer.solana.com/address/LendZqTs8gn5CTSJU1jWKhKuVpjJGom45nnwPb2AMTi?cluster=devnet) |
+The repository [README](https://github.com/solana-labs/solana-program-library#audits)
+contains information about program audits.
diff --git a/docs/src/token-swap.md b/docs/src/token-swap.md
@@ -5,25 +5,22 @@ title: Token Swap Program
 A Uniswap-like exchange for the Token program on the Solana blockchain,
 implementing multiple automated market maker (AMM) curves.
 
-## Available Deployments
+## Audit
 
+The repository [README](https://github.com/solana-labs/solana-program-library#audits)
+contains information about program audits.
 
-| Network | Version | Program Address | Fee Owner Address |
-| --- | --- | --- |
-| Devnet, Testnet | 3.0.0 | `SwapsVeCiPHMUAtzQWZw7RjsKjgCjhwU55QGu4U1Szw` | Any |
-| All | 2.0.0 | `SwaPpA9LAaLfeLi3a68M4DjnLqgtticKg6CnyNwgAC8` | `HfoTxFR1Tm6kGmWgYWD6J7YHVy1UwqSULUGVLXkJqaKN` |
+## Available Deployments
 
-The Token Swap Program was deployed to all networks by the Serum team at
-`SwaPpA9LAaLfeLi3a68M4DjnLqgtticKg6CnyNwgAC8`, requiring a fee owner of
-`HfoTxFR1Tm6kGmWgYWD6J7YHVy1UwqSULUGVLXkJqaKN`, but that version was deprecated
-in the middle of 2021.  Though that program still exists, it is not actively
-maintained.
+| Network | Version | Program Address |
+| --- | --- | --- |
+| Testnet | 3.0.0 | `SwapsVeCiPHMUAtzQWZw7RjsKjgCjhwU55QGu4U1Szw` |
+| Devnet | 3.0.0 | `SwapsVeCiPHMUAtzQWZw7RjsKjgCjhwU55QGu4U1Szw` |
 
-For devnet and testnet, please use the maintained deployment at
-`SwapsVeCiPHMUAtzQWZw7RjsKjgCjhwU55QGu4U1Szw`, and for mainnet, please use any
-other AMM project on Solana. Almost all of these were based on Token Swap!
+While third-party deployments of token-swap exist on Mainnet Beta, the team has
+no plans to deploy it themselves.
 
-Check out
+Check out the
 [program repository](https://github.com/solana-labs/solana-program-library/tree/master/token-swap)
 for more developer information.
 
@@ -66,8 +63,7 @@ bindings](https://github.com/solana-labs/solana-program-library/blob/master/toke
 are available that support loading the Token Swap Program on to a chain and
 issuing instructions.
 
-Example user interface built and maintained by Serum team is available
-[here](https://github.com/project-serum/oyster-swap)
+Example user interface is available [here](https://github.com/solana-labs/oyster-swap).
 
 ## Operational overview
 
diff --git a/docs/src/token-upgrade.md b/docs/src/token-upgrade.md
@@ -8,6 +8,11 @@ tokens from one mint to another.
 The program provides a simple mechanism for burning the original tokens and receiving
 an equal number of new tokens from an escrow account controlled by the program.
 
+## Audit
+
+The repository [README](https://github.com/solana-labs/solana-program-library#audits)
+contains information about program audits.
+
 ## Background
 
 Token-2022 contains many new features for mint owners to customize the behavior
diff --git a/examples/c/README.md b/examples/c/README.md
@@ -19,4 +19,9 @@ To build the examples and run the tests:
 
 ```bash
 $ make
-```
+```
+
+## Audit
+
+The repository [README](https://github.com/solana-labs/solana-program-library#audits)
+contains information about program audits.
diff --git a/examples/rust/README.md b/examples/rust/README.md
@@ -8,3 +8,8 @@ with a live cluster.
 
 The root [README](../../README.md) gives instructions on how to build and test
 these examples.
+
+## Audit
+
+The repository [README](https://github.com/solana-labs/solana-program-library#audits)
+contains information about program audits.
diff --git a/farms/docs/intro.md b/farms/docs/intro.md
@@ -16,6 +16,11 @@ This source code is an example that third parties can utilize to create and use
 
 To quickly build, test and deploy Solana Farms and try it out in action, please follow the [Quick Start](https://github.com/solana-labs/solana-program-library/blob/master/farms/docs/quick_start.md) guide.
 
+## Audit
+
+The repository [README](https://github.com/solana-labs/solana-program-library#audits)
+contains information about program audits.
+
 ## Dive in
 
 If you want to learn more about the tools and building blocks of the Solana Farms suite, follow the links below:
diff --git a/governance/README.md b/governance/README.md
@@ -197,3 +197,8 @@ the DAO until the token is distributed.
 ### Proposal Workflow
 
 ![Proposal Workflow](./resources/governance-workflow.jpg)
+
+## Audit
+
+The repository [README](https://github.com/solana-labs/solana-program-library#audits)
+contains information about program audits.
diff --git a/instruction-padding/program/README.md b/instruction-padding/program/README.md
@@ -22,3 +22,8 @@ all large transaction tests, and comparing TPS numbers between:
 
 * using the program with no padding
 * using the program with data and account padding
+
+## Audit
+
+The repository [README](https://github.com/solana-labs/solana-program-library#audits)
+contains information about program audits.
diff --git a/libraries/math/README.md b/libraries/math/README.md
@@ -0,0 +1,8 @@
+# Math
+
+Library with utilities for on-chain math.
+
+## Audit
+
+The repository [README](https://github.com/solana-labs/solana-program-library#audits)
+contains information about program audits.
diff --git a/managed-token/README.md b/managed-token/README.md
@@ -0,0 +1,10 @@
+# Managed Token
+
+On-chain program for "managed tokens", SPL tokens that are perpetually frozen,
+and must be used through this program, which will thaw the account, perform an
+instruction, and re-freeze the account.
+
+## Audit
+
+The repository [README](https://github.com/solana-labs/solana-program-library#audits)
+contains information about program audits.
diff --git a/memo/README.md b/memo/README.md
@@ -7,3 +7,8 @@ record a string on-chain, stored in the instruction data of a successful
 transaction, and optionally verify the originator.
 
 Full documentation is available at https://spl.solana.com/memo
+
+## Audit
+
+The repository [README](https://github.com/solana-labs/solana-program-library#audits)
+contains information about program audits.
diff --git a/name-service/README.md b/name-service/README.md
@@ -8,4 +8,9 @@ utilize to create and use their own version of a name service of any kind.
 
 Full documentation is available at https://spl.solana.com/name-service
 
-JavaScript binding are available in the `./js` directory.
+JavaScript binding are available in the `./js` directory.
+
+## Audit
+
+The repository [README](https://github.com/solana-labs/solana-program-library#audits)
+contains information about program audits.
diff --git a/name-service/js/src/utils.ts b/name-service/js/src/utils.ts
@@ -132,7 +132,6 @@ export async function getNameOwner(
   return NameRegistryState.retrieve(connection, nameAccountKey);
 }
 
-//Taken from Serum
 export async function getFilteredProgramAccounts(
   connection: Connection,
   programId: PublicKey,
diff --git a/record/program/README.md b/record/program/README.md
@@ -0,0 +1,9 @@
+# Record
+
+On-chain program for writing arbitrary data to an account, authorized by an
+owner of the account.
+
+## Audit
+
+The repository [README](https://github.com/solana-labs/solana-program-library#audits)
+contains information about program audits.
diff --git a/shared-memory/README.md b/shared-memory/README.md
@@ -4,3 +4,8 @@ A shared-memory program on the Solana blockchain, usable for sharing data
 between programs or within cross-program invocations.
 
 Full documentation is available at https://spl.solana.com/shared-memory
+
+## Audit
+
+The repository [README](https://github.com/solana-labs/solana-program-library#audits)
+contains information about program audits.
diff --git a/stake-pool/README.md b/stake-pool/README.md
@@ -7,3 +7,8 @@ The command-line interface tool is available in the `./cli` directory.
 Javascript bindings are available in the `./js` directory.
 
 Python bindings are available in the `./py` directory.
+
+## Audit
+
+The repository [README](https://github.com/solana-labs/solana-program-library#audits)
+contains information about program audits.
diff --git a/stateless-asks/README.md b/stateless-asks/README.md
@@ -1,22 +1,27 @@
 # Stateless Offer
 
- Simple program to make token offers to any bidder that can satisfy
- the constraints.
+Simple program to make token offers to any bidder that can satisfy
+the constraints.
 
- This program is stateless.  It is up to the maker to advertise.  It
- uses the PDA as a one way hash of the offer that the maker wants
- to create.  The maker then only needs to approve their token to the
- PDA address for the taker to receive the items.  The maker doesn't
- need to be online to complete the transaction, but needs to advertise
- the offer off-chain.
+This program is stateless.  It is up to the maker to advertise.  It
+uses the PDA as a one way hash of the offer that the maker wants
+to create.  The maker then only needs to approve their token to the
+PDA address for the taker to receive the items.  The maker doesn't
+need to be online to complete the transaction, but needs to advertise
+the offer off-chain.
 
- ## Maker
- 1. compute the offer PDA
- 2. approve the token delegation for the amount to the PDA
- 3. publish the offer off-chain
+## Maker
+1. compute the offer PDA
+2. approve the token delegation for the amount to the PDA
+3. publish the offer off-chain
 
- ## Taker
- 1. Create the offer TX
- 2. Submit the TX to the stateless-offer program
+## Taker
+1. Create the offer TX
+2. Submit the TX to the stateless-offer program
 
- To cancel, the maker simply needs to cancel the delegation.
+To cancel, the maker simply needs to cancel the delegation.
+
+## Audit
+
+The repository [README](https://github.com/solana-labs/solana-program-library#audits)
+contains information about program audits.
diff --git a/token-lending/README.md b/token-lending/README.md
diff --git a/token-lending/program/src/pyth.rs b/token-lending/program/src/pyth.rs
diff --git a/token-swap/README.md b/token-swap/README.md
diff --git a/token-swap/proposals/DynamicMarketMaking.md b/token-swap/proposals/DynamicMarketMaking.md
diff --git a/token-upgrade/README.md b/token-upgrade/README.md
diff --git a/token/README.md b/token/README.md
