Jito
Multi-product Solana protocol operating the largest Solana LST (JitoSOL, MEV-enhanced liquid staking), the Jito-Solana MEV validator client (~90%+ Solana stake), the Jito StakeNet decentralized stake pool manager, the Jito (Re)Staking primitive (VRT-based restaking for Solana), and the Jito TipRouter NCN (programmatic MEV tip distribution via on-chain consensus). JTO is the governance token (Realms DAO). Primary TVS sink is JitoSOL staked SOL.
Deployments: Solana · $877.4M
Risk profile at a glance
0 red · 2 yellow · 11 green
Categories & evidence
184 factors · 13 categories
Code & audits Green 8 25 of 25
RD-F-001 yellow Audit scope mismatch Each program cluster has audits referencing explicit commit SHAs (Steward f4ea93a, Validator History fc34c25, Restaking f04242f/ecbe19a/3fdcd88, TipRouter ac76352/443368a). No public mismatch identified, but Solana BPF bytecode-to-commit verification tooling (solana-verify) is not Etherscan-equivalent; confirmation is medium confidence.
RD-F-003 yellow Resolved-without-proof findings Certora Restaking V2 identified 5 high, 3 medium, 2 low findings. Immunefi audit competition ran concurrently/after (Nov–Dec 2024), suggesting material findings were addressed before public launch. PDFs inaccessible for finding-by-finding resolution verification. No post-mortem suggests unresolved high/critical findings.
RD-F-007 yellow Bug bounty presence & max payout Immunefi program active since 2024-08-28, max $250,000 (critical). Managed by Asymmetric Research. $250K is above the $50K yellow floor but below the $500K green threshold per methodology. Total ecosystem bounty surface (main + BAM $100K + $150K competition) is substantial. Scored yellow strictly per methodology threshold.
RD-F-009 yellow Formal verification coverage Certora formal verification on Restaking+Vault (Oct 2024 + Dec 2024) and TipRouter NCN (Jan 2025). Covers restaking invariants (zero-supply VRT ratio, token validation, PDA verification). No FV coverage for StakeNet Steward or SPL Stake Pool. Partial coverage = yellow.
RD-F-010 gray Static-analyzer high-severity count Slither/Mythril/Semgrep are EVM tools and cannot analyze Solana BPF programs. No cargo-audit or Clippy report is publicly available. Audit findings from OtterSec/Certora/Offside serve as proxies but cannot be mapped to a 'high-severity static-analyzer count.' Marked gray per methodology: source tooling not applicable.
RD-F-011 n/a SELFDESTRUCT reachable from non-admin path SELFDESTRUCT is an EVM opcode. Solana BPF programs have no equivalent. The primary $877M TVS is in Solana programs, not EVM contracts.
RD-F-012 n/a delegatecall with user-controlled target The EVM delegatecall opcode does not exist in the Solana BPF instruction set. Solana CPI is not context-inheriting. Not applicable.
RD-F-015 n/a ERC-777/1155/721 hook without reentrancy guard ERC-777/1155/721 are EVM token standards. Solana uses SPL Token with no callback hooks. Not applicable to Jito's Solana programs.
RD-F-019 n/a ecrecover zero-address return unchecked ecrecover is an EVM precompile. Solana uses Ed25519 signature verification (binary valid/invalid). Not applicable to Solana programs.
RD-F-020 n/a EIP-712 domain separator missing chainId EIP-712 is an EVM standard. Solana programs do not use EIP-712 domain separators. Not applicable.
RD-F-021 n/a UUPS _authorizeUpgrade correctly permissioned UUPS is an EVM proxy pattern. Solana uses the BPF upgradeable loader for program upgrades, not an in-program _authorizeUpgrade function. Not applicable as a code pattern.
RD-F-023 n/a Constructor calls _disableInitializers() _disableInitializers() is an OZ EVM pattern for proxy implementation contracts. Solana programs have no equivalent proxy architecture. Not applicable.
RD-F-002 green Audit recency Most recent Jito-authored program audit: Certora TipRouter 2025-01-05 (~115 days). Certora Restaking follow-up 2024-12-23 (~128 days). OtterSec ongoing per-release reviews for jito-solana validator client. All within 365-day green threshold for Jito-controlled programs.
RD-F-004 green Audit count 5 distinct audit firms: OtterSec (5 engagements), Neodyme (1), Halborn (1), Offside Labs (2), Certora (3). Well above ≥2 firm green threshold.
RD-F-005 green Audit firm tier OtterSec (Tier-1 Solana), Neodyme (Tier-1), Certora (Tier-1 FV). Halborn (Tier-2), Offside Labs (Tier-2 Solana). At minimum three Tier-1-equivalent firms engaged across Jito's program surface.
RD-F-006 green Audit-to-deploy gap Certora TipRouter audit completed 2025-01-05; TipRouter launched in production early 2025. OtterSec Steward audit 2024-07-29; Steward transitioned July 2024. No >180-day gap identified between audit sign-off and deployment for any program cluster.
RD-F-008 green Ignored bounty disclosure No security exploits have targeted Jito's on-chain programs. Rekt leaderboard: 0 incidents. DeFiLlama hacks: 0. SECURITY.md in jito-programs and jito-solana references Immunefi as disclosure channel. No post-mortem evidence of an ignored disclosure.
RD-F-013 green Arbitrary call with user-controlled target Equivalent Solana concern (unchecked arbitrary CPI) is mitigated by Anchor 0.31.1's account ownership/discriminator checks. Offside found and resolved 'Incorrect PDA Validation in CooldownVaultNcnTicket Instruction.' No unmitigated arbitrary-CPI finding in published audit summaries.
RD-F-014 green Reentrancy guard on external-calling functions Solana runtime enforces max CPI depth 4 and account ownership rules, making reentrancy structurally infeasible. Certora formal verification covers state consistency invariants for restaking programs. No reentrancy finding in any published audit.
RD-F-016 green Divide-before-multiply pattern Rust integer arithmetic uses checked_mul/checked_div with u128 intermediates. Anchor framework uses safe math. Certora FV covers arithmetic invariants (VRT ratio, unstaking calc). No divide-before-multiply finding in any audit summary.
RD-F-017 green Mixed-decimals math without explicit scaling JitoSOL stake pool uses SOL (9 decimals) exclusively. Restaking VRTs are SOL-denominated. No cross-decimal arithmetic path exists in core programs. Single decimal domain eliminates mixed-decimal risk.
RD-F-018 green Signed/unsigned arithmetic confusion Rust's type system enforces signed/unsigned separation at compile time. Implicit i64/u64 casts generate Clippy warnings. Certora FV covers arithmetic invariants. No signed/unsigned confusion finding in any published audit.
RD-F-022 green Public initialize() without initializer modifier Anchor programs use #[account(init)] constraints enforced at the runtime level — an account can only be initialized once (discriminator + non-zero lamports rejects re-init). No initialize() vulnerability class exists on Solana. No such finding in any of the five published audit reports.
RD-F-024 green Code complexity vs audit coverage Restaking+Vault: ~14,000 LOC, audited by OtterSec + Offside + Certora (3 firms, multiple weeks of coverage). TipRouter: Certora FV + Offside. Steward: OtterSec. Coverage depth is proportional to codebase size; no auditor expressed scope concerns.
RD-F-183 green Bug bounty scope gap on highest-TVL contracts Immunefi Jito bounty (8 assets in scope) explicitly covers the 'Interceptor (SPL Stake Pool LST program)' — the primary $877M TVS surface. StakeNet Steward, Validator History, Restaking, Vault, Tip Payment/Distribution, Jito-Solana validator client are all in scope. The upstream canonical SPL Stake Pool program itself has Solana Foundation security coverage. No highest-TVL contract identified as out of scope.
Governance & admin Green 13 24 of 24
RD-F-026 yellow Upgrade multisig signer configuration (M/N) Squads multisig at 4ivLcnNLhe4cKdpV9b4jyEmxgbYWFgktHcTyyBvYavsD has 'at least 4 signers' per Squads blog. Exact M/N threshold and signer identities not publicly disclosed; team deliberately withholds this per JIP-14 discussion, citing targeted attack risk. Cannot confirm threshold adequacy for $877M TVL.
RD-F-028 yellow Low-threshold multisig vs TVL [★] Squads multisig confirmed with 'at least 4 signers' but exact M/N unknown. At $877M TVL, peer-cohort norm is 4/7 or 5/9. Signer identities undisclosed. Cannot confirm threshold adequacy. Effective threshold risk is unknown but not confirmed low.
RD-F-032 yellow Timelock duration on upgrades No standalone on-chain TimelockController identified. SPL Governance has a 2-day delay period post-vote before on-chain execution. Squads V4 has an optional timelock feature but Jito's configuration is not confirmed publicly. Emergency Security Council actions explicitly bypass DAO vote procedure. 2-day delay for standard DAO proposals; no delay for emergency paths.
RD-F-033 yellow Timelock on sensitive actions DAO proposals: 2-day delay period after vote before on-chain execution. Program upgrades via Squads: no confirmed timelock beyond multi-party signing requirement. Steward pause: no timelock (immediate). Emergency Security Council actions explicitly bypass DAO procedures. Mixed — standard DAO proposals timelocked (48h), emergency paths not.
RD-F-035 yellow Role separation: upgrade ≠ fee ≠ oracle Program upgrades: Squads multisig PDA. Stake pool fee params: Squads multisig (same address). Merkle upload (tip distribution): separate key 8F4jGUmxF36vQ6yabnsxX6AQVXdKBhs8kGSUuRKSg8Xt. TipRouter NCN: programmatic post-transition. Partial role separation — upgrade and fee management may share the same Squads multisig, but merkle authority is separate. Not fully separated across all roles.
RD-F-041 yellow Rescue/emergencyWithdraw without timelock [★] No EVM-style rescue/emergencyWithdraw exists (Solana program model differs). However: (a) StakeNet Steward admin can immediately pause the state machine without timelock; (b) Foundation Directors can execute off-chain JIPs without full DAO vote in emergencies; (c) Squads multisig signers can execute program upgrades without a confirmed on-chain timelock if the Squads timelock feature is not configured. These admin power paths lack a confirmed on-chain timelock.
RD-F-046 yellow Contract unverified on Etherscan/Sourcify [★] On-chain programs: open source and verified via solana-verify against GitHub release commits — green baseline. Yellow due to: (a) March 2024 unilateral mempool disable by Jito Labs without DAO vote — discretionary admin action over the off-chain block engine; (b) Jito-Solana validator client (off-chain binary on ~90% of Solana stake) is not verifiable on any explorer. The off-chain MEV infrastructure represents significant unverifiable discretionary admin power. JIP-4 authorized subsequent validator blacklisting but did not retroactively ratify the mempool disable itself.
RD-F-047 yellow Governance token concentration (Gini) Token distribution at launch: ~24.5% core contributors (3-year vest, 1-year cliff), ~16.2% investors, ~25% Foundation, ~24.3% DAO treasury, ~10% airdrop. Investors+team+Foundation hold ~65.7% combined. Quorum reduced from 30M to 10M JTO, indicating low retail participation. Concentration is moderately high but the DAO treasury (24.3%) is community-controlled. No Gini coefficient found.
RD-F-029 gray Multisig signers co-hosted Signer identities and addresses not publicly disclosed. Cannot assess co-hosting. Data gap.
RD-F-030 gray Hot-wallet signer flag Signer addresses not publicly disclosed. Cannot assess hot-wallet behavior. Data gap.
RD-F-044 gray Admin wallet interacts with flagged addresses Squads multisig vault PDA is the upgrade authority; individual signer addresses not publicly disclosed. Cannot assess signer interaction with flagged addresses. Data gap.
RD-F-045 gray Constructor args match governance proposal Solana programs do not use EVM-style constructor args. Deployment configurations are set via admin instructions post-deploy. JIP proposals describe intended parameters, but on-chain verification of all parameters against all proposals is not assessable from available evidence.
RD-F-025 green Admin key custody type Admin key custody is hybrid: Squads multisig PDA for program upgrades and stake pool manager; JTO DAO (Realms SPL Governance) for protocol-level decisions; Foundation Directors for off-chain/operational decisions. Not a single EOA.
RD-F-027 green Single admin EOA [★] Program upgrade authority 4ivLcnNLhe4cKdpV9b4jyEmxgbYWFgktHcTyyBvYavsD is a Squads multisig vault PDA, not a single EOA. Stake pool manager key also held in Squads multisig. Not a single admin EOA.
RD-F-031 green Signer rotation recency JIP-19 proposed expanding Security Council from 6 to 7 members maintaining 4-member threshold (expansion, not reduction). JIP-14 sought 12-month reaffirmation (Feb 2025). No threshold-reduction event documented (contrast Drift $285M pattern). Most recent change was an expansion (6 to 7 seats).
RD-F-034 green Guardian/pause-keeper distinct from upgrader Security Council holds emergency veto/action authority distinct from the Squads upgrade multisig. Steward program has its own admin for pause/unpause. These roles are functionally distinct from program upgrade authority.
RD-F-036 green Flash-loanable voting weight [★] Not flash-loanable. SPL Governance requires JTO deposit into Realm prior to voting (creates TokenOwnerRecord). Voting power determined by deposited balance, not live balance. Flash-loan acquisition of JTO post-proposal-creation cannot affect existing vote weight.
RD-F-037 green Quorum achievable via single-entity flash loan Flash loan quorum attack not achievable due to SPL Governance deposit requirement (see F036). Quorum is 10M JTO (reduced from 30M). Deposit requirement means flash-loan-acquired JTO cannot be used for a governance quorum attack.
RD-F-038 green Proposal execution delay < 24h DAO proposals have a 2-day delay period after vote before on-chain execution. This is ≥ 24h. Emergency Security Council actions can bypass this, but standard DAO proposals meet the 24h threshold.
RD-F-039 green delegatecall/call in proposal execution without allowlist [★] Solana does not have delegatecall (EVM construct). SPL Governance proposals execute instructions only through the Governance PDA's derived authority — they cannot target arbitrary programs. The SPL governance model provides an inherent authority-scope allowlist: 'a Proposal can only use the Program Derived Address authority given by the Governance account.'
RD-F-040 green Emergency-veto multisig present Security Council (4-of-7 per JIP-19) holds emergency veto authority over JIPs and can implement emergency proposals bypassing ordinary DAO procedures. Veto right on JIPs violating Constitution/Bylaws. Emergency-veto multisig exists.
RD-F-042 green Admin has mint() with unlimited max [★] JTO has fixed total supply of 1,000,000,000 tokens. Airdrop completed December 2023. No admin-callable mint function with unlimited max documented. JitoSOL minting is proportional to SOL deposits under SPL stake pool mechanics — not admin-discretionary.
RD-F-043 green Admin = deployer EOA after 7 days [★] Programs deployed with Squads multisig as upgrade authority from launch — not a deployer EOA. Squads blog confirms Jito's 'first use of Squads is to secure the stake pool manager of JitoSOL.' Transfer to multisig predated 7-day window by design.
RD-F-167 green Deprecated contract paused but pause reversible by live admin No deprecated contracts with live TVL identified. StakeNet Steward transition (July 2024) replaced prior stake pool manager key cleanly — prior manager key no longer holds authority. No deprecated program surfaces holding material user funds documented.
Oracle & external dependencies Yellow 21 17 of 17
RD-F-050 yellow Dependency graph (protocols depended upon) Dependency graph assembled. Solana core depends on: (1) SPL Stake Pool program (audited by OtterSec Jan 2023); (2) Solana validator network (269 validators); (3) Agave runtime. EVM surface adds a Wormhole infrastructure dependency. Yellow because the Wormhole guardian quorum (13-of-19) is an external dependency that, if compromised, enables a forged cross-chain rate for downstream EVM lending markets. Solana core dependency graph is clean.
RD-F-051 yellow Fallback behavior on oracle failure Solana core: no oracle to fail (intrinsic). Arbitrum StakePoolRate: staleness revert present (allowedRateStaleness immutable threshold) but no secondary oracle fallback. If the updater service is offline, getRate() reverts — EVM consumers halt JitoSOL borrowing. No documented fallback oracle or secondary source for the cross-chain rate relay.
RD-F-052 yellow Breakage analysis per dependency Breakage analysis: (1) Solana runtime halt blocks $877M. (2) SPL Stake Pool bug = catastrophic accounting risk. (3) Wormhole guardian quorum compromise = forged Arbitrum rate, downstream EVM lending exploitable. (4) Jito updater service offline = Arbitrum rate stale, EVM JitoSOL lending freezes. Core Solana TVS is safe from EVM bridge failures — the bridge is a small wrapper, not a liquidity bridge.
RD-F-057 yellow Circuit breaker on price deviation No circuit breaker on price deviation identified in StakePoolRate.sol. The contract implements staleness checks but not a deviation-threshold halt. Solana core needs no circuit breaker. Yellow for EVM surface: no deviation circuit breaker on the cross-chain rate relay.
RD-F-058 yellow Max-deviation threshold (bps) No deviation threshold configured — no circuit breaker present (F057 yellow). Max-deviation threshold factor is not configured. Yellow consistent with F057.
RD-F-062 yellow External keeper/relayer not redundant Jito Foundation operates the jitosol-wormhole-updater service as the sole updater for the Arbitrum StakePoolRate oracle. Single-operator off-chain relayer with no documented redundancy or failover. If offline, the Arbitrum oracle goes stale and EVM lending markets halt JitoSOL borrowing (staleness revert protection). Solana core has no keeper dependency.
RD-F-180 yellow Immutable oracle address [★ F180 CRITICAL — T-12 PD-017 tracking] YELLOW. StakePoolRate at 0x8aa73ec870dc4a0af6b471937682a8fc3b8a21f8 is immutable: constructor params (Wormhole address, stakePoolAccount, staleness thresholds) are stored immutably, with no admin-replaceable wrapper. Repository describes it as 'an immutable QueryResponse processor.' Downstream EVM consumers (Aave, Morpho) have hardcoded this address. Not RED because: (a) Jito is the oracle source, not a consumer; (b) failure requires a 13-of-19 Wormhole guardian compromise; (c) the underlying rate is intrinsic stake pool state, not a depeggable third-party asset. Rated YELLOW — operational inflexibility and no upgrade path. Orchestrator must log for T-14 post-launch promotion tracking.
RD-F-054 n/a TWAP window duration No TWAP oracle used. JitoSOL redemption rate is an intrinsic on-chain calculation. TWAP window duration measurement is not applicable.
RD-F-055 n/a Oracle pool depth (USD) No DEX pool oracle used. Oracle pool depth measurement is not applicable for Jito.
RD-F-056 n/a Single-pool oracle (no medianization) No pool-based oracle used. Single-pool oracle / medianization factor is not applicable.
RD-F-060 n/a Chainlink aggregator min/max bound misconfig No Chainlink feed used in the core Jito protocol. Chainlink aggregator min/max bound misconfig factor is not applicable.
RD-F-061 n/a LP token balanceOf used for pricing No LP token balanceOf pricing used. Factor not applicable to Jito's LST architecture.
RD-F-181 n/a Permissionless-pool lending oracle Jito does not operate a lending protocol. Permissionless-pool lending oracle / isolation-tier config factor is not applicable. JitoSOL is used as collateral in external lending protocols — their oracle configuration is their own risk.
RD-F-048 green Oracle providers used JitoSOL Solana core: no external oracle used. Exchange rate is on-chain stake pool accounting (totalActiveStake / poolTokenSupply). Arbitrum StakePoolRate: Wormhole Queries cross-chain read from Solana state, operated by Jito Foundation. No Chainlink, Pyth, or DEX-TWAP used anywhere in core protocol.
RD-F-049 green Oracle role per asset JitoSOL redemption: Solana-native stake pool state (primary, intrinsic — no secondary/fallback needed). Arbitrum StakePoolRate: primary cross-chain rate for EVM consumers (Jito-operated, no fallback oracle). Oracle role map is clear and appropriate for each asset/chain.
RD-F-053 green Oracle source = spot DEX pool (no TWAP) [★ CRITICAL] GREEN. JitoSOL does not use any DEX spot price feed for redemption pricing. Exchange rate = totalActiveStake / poolTokenSupply, a deterministic on-chain calculation from Solana native program state. No spot pool oracle anywhere in core protocol. F053 critical factor: green.
RD-F-059 green Oracle staleness check present Staleness check present in StakePoolRate.sol: validateBlockTime() called against both allowedUpdateStaleness (for updatePool() calls) and allowedRateStaleness (for getRate() calls). Both are immutable thresholds set at deployment. If stale, getRate() reverts — consuming protocols receive revert rather than stale data.
Economic risk Yellow 33 13 of 13
RD-F-063 yellow TVL (current + 30d trend) TVL $877M as of 2026-04-29, 100% Solana, 100% staked SOL. Significant negative trend: -22.2% 7-day, -70.5% 90-day from ~$3.57B. TVL is genuine staked SOL — no circular leverage or inflated figures. Decline driven by SOL-USD price compression and separation of restaking TVL to the jito-restaking slug. Marked yellow rather than red because: (a) absolute TVL remains above the $100M threshold for A-grade eligibility; (b) decline is correlated with SOL price, not protocol-specific outflows indicating a loss-of-confidence event; (c) protocol is operational with 10.4M SOL staked across 269 validators at epoch 964.
RD-F-065 yellow Liquidity depth per major asset JitoSOL secondary market liquidity estimated at ~$1.1B across Solana DEXes (Jupiter routing). No precise 2%/5% slippage depth figure retrievable (Dune Analytics 403; no EVM subgraph for Solana). Instant unstake via DEX swap is the primary liquidity path; native delayed unstake adds a ~2-day (1 epoch) delay with a 0.1% fee. Yellow because: (a) depth is not independently verified at the 2%/5% slippage level; (b) secondary market depth is highly correlated with SOL price and compresses during drawdowns; (c) during the March 2024 mempool suspension event, MEV yield compression would have reduced holding incentive and potentially widened bid-ask on JitoSOL/SOL pairs. JitoSOL has not had a documented material secondary-market depeg relative to NAV.
RD-F-064 gray TVL concentration (top-10 wallet share) Top-10 JitoSOL holder wallet share not assessable via WebFetch. Dune Analytics returns 403. Partial qualitative evidence: 192,000+ JitoSOL holders (StakePoint March 2026); institutional protocols using JitoSOL as collateral (Kamino, Marginfi) likely concentrate top holdings. On-chain Solana RPC enumeration required for a quantitative finding. Marked gray — factor applies but data is unavailable within assessment scope.
RD-F-066 n/a Utilization rate (lending protocols) Jito is an LST/stake pool, not a lending protocol. No borrow/supply markets exist. Data cache confirms borrow.present: false. Taxonomy PD-024 designates F066 as lending-only.
RD-F-067 n/a Historical bad-debt events No lending markets; no bad debt concept at the stake pool layer. Solana has no slashing mechanism, so validator failure does not produce socialized loss at the pool level. Data cache hacks: [] confirms no documented loss events. Taxonomy PD-024 designates F067 as lending-only.
RD-F-068 n/a Collateralization under stress No leverage or partial-collateral design. JitoSOL is a 1:1 SOL-backed stake pool token (pool token value = total active stake / token supply = 1.276 SOL per JitoSOL at epoch 964). No collateralization ratio exists. Taxonomy PD-024 designates F068 as lending-only.
RD-F-069 n/a Algorithmic / under-collateralized stablecoin JitoSOL is a liquid staking token, not a stablecoin. It does not maintain a fixed peg; its value accretes with staking + MEV rewards relative to SOL. Terra/Luna-class algorithmic-stablecoin risk does not apply. The novel risk of MEV yield volatility (1.2-1.8% APY premium that can collapse on operational/governance decisions) is noted but does not fit the F069 taxonomy definition. Taxonomy PD-024 designates F069 as lending-only.
RD-F-070 n/a Empty cToken-style market (zero supply/borrow) [★ CRITICAL — NOT APPLICABLE] Jito is not a Compound V2 fork. No cToken-style markets, no permissionless market listing, no share-inflation donation attack surface. SPL stake pool architecture uses aggregate-stake/token-supply accounting managed by the on-chain SPL program. Taxonomy PD-024 explicitly designates F070 as Compound-fork-only and N/A for all other protocols. The upstream SPL stake pool was audited by OtterSec (2023-01-20) specifically for token accounting vulnerabilities.
RD-F-071 n/a Seed-deposit requirement for new market listing No market listing mechanism in stake pool architecture. Validator admission is governed by the StakeNet Steward Program (algorithmic performance-based selection), not a user-triggered market listing with a seed deposit requirement. Taxonomy PD-024 designates F071 as lending-only.
RD-F-072 n/a Market-listing governance threshold No permissionless market listing threshold. Validator set management is algorithmic via StakeNet Steward, not a governance-gated market listing. Taxonomy PD-024 designates F072 as lending-only.
RD-F-073 n/a Oracle-manipulation-proof borrow cap No borrow markets; no oracle-manipulation-proof borrow cap concept applies. Taxonomy PD-024 designates F073 as lending-only.
RD-F-074 n/a ERC-4626 virtual-share offset (OZ ≥4.9) Jito is non-EVM (Solana). No ERC-4626 contracts. JitoSOL share accounting is the SPL stake pool program (Rust/BPF), not OpenZeppelin ERC-4626. Virtual-share offset pattern not applicable. Taxonomy PD-024 designates F074 as lending-only; non_evm_substrate flag confirmed in data cache.
RD-F-075 n/a First-depositor / share-inflation guard SPL stake pool does not use ERC-4626-style share minting. No first-depositor share-inflation attack vector in the SPL stake pool design. Pool exchange rate = total_active_stake / token_supply, accumulated monotonically. OtterSec January 2023 audit of the SPL stake pool covered token accounting including first-depositor patterns. Non-EVM substrate; taxonomy PD-024 designates F075 as lending-only.
Operational history Green 7 15 of 15
RD-F-084 yellow TVL stability (CoV over 90d) Current TVL $877M (data cache 2026-04-29); 30d change -13.98%. Broader decline from ~$3.75B peak (Jan 2025) to $877M (Apr 2026) — ~77% USD decline in 15 months, primarily SOL price compression and Solana DeFi TVL contraction. CoV estimated in the 0.15–0.35 yellow range based on directional signal. Exact 90-day CoV not computed (granular daily series not fetched). Market-driven volatility, not protocol-specific instability.
RD-F-078 n/a Chronic-exploit flag (≥3 incidents) 0 incidents. Chronic flag (≥3 exploits) does not fire. CHRONIC badge does not apply. [v1-deferred Pass 3]
RD-F-079 n/a Same-root-cause repeat exploit 0 incidents. Same-root-cause repeat exploit is impossible with 0 prior incidents. [v1-deferred Pass 3]
RD-F-080 n/a Days since last exploit No prior exploits. Green threshold condition 'no incidents' is satisfied. [v1-deferred Pass 3]
RD-F-081 gray Post-exploit response score No prior smart-contract exploits. Post-exploit response score is N/A (no incidents to score). Two operational events exist (Nov 2024 block engine outage ~1.5h; Mar 2024 mempool disable) but neither involved on-chain fund loss or constitutes a smart-contract exploit. Gray per methodology: no incidents.
RD-F-082 gray Post-mortem published within 30 days No prior smart-contract exploits; no post-mortem obligation has arisen. Gray = N/A. Note: Jito stated a 'detailed technical post-mortem will follow' for the Nov 2024 block engine outage, but no published document was confirmed as of 2026-04-29.
RD-F-083 gray Auditor re-engaged after last exploit No prior exploits; no post-exploit re-audit obligation has arisen. Gray = N/A. Jito does proactively engage auditors (OtterSec per-release reviews; Certora FV; Neodyme; Halborn; Offside), but this is pre-emptive, not post-exploit.
RD-F-085 gray Incident response time (minutes) P2 factor. No prior smart-contract exploits; no incident response time to measure. For the Nov 2024 block engine outage (off-chain infra), Jito responded on X within minutes — good response posture, but out of scope for this factor, which targets smart-contract exploit response.
RD-F-086 gray Pause activations (trailing 12 months) Jito is a Solana BPF program suite. No EVM-style Paused/Unpaused event mechanism exists. The Mar 2024 mempool disable was an off-chain block engine admin action (Jito Labs configuration change), not an on-chain program pause. No on-chain pause events identified in the trailing 12 months. Gray = no on-chain pause mechanism applicable to this protocol on Solana.
RD-F-087 gray Pause > 7 consecutive days No on-chain pause mechanism applicable. Same reasoning as RD-F-086. Solana BPF program architecture does not implement EVM-style consecutive pause tracking. Gray = no pause events in last 12 months (methodology gray condition).
RD-F-089 gray Insurance coverage active No active insurance coverage found on Nexus Mutual, Unslashed, Sherlock, or equivalent for JitoSOL. Web search for 'JitoSOL Nexus Mutual Sherlock insurance' returned no confirming results. Immunefi is a bug bounty program, not smart-contract insurance. Gray = no coverage identified; exhaustive cross-provider check not completed.
RD-F-076 green Protocol age (days) 1,276 days since JitoSOL mainnet launch (2022-10-31). Exceeds 365-day green threshold by 3.5x. Protocol live ~42 months on Solana mainnet. Well above any A-grade age floor.
RD-F-077 green Prior exploit count 0 prior smart-contract exploits. Hacksdatabase grep returned 0 files matching 'jito'. DefiLlama hacks API in data cache: empty array. Rekt.news: no Jito entries. Web search for 'Jito exploit hack 2022-2025': no exploit articles found. Jito tokens appeared as stolen assets in the Drift Protocol incident but Jito was not the victim protocol.
RD-F-088 green Re-deployed to new addresses in last year No full redeployment of core JitoSOL stake pool or tip programs to new addresses in trailing 12 months (Apr 2025 – Apr 2026). TipRouter NCN (Jan 2025) and TDA v2 (Apr 2025 JIP-16) are additive/upgrade deployments, not retirements of existing addresses. Core stake pool address Jito4APyf… unchanged. StakeNet Steward transition (Jul 2024) is outside the 12-month window.
RD-F-166 green Deprecated contracts still holding value No Jito-announced deprecated contract holds >$100k in stranded user assets. TipRouter v1 to v2 transition (Jan–Apr 2025) is a managed upgrade. StakeNet Steward v1 to v2 transition (Jul 2024) is managed. Primary TVS ($877M) is in active stake pool Jito4APyf… — not deprecated. Data cache has_legacy_v1: true flag refers to validator client architecture, not a deprecated value-holding on-chain contract. No EVM deprecated router addresses with stale user approvals (Solana is primary chain; EVM exposure is rate-feed oracle only, no user asset custody).
Real-time signals Green 4 22 of 22
RD-F-102 yellow Admin/upgrade transaction in mempool Jito DAO upgrade authority (4ivLcnNLhe4cKdpV9b4jyEmxgbYWFgktHcTyyBvYavsD) controls on-chain program upgrades via Realms. No upgrade tx pending outside governance-approved proposals as of 2026-04-29. HOWEVER: the dominant Jito risk vector is off-chain. Jito Labs unilaterally disabled the block engine mempool on 2024-03-09 — a major operational action affecting all JitoSOL stakers' MEV yield — with zero on-chain footprint. This is structurally undetectable by the RD-F-102 signal. Jito Labs' BAM system (launched July 2025) also involves off-chain infrastructure changes not captured by on-chain mempool monitoring. Signal is applicable to on-chain upgrade txs but the most material risk is off-chain. v1 phase-2 signal; Solana mempool listener required (Solana TPU pipeline differs from EVM mempool).
RD-F-090 n/a Mixer withdrawal → protocol interaction Mixer-withdrawal signal is Tornado Cash-centric (Ethereum); Jito is Solana-native. TC does not operate on Solana. Solana-native privacy tool (Elusiv, Light Protocol) feed not in T-09 v1 scope. No Solana-native mixer-funded wallets interacting with Jito programs identified from public sources. v1-deferred: requires Solana-specific wallet-clustering feed and attribution SLA before signal can be applied to Solana protocols.
RD-F-091 n/a Partial-drain test transactions No partial-drain pre-strike test transactions detected on Jito stake pool (Jito4APyf642JPZPx3hGc6WWJ8zPKtRbRs4P815Awbb). No unusual small-value unstake patterns observed. Unstake queue managed via StakeNet Steward program. v1-deferred signal (methodology scope only); static assessment shows no evidence of precursor drain patterns.
RD-F-092 n/a Unusual mempool pattern from deployer wallet Deployer wallet maps to Jito DAO program address (4ivLcnNLhe4cKdpV9b4jyEmxgbYWFgktHcTyyBvYavsD) and Merkle Upload Authority (8F4jGUmxF36vQ6yabnsxX6AQVXdKBhs8kGSUuRKSg8Xt). Solana mempool is a short-lived TPU pipeline (~400ms transaction lifecycle), not a persistent EVM-style mempool. Signal as defined is EVM-centric. No unusual sequences detected from DAO authority or Merkle Upload addresses. v1-deferred; requires Solana-native mempool monitoring infrastructure.
RD-F-093 n/a Abnormal gas-price willingness from attacker wallet EVM gas-price signal does not apply to Solana. Solana uses compute unit prices (priority fees), not gas prices. The MEV dynamics on Solana (Jito bundles, TPU pipeline) are fundamentally different from EVM gas-price race patterns. N/A for Solana-native protocol.
RD-F-094 n/a New contract with similar bytecode to exploit template Applies to Solana BPF programs targeting Jito's stake pool or MEV program instruction discriminators. No Solana BPF programs with similar bytecode to Jito programs deployed in malicious context identified from public sources. Requires Solana BPF bytecode similarity monitoring infrastructure (distinct from EVM bytecode monitoring). v1-deferred.
RD-F-095 n/a Known-exploit function-selector replay Solana programs use instruction discriminators (Anchor-style 8-byte discriminators) rather than EVM 4-byte function selectors. No exploit-template discriminator patterns targeting Jito programs identified. Requires Solana-native instruction discriminator monitoring. v1-deferred.
RD-F-096 n/a New ERC-20 approval to unverified contract from whale ERC-20 approval signal is EVM-specific. Jito is Solana-native; SPL token approval (the Solana equivalent) has different mechanics and Jito's stake pool does not use approval-based token flows in the same ERC-20 sense. N/A for Solana-native protocol.
RD-F-097 n/a Sybil surge of identical-pattern transactions Sybil patterns could apply to JitoSOL unstake requests or governance token deposits on Realms. No documented sybil surge targeting Jito programs from public sources. Requires Solana on-chain clustering infrastructure for Sybil detection. v1-deferred.
RD-F-106 n/a Cross-chain bridge unverified mint pattern Jito uses Wormhole NTT for EVM JitoSOL token bridge (rate relay, not liquidity bridge). No abnormal cross-chain deposit/mint-without-proof pattern detected. The bridge is a rate-relay for wrapped JitoSOL, not a large TVL bridge (primary $877M TVS is all on Solana). No unverified mint events identified. v1-deferred signal.
RD-F-107 n/a Admin EOA signing from new geography/device Jito program upgrade authority is Jito DAO Realms program (4ivLcnNLhe4cKdpV9b4jyEmxgbYWFgktHcTyyBvYavsD), not a human EOA. Geography signing patterns are not applicable when the signing entity is an on-chain DAO program. Off-chain signing telemetry would require access to Jito Foundation's internal key management — not publicly observable. N/A.
RD-F-108 n/a GitHub force-push to sensitive branch jito-foundation/jito-solana has active normal commit cadence (last commit 2026-04-29 per data cache). No force-push events or unauthorized sensitive-branch pushes detected from available public sources. Data cache confirms github.last_commit_date=2026-04-29 and security_md_present=true. v1-deferred signal; GitHub API monitoring required for automated detection.
RD-F-109 n/a Social-media impersonation scam spike Sustained impersonation ecosystem documented: (1) jito-network.org — active typosquat registered 2023-12-31, ScamAdviser trust score 0/100 ('Very Likely Unsafe'), hidden ownership, hosted Finland/Hetzner; (2) Jito phishing email campaign confirmed by @jito_sol X post (November 2024, status 1859676916044779919); (3) sites.google.com/view/jito-network/home — fake Jito staking guide page active. Not a single-day spike but a persistent impersonation infrastructure. v1-deferred signal; advisory level under T-09 framework.
RD-F-110 n/a Unusual pending/executed proposal ratio Jito DAO on Realms shows routine governance cadence. Visible proposals are standard maintenance. No accumulation of pending/unexecuted proposals relative to baseline detected. Governance parameters: 3-day voting + 2-day delay = 5-day total cycle; Security Council veto capability provides additional proposal queue management. v1-deferred signal.
RD-F-098 green TVL anomaly — % drop in <1h TVL $877,359,827 as of 2026-04-29 (DeFiLlama API). 30-day change: -13.98% (gradual, SOL-price-driven). 1-day change: -0.19%. T-09 v1 primary condition (TVL_now / TVL_baseline_30d < 0.70 in 60 min) is not breached. The -13.98% 30-day decline is a steady market trend, not a single-hour anomalous drain. Sector-wide SOL price compression also applies as suppression context. No anomalous drain event. T-09 v1 production-live signal.
RD-F-099 green Oracle price deviation >X% from secondary Core JitoSOL stake pool has no external oracle — rate is derived on-chain from stake pool accounting (total active stake / token supply = 1.276 SOL per JitoSOL, epoch 964). This is not oracle-dependent in the Chainlink/Pyth sense. Arbitrum StakePoolRate oracle (0x8aa73ec870dc4a0af6b471937682a8fc3b8a21f8) is Jito-operated relay, not a price-setting oracle. JitoSOL/SOL on Orca DEX matches canonical rate. No deviation detected. v1 phase-2 signal; per-asset secondary-oracle mapping required before live alerting.
RD-F-100 green Flash loan >$10M targeting protocol tokens Solana flash loan mechanics (Solend, Kamino) differ from EVM. JTO governance token flash-loan feasibility: JTO market cap ~$385M; Orca/Raydium JTO pools insufficient for $10M flash-loan at governance quorum scale (10M JTO required for quorum). No documented flash-loan events targeting JTO governance contracts or Jito stake pool programs. Realms SPL Governance uses deposited-token-at-time-of-vote, limiting within-transaction flash-loan attacks. v1 phase-2 signal; Solana-specific block scan required.
RD-F-101 green Large governance proposal queued Jito DAO on Realms (gov.jito.network) has program upgrade authority 4ivLcnNLhe4cKdpV9b4jyEmxgbYWFgktHcTyyBvYavsD. Active proposals as of 2026-04-29 are routine program maintenance (Upgrade Validator History And Steward Programs; Freeze upgrade authority for Distributor). No flagged-pattern proposals detected. Governance parameters: 250K JTO proposal threshold, 3-day voting, 2-day delay, 10M JTO quorum. Security Council has veto right on proposals violating constitution or constituting security emergencies. No malicious-pattern governance activity detected. T-09 v1 production-live signal.
RD-F-103 green Bridge signer-set change proposed/executed Jito uses Wormhole NTT infrastructure for EVM JitoSOL token bridge. Core $877M Solana TVS has no bridge surface. No unscheduled Wormhole guardian-set change detected. Jito-operated StakePoolRate oracle updater (jitosol-wormhole-updater service) shows no key rotation event. The primary Solana stake pool has no bridge signer set. Signal is partially applicable only to EVM bridge surface. T-09 v1 production-live signal.
RD-F-104 green Stablecoin depeg >2% on shared-LP venue Reframed for LST: JitoSOL/SOL secondary-DEX depeg signal. Canonical stake pool rate: 1.276 SOL per JitoSOL (Solana Compass, epoch 964). Orca DEX JitoSOL/SOL pool (8bDeibmKzTmVpcB8QZf1UtMJgu7UmFgrG4eiNnxCSQb3) tracking canonical rate. No >2% deviation detected. Jito does not hold stablecoin positions as primary collateral (it is an LST issuer, not a lending protocol). Monitoring applicable for LST depeg signal. T-09 v1 production-live signal (reframed for LST context).
RD-F-105 green DNS/CDN/frontend hash drift Primary frontend jito.network shows no DNS or SSL cert change as of 2026-04-29. Jito issued a phishing warning (X/@jito_sol, 2024-11-21) about fake emails from non-jito.network domains. The external typosquat jito-network.org is a Cat 11 finding (RD-F-161), not a hash-drift signal on the primary domain. No evidence of primary domain compromise. v1 phase-2 signal; external monitoring stack required for hash-drift detection.
RD-F-182 green Security-Council threshold reduction (RT) Batch-24 addition: Security-Council threshold reduction event. Jito has a Security Council per constitutional docs (minimum 5 members, Foundation Director-established, emergency veto rights on JIPs). No SC threshold reduction event detected as of 2026-04-29. Governance parameter change (quorum 30M → 10M JTO) was a DAO parameter update — distinct from SC multisig threshold reduction (the Drift-class DPRK precursor pattern). SC signer addresses not publicly published; governance-admin-analyst should enumerate via Realms program state. T-09 v1.1 candidate signal.
Dev identity & insider risk Green 4 16 of 16
RD-F-117 yellow ENS/NameStone identity bound to deployer ENS is an Ethereum-specific naming system; Jito is Solana-native. No ENS binding to the JTO DAO upgrade authority address (4ivLcnNLhe4cKdpV9b4jyEmxgbYWFgktHcTyyBvYavsD). Solana Name Service (.sol domains) binding to this address not confirmed from public data. However, team identity is robustly established through non-ENS means (company registration, LinkedIn, press, GitHub). Yellow assigned because deployer address identity is established but no on-chain ENS/SNS name-binding exists. Factor is structurally less applicable to Solana protocols than EVM protocols.
RD-F-123 yellow Sudden admin-rescue/ACL change without discussion March 9, 2024 mempool disable: Jito Labs made a unilateral decision to suspend the Jito Block Engine mempool with no preceding DAO vote, governance proposal, or public forum discussion. Announcement was via a single tweet. However, the mempool is off-chain block engine software — not an on-chain admin-rescue or ACL change. No on-chain RoleGranted/RoleRevoked or program upgrade authority change occurred. The JTO DAO upgrade authority at 4ivLcnNLhe4cKdpV9b4jyEmxgbYWFgktHcTyyBvYavsD remained unchanged. The Jito Foundation constitution assigns operational decisions (off-chain software) to Jito Labs, while on-chain upgrades require DAO governance. This is governance-process centralization at the protocol-economic level without DAO ratification (yellow) but not an on-chain insider ACL change without discussion (red). No on-chain admin-rescue or ACL change in 180-day lookback identified without preceding discussion.
RD-F-111 green Team doxx status Lucas Bruder (CEO) and Zano Sherwani (CTO) are real-name doxxed with verifiable prior professional histories. Bruder: CMU ECE degree 2016, prior roles at Mindtribe/Tesla/Built Robotics/Ouster, active LinkedIn and GitHub presence, multiple on-camera conference appearances (Breakpoint 2023, Consensus Miami 2026). Sherwani: George Mason CS degree 2018, prior roles at Amazon and Parsec Finance, on-camera YouTube/podcast appearances. Brian Smith (Foundation ED) also real-name doxxed via LinkedIn. All three meet the green threshold of real-name with verifiable prior professional history.
RD-F-112 green Team public accountability surface Lucas Bruder: 5+ verifiable trails (LinkedIn with full employment history, GitHub buffalu with 228 followers and 9 repos, Substack engineering articles, conference speaker profiles at Blockworks/CoinDesk, multiple podcast appearances). Zano Sherwani: 4+ verifiable trails (LinkedIn, GitHub segfaultdoc created 2016, YouTube on-camera appearances, conference speaker profiles). Both exceed the green threshold of ≥3 verifiable trails per core member.
RD-F-113 green Team other-protocol involvement history Lucas Bruder: no prior DeFi protocol involvement; clean engineering background (Mindtribe, Built Robotics, Ouster). Zano Sherwani: prior role at Parsec Finance (DeFi on Solana, 2021) — ended cleanly to co-found Jito Labs; no adverse events at Parsec identified. RICO lawsuit naming Bruder and Smith (July 2025) fully dismissed by court September 2025 — not a rug or exit-scam finding. No rug or failed-protocol affiliations for any team member.
RD-F-114 green Deployer address prior on-chain history Jito is a Solana-native protocol. Programs are deployed via Jito Labs operational keypairs (a US-incorporated company), not pseudonymous EOAs. The stake pool program uses the canonical SPL Stake Pool; upgrade authority is the JTO DAO multisig. Data-cache deployer address is null (non-EVM substrate; pipeline gap). No prior rug or flagged deployer history found for Jito Labs operational addresses. Classification: normal institutional deployer history for a VC-backed US startup.
RD-F-115 green Prior rug/exit-scam affiliation No prior rug or exit-scam affiliation confirmed for any Jito team member. Lucas Bruder: clean engineering background; no rug history. Zano Sherwani: prior Parsec Finance role ended cleanly. Brian Smith: no adverse history. RICO lawsuit (July 2025) naming Bruder and Smith in Pump.fun class action was fully dismissed by court September 2025 — Jito Labs, Jito Foundation, Bruder, and Smith all dismissed. Does not constitute a rug affiliation.
RD-F-116 green Contributor tenure at admin-permissioned PR Top two contributors to jito-programs are segfaultdoc (40 contributions, GitHub account created 2016-02-15 = 9+ years tenure, bio 'cto @jito-labs') and buffalu (35 contributions, confirmed CEO Lucas Bruder). Both have tenure far exceeding the 180-day green threshold. All admin-permissioned code changes are made by the two longest-tenured contributors who are also the company founders.
RD-F-118 green Handle reuse across failed/rugged projects No handle reuse detected. Lucas Bruder has used @buffalu__ (X) and github.com/buffalu consistently since Jito Labs founding in October 2021, with no prior rugged-project associations under any alias. Zano Sherwani's github.com/segfaultdoc account was created 2016-02-15, predating Jito by 5 years, with no prior failed-project associations identified. OSINT searches for prior rugged projects under either handle returned no adverse results.
RD-F-119 green Commit timezone consistent with stated geography Jito Labs is a US-incorporated company. Both founders have US-based backgrounds: Lucas Bruder (CMU, Pittsburgh/SF area, prior US employers), Zano Sherwani (George Mason University, Virginia; Amazon AWS US). No commit timezone analysis performed programmatically (non-EVM tooling gap), but no DPRK timezone anomaly has been reported in any security research and the team's real-name doxxed status with verifiable US-based prior employment is a strong mitigant against DPRK UTC+9 pattern. Confidence: medium due to absence of automated analysis.
RD-F-120 green Video-off/voice-consistency flag Both founders have extensive on-camera video presence. Lucas Bruder: on-camera at Breakpoint 2023 (Jito StakeNet presentation), on-camera in 'JitoSol: Building Solana's Hot Seat DeFi Moment' YouTube video, conference speaker at Consensus Miami 2026. Zano Sherwani: on-camera in 'Building MEV on Solana' YouTube (2022), on-camera in 'The Future of Solana in 2024 & Beyond' Lightspeed podcast YouTube (2024), on-camera at Breakpoint 2023. No video-off flag; voice and identity consistent. Green threshold (≥2 on-camera public appearances) met.
RD-F-121 green Contributor OSINT depth score Lucas Bruder OSINT depth score: 5/5 (LinkedIn with full employment history, GitHub with 228 followers, Substack with technical engineering articles, multiple conference speaker profiles, IQ.wiki entry, podcast presence). Zano Sherwani OSINT depth score: 4/5 (LinkedIn, GitHub, YouTube appearances, IQ.wiki, conference speakers). Average score 4.5 ≥ 4 green threshold.
RD-F-122 green Contributor paid to DPRK-cluster wallet No on-chain path ≤3 hops from Jito contributor payment addresses to DPRK-labeled cluster identified. Jito Labs pays contributors via normal US corporate payroll structures. Web search for DPRK proximity (query: 'Jito Labs DPRK OR Lazarus OR North Korea') returned no relevant results linking Jito team or program addresses to DPRK actors. Alameda Research seed investment (equity, not on-chain contributor payment flow) does not constitute a contributor payment path to DPRK cluster. CTI feed unavailable at this assessment level; confidence medium.
RD-F-124 green Deployer wallet mixer-funded within 30 days Jito is Solana-native. No OFAC-sanctioned Solana mixer existed at the time of the October 2022 program deployment (OFAC sanctioned Ethereum Tornado Cash in August 2022; no Solana equivalent was labeled at that time). No mixer-funding path identified for any Jito operational keypair in the 30-day pre-deploy window (October 1–31, 2022). Data-cache deployer.funded_by: null (non-EVM pipeline gap, not a red signal). Factor assessed via OSINT and institutional context: Jito Labs is a VC-backed US entity with institutional funding sources (Multicoin Capital, Framework Ventures, Alameda Research via Series A August 2022).
RD-F-125 green Deployer linked within 3 hops to DPRK/Lazarus No DPRK or Lazarus cluster proximity identified for any Jito privileged wallet or contributor. Web search for 'Jito Labs OR jito-foundation DPRK OR Lazarus OR North Korea' returned no relevant results. Founders (Lucas Bruder, Zano Sherwani) have verifiable US-based professional histories inconsistent with DPRK implant patterns. No OFAC SDN hits for any Jito-associated address. Drift Protocol April 2026 DPRK exploit is a separate protocol with no Jito connection. CTI feed not available at this assessment level; confidence medium. Absence of any affirmative evidence of DPRK proximity across all assessed vectors.
RD-F-184 green Real-capital social-engineering persona No curator-flagged social-engineering persona identified for Jito. The Drift Protocol April 2026 DPRK exploit (UNC4736 using real capital ≥$1M to build credibility over 6 months on Solana MEV ecosystem) targeted Drift Protocol specifically — no Jito connection identified. Alameda Research seed investment ($2.1M, December 2021) is a corporate equity stake, not an on-chain ≥$1M real-capital deposit by a persona building credibility for a social-engineering attack against Jito. No active curator flag. Data-cache hacks array is empty.
Fork / dependency lineage Green 7 10 of 10
RD-F-129 yellow Code divergence from upstream (%) jito-solana has MEV-specific modifications: bundle processing, block engine, tip payment hooks, relayer integration. Divergence is focused MEV additions (not wholesale rewrite) confirmed by Neodyme+Halborn+OtterSec delta audits. Exact LOC % not computable via WebFetch (requires local git diff). Estimated 20–40% functional divergence. Yellow per methodology.
RD-F-133 yellow Dependency manifest uses unpinned versions Stakenet Cargo.toml: Anchor 0.31.1 (exact pin), Solana SDK 2.3.x (= pinned), SPL Stake Pool 2.0.0 (exact), SPL Token 4.0 (no = prefix — range allowed minor updates). The SPL Token 4.0 range specifier is a minor flexibility in a well-controlled library but technically not fully pinned per methodology. Most critical deps are exactly pinned.
RD-F-126 green Is-a-fork-of jito-solana is an explicitly declared fork of anza-xyz/agave (confirmed by README and 292 scheduled GitHub Actions rebase runs). SPL Stake Pool: Jito deploys the canonical upstream program — not a fork. StakeNet/Restaking/TipRouter: original Jito-authored code.
RD-F-127 green Upstream patch not merged Automated rebase workflow runs continuously (292 recorded runs). April 2025 ZK ElGamal critical patch: Jito published v2.1.21-jito and v2.2.11-jito same-day as Agave patches (Apr 17–18, 2025). Jito engineers were part of the coordinated incident response. Current mainnet v3.1.14-jito (Apr 28, 2026) tracks stable Agave v3.1.x. No unmerged upstream security patches identified.
RD-F-128 green Upstream vulnerability disclosure (last 90d) The April 2025 ZK ElGamal Proof Bug (within trailing 90 days) was patched by Jito same-day (v2.1.21-jito). The current mainnet v3.1.14-jito (Apr 28, 2026) is on a fully patched stable branch. No current unpatched upstream disclosure affecting deployed jito-solana versions.
RD-F-130 green Fork depth (generations from original audit) jito-solana is a direct fork (depth 0) of Agave, which is maintained by Anza with its own security program and was audited by Asymmetric Research, Neodyme, OtterSec in April 2025. SPL Stake Pool: depth 0 (canonical upstream). StakeNet/Restaking/TipRouter: not forks (N/A for depth).
RD-F-131 green Fork retains upstream audit coverage jito-solana MEV modifications audited by Neodyme (2022), Halborn (2022–2023), OtterSec (v1.18, v2.0 ongoing). Coverage model: upstream Agave security + delta-audit for Jito-specific changes. SPL Stake Pool: upstream OtterSec 2023-01-20 audit via anza-xyz/security-audits. All fork-specific changes have dedicated audit coverage.
RD-F-132 green Fork has different economic parameters than upstream jito-solana MEV features are entirely new code surfaces (no 'different parameters from audited upstream defaults') — they are audited independently. SPL Stake Pool uses canonical Solana Labs parameters with no Jito modification. StakeNet Steward introduces original delegation algorithms audited by OtterSec.
RD-F-134 green Dependency had malicious-release incident (last 90d) No malicious-release advisory affecting jito-foundation Rust dependencies (anchor-lang 0.31.1, solana-sdk 2.3.x, spl-token 4.0, spl-stake-pool 2.0.0) identified from public GHSA feeds in the trailing 90 days (2026-01-29 to 2026-04-29).
RD-F-135 green Shared-library version with known-vuln status Anchor 0.31.1: no CVE/GHSA found. Solana SDK 2.3.x: April 2025 ZK ElGamal patch was to the ZK Token program (on-chain program), not the SDK itself; patched versions are deployed. Rust 1.93.1: not on known-critical-bug list. SPL Token 4.0: no high/critical advisory found. No active known-vulnerable library version identified.
Post-deploy hygiene & change mgmt Green 17 13 of 13
RD-F-136 yellow Deployed bytecode matches signed release tag Solana programs use solana-verify for bytecode-to-source matching. StakeNet documentation confirms: 'can be verified from repository with solana-verify verify-from-repo.' OtterSec audits cite specific commit SHAs. However, comprehensive verification of all deployed programs vs. latest commits is not confirmed from available public evidence. Programmatic verification path exists but completeness is unconfirmed.
RD-F-137 yellow Upgrade frequency (per 90 days) Active development cadence: StakeNet Steward launched July 2024; TipRouter NCN launched 2025; JIP-16 (TDA v2) proposed March 2025; JIP-24 passed August 2025. Estimated 2-4 program upgrades per 90 days across all programs. High but not abnormal for a multi-product protocol in active development.
RD-F-139 yellow Post-audit code changes without re-audit [★] Multiple post-audit deployments identified: (a) StakeNet Steward: OtterSec audit at commit f4ea93a, deployed July 2024; (b) Restaking + Vault Programs: audited at specific commits by OtterSec/Offside/Certora Oct 2024; (c) TipRouter NCN: Certora audit Jan 2025, then production deployment; (d) JIP-16 (TDA v2, March 2025) proposes code changes — specific audit coverage for this upgrade not confirmed. Per-release OtterSec reviews for validator client are informal ongoing reviews, not full re-audits. Cannot confirm all deployed versions are covered by specific audit reports without direct on-chain bytecode verification.
RD-F-142 yellow Storage-layout collision risk across upgrades Solana Anchor programs use discriminators and explicit account layouts rather than EVM storage slots — less susceptible to slot-collision. Data account upgrades require careful migration. No storage layout collision incidents documented. Cannot fully assess without source diff analysis of upgrade versions.
RD-F-146 yellow New contract deploys in last 30 days Active development with ongoing deployments. TipRouter NCN recently in production (2025). JIP-16 (TDA v2) proposed March 2025. JIP-28 (BAM acceleration) and JIP-24 (fee routing) in 2025. Multiple new program deployments and upgrades in last 90 days — elevated fresh attack surface from active development.
RD-F-143 n/a Reinitializable implementation (no _disableInitializers) [★] Not applicable. Jito uses Solana BPF/Anchor programs, not EVM proxy contracts. The _disableInitializers() OpenZeppelin pattern does not apply. Anchor's #[account(init)] constraint prevents double-initialization of data accounts. The EVM reinitializer attack vector (proxy takeover via re-init) does not exist in the Solana program model.
RD-F-144 n/a CREATE2 factory permits same-address redeploy Not applicable. Solana programs use BPFLoaderUpgradeable, not CREATE2. Program IDs are stable; upgrade authority controls bytecode at same program ID. Permissionless redeploy to same address is not possible — requires upgrade authority (Squads multisig) approval.
RD-F-168 n/a Stale-approval exposure on deprecated router Not applicable. Solana uses account ownership model, not ERC-20 approval model. No EVM-style token approvals on deprecated routers exist. JitoSOL staked assets are in SPL accounts owned by the stake pool — not approval-based. No deprecated router contracts with stale user approvals identified.
RD-F-138 green Hot-patch deploys without timelock (last 30 days) No confirmed hot-patches in last 30 days without timelock. DAO proposals involving code changes go through 3-day voting + 2-day delay process. No emergency code deploy in last 30d documented. Security Council has bypass authority but no documented use in last 30 days.
RD-F-140 green Fix-merged-but-not-deployed gap No documented case of a known vulnerability with PR merged but not deployed. Programs follow standard release tag to deploy workflow. No incidents of fix-merged-not-deployed gap identified in Jito's public repositories.
RD-F-141 green Test-mode parameters in deploy No evidence of test-mode parameters in production. StakeNet decentralization required 3-month bug bounty milestone without critical vulnerabilities before handover — indicates production parameters are clean. No test oracle, infinite allowances, or admin-as-deployer in production configs documented.
RD-F-145 green Deployed bytecode reproducibility Jito explicitly uses solana-verify build for reproducible builds. StakeNet README documents verification command. This is a positive indicator; reproducible builds are part of Jito's security posture.
RD-F-185 green Bridge rate-limiter / chain-pause as positive mitigant Wormhole NTT bridge for JitoSOL (Arbitrum): NTT framework implements rate-limiting on both source and destination chains per Wormhole documentation — transfers exceeding capacity are queued. Primary TVS ($877M) is on Solana (not bridge-based). Bridge rate-limiter applies to cross-chain JitoSOL token only. Solana network has validator-level pause capability (historical precedent exists). Positive mitigant for bridge surface.
Cross-chain & bridge Green 0 12 of 12
RD-F-150 gray Bridge validator co-hosting Wormhole guardian set includes institutional operators (Jump Crypto, Certus One, Everstake, Figment, others). Full ASN / datacenter co-hosting analysis not completed within time budget. Insufficient evidence to confirm or deny >30% single-datacenter concentration.
RD-F-154 n/a Default bytes32(0) acceptable as valid root [★ CRITICAL] NOT_APPLICABLE — architecture-specific exclusion. Wormhole uses ECDSA guardian signature quorum (13-of-19), not Merkle root acceptance. The Nomad $190M bug class (bytes32(0) as default-accepted Merkle root) does not apply to Wormhole's signature-based VAA architecture. F154 ★: not_applicable (not a pass/fail — this vulnerability class is architecturally absent).
RD-F-155 gray Bridge validator-set rotation recency Guardian set rotation recency not confirmed from public sources within assessment time budget. GuardianSetUpdated event log on Ethereum mainnet Wormhole core contract not enumerated. The guardian set appears stable at 19 members per documentation but last rotation date is unknown.
RD-F-156 gray Bridge uses same key custody for >30% validators Key custodian concentration for Wormhole guardians not determinable from public OSINT within time budget. Known operators include Jump Crypto and institutional validators, but ASN/custodian analysis not completed.
RD-F-157 gray Bridge TVL per validator ratio Bridged JitoSOL TVL on Arbitrum not separately quantified (DefiLlama shows 100% of $877M on Solana; EVM-side token supply not enumerated). Under worst-case assumption (100% bridged): $877M / 19 guardians = ~$46M per guardian (green threshold <$50M). Actual EVM bridge TVL is likely a small fraction. Gray due to missing EVM bridged TVL data.
RD-F-179 n/a LayerZero OFT DVN config (count, threshold, diversity) NOT_APPLICABLE. Jito uses Wormhole NTT (not LayerZero OFT) for its EVM token bridge. Data cache confirms layerzero.present: false. F179 applies only to LayerZero OFT integrations per taxonomy definition. Use F148/F149 for Wormhole bridge assessment.
RD-F-147 green Protocol has bridge surface Yes — Jito Foundation operates a Wormhole NTT-based bridge for JitoSOL token (Solana → Arbitrum) and a Wormhole Queries-based StakePoolRate oracle cross-chain relay. Both constitute bridge surface. Profile §7 flags has_bridge_surface: true.
RD-F-148 green Bridge validator count (M) Wormhole guardian set: 19 validators. This is the canonical shared infrastructure. 19 is a strong validator count — significantly above the 5–7 range that characterizes vulnerable bridges.
RD-F-149 green Bridge validator threshold (k-of-M) 13-of-19 supermajority threshold. This exceeds simple majority (≥10). Green per taxonomy: threshold >= ceil(M/2)+1. No single-guardian approval risk. For governance actions, two-thirds supermajority (>=13) required.
RD-F-151 green Bridge ecrecover checks result ≠ address(0) [★ CRITICAL] GREEN. Wormhole Messages.sol verifySignatures() explicitly checks: require(signatory != address(0), 'ecrecover failed with signature'). Code comment: 'ecrecover returns 0 for invalid signatures. We explicitly require valid signatures to avoid unexpected behaviour due to the default storage slot value also being 0.' This check was added post the Feb 2022 Wormhole exploit. F151 ★: GREEN.
RD-F-152 green Bridge binds message to srcChainId Wormhole VAA structure includes emitter_chain as part of unique indexing tuple (emitter_chain, emitter_address, sequence). StakePoolRate.sol validates chain_id == Solana (chain ID 1) in updatePool() logic. Chain binding is enforced.
RD-F-153 green Bridge tracks nonce-consumed mapping Wormhole uses (emitter_chain, emitter_address, sequence) tuple uniqueness and VAA digest-based replay protection. Sequence is auto-incrementing per emitter. Digest (double-keccak256 of VAA body) can be checked against consumed set. Wormhole EVM core contract implements this replay prevention.
Threat intelligence & recon Green 11 8 of 8
RD-F-161 yellow Protocol-impersonator domain registered (typosquat) Active typosquat domain confirmed: jito-network.org — registered 2023-12-31, ScamAdviser trust score 0/100 ('Very Likely Unsafe'), hidden ownership (Privacy Protect LLC, all contact info redacted), hosted Finland/Hetzner. Jito issued phishing warning (X @jito_sol status/1859676916044779919, November 2024) confirming fake email campaign. Fake staking guide at sites.google.com/view/jito-network/home also active. Multiple impersonation surfaces confirmed. Official domain jito.network is uncompromised. Meets the yellow threshold: impersonator domain active within last 90 days (registered 2023-12-31, still active 2026-04-29).
RD-F-159 n/a Attacker wallet pre-strike probe (low-gas failing txs) Solana 'mempool' is a short-lived TPU pipeline; failing-transaction reconnaissance pattern is different from EVM mempool probe behavior. No threat-actor low-priority transaction probing detected on Jito programs from available public sources. Requires Solana-specific mempool monitoring feed. v1-deferred.
RD-F-162 n/a Known-exploit-template selector deployed by any address No known Jito-specific exploit template exists (no prior Jito program exploits documented). No Solana BPF programs with instruction discriminator patterns matching Jito-class LST exploits detected in public sources. Without a prior Jito-targeting exploit, there is no exploit template to seed the pattern library. v1-deferred signal.
RD-F-163 gray Avg attacker reconnaissance time for peer-class protocols Analytical benchmark for Solana LST/staking protocol class. Drift exploit (UNC4736/DPRK, 2026-04-01) demonstrated 6-month social engineering reconnaissance targeting privileged access in a Solana protocol. USPD-class 78-day on-chain reconnaissance average is less applicable to Solana (no EVM mempool probe patterns). No Jito-specific on-chain reconnaissance signals detected. This factor is an analytical benchmark, not a real-time signal for a specific current threat. Gray because it is M-only curation without a current-protocol-specific observable.
RD-F-164 n/a Leaked credential on paste/sentry site Jito operates off-chain infrastructure (block engine, BAM nodes, relayer, Merkle upload service, jitosol-wormhole-updater); leaked API keys or node credentials could be material. No public paste-site or credential dump referencing Jito infrastructure endpoints found via available public sources. Requires specialized paste/credential-dump monitoring feeds not available for T-10 static assessment. v1-deferred.
RD-F-165 n/a Protocol social channel has scam-coordinator flag Jito has active Discord/Telegram community. General phishing activity documented (phishing emails, jito-network.org, fake staking guides) but no specific Discord/Telegram channel admin flagged on any public scam-coordinator watchlist. Curator social watchlist required for definitive assessment. v1-deferred.
RD-F-158 green Known-threat-actor cluster has touched protocol Drift Protocol exploit (2026-04-01, UNC4736/DPRK, $285M): JitoSOL tokens ($3.6M) among 18 asset types drained from Drift. DPRK wallets interacted with Drift Protocol contracts, NOT with Jito program addresses (Jito4APyf642JPZPx3hGc6WWJ8zPKtRbRs4P815Awbb, T1pyyaTNZsKv2WcRAB8oVnk93mLJw2XzjtVYqCsaHqt, 4R3gSG8BpU4t19KYj8CfnbtRpnT8gtk4dvTHxVRwc2r7). Signal requires interaction with Jito's own protocol contracts. The Drift exploit targeted Drift's privileged access (SC compromise via 6-month social engineering), not Jito programs. Doxxed Jito founders (Lucas Bruder, Zanyar Sherwani) show no DPRK affiliation. T-09 v1 phase-2 advisory signal.
RD-F-160 green GitHub malicious-dependency incident touching protocol deps No GitHub Security Advisory (GHSA) flagged against jito-foundation repositories or their Rust dependencies as of 2026-04-29 from available public sources. The August 2024 Agave/Jito rBPF vulnerability (CALL_REG misalignment) was a client-level zero-day, not a supply-chain dependency compromise; patched in 72 hours. jito-solana tracks upstream Agave continuously. data cache: security_md_present=true, changelog_present=true. No malicious-dependency advisory identified.
Tooling / compiler / AI Green 0 5 of 5
RD-F-170 green Solc version used (known-bug versions flagged) Jito's on-chain programs use Rust (not Solidity). Rust 1.93.1 pinned in jito-solana rust-toolchain.toml — stable, not on known critical compiler bug list. Peripheral EVM contracts (StakePoolRate.sol, NTT token) use Foundry with no explicit solc version pin (defaults to latest stable). Primary TVS programs are Rust/SBF; Solidity compiler bugs are immaterial to the $877M TVS.
RD-F-171 green Bytecode similarity to audited upstream with behavior deviation jito-solana is a declared fork of Agave with documented MEV additions — fully transparent, explicitly audited, no undisclosed behavioral deviation. Restaking and TipRouter are original designs. No AI-copy-risk pattern (high similarity with undisclosed deviation) identified.
RD-F-172 green Repo shows AI-tool co-authorship in critical files No AI-tool co-authorship (GitHub Copilot, ChatGPT Code Interpreter) commit trailers identified in jito-foundation critical program files. Standard Rust/Anchor development patterns used. No evidence of AI-generated code in security-critical paths.
RD-F-173 green Team self-disclosure of AI-generated Solidity No team disclosure of AI-generated Rust or Solidity in security-critical production code found in Jito blog, documentation, or public announcements. Search returned no Jito-specific AI code disclosure.
RD-F-174 green Dependency tree uses EOL Solidity version Rust 1.93.1 (jito-solana) is a supported stable release, not EOL. Anchor 0.31.1 is current. Peripheral EVM contracts use Foundry default solc (latest stable). No EOL language version identified in primary programs.
Response & disclosure hygiene Green 8 4 of 4
RD-F-176 yellow Disclosure SLA public No quantified acknowledgment-time SLA published. JIP-5 references 'strict responsible disclosure guidelines' without specifying a timeline. Immunefi program page for Jito does not list a Jito-specific acknowledgment SLA. Yellow = SLA not published with a quantified timeline. Disclosure channel exists (F175 green) so red (no channel) is not applicable.
RD-F-175 green Disclosure channel exists Active public disclosure channel via Immunefi (https://immunefi.com/bug-bounty/jito/information/). Live since 2024-08-28, managed by Asymmetric Research. Covers 8 in-scope asset classes. jito-solana SECURITY.md directs to Immunefi. JIP-5 DAO proposal passed establishing program with 3-of-5 multisig fund control. Active monitoring inferred from Asymmetric Research management agreement. Channel existence and structural monitoring satisfy green condition.
RD-F-177 green Prior known-ignored disclosure No evidence of a prior vulnerability disclosure being reported to Jito and ignored before exploitation. No exploits exist, so no post-mortem could document a 'received-but-not-actioned' disclosure. Web search for 'Jito ignored disclosure vulnerability' returned no such articles. Green = no evidence of ignored disclosure.
RD-F-178 green CVE/GHSA advisory issued against protocol No CVE or GHSA advisory published against Jito's on-chain programs. GitHub Security Advisories for jito-foundation/jito-solana, jito-foundation/stakenet, and jito-foundation/restaking all return 'There aren't any published security advisories.' NVD/CVE search returned no Jito DeFi protocol advisories. OtterSec BAM client audit (Sep 2025 draft) documented high-risk findings but these are audit-report findings, not published CVEs or GHSAs. Green = no advisory issued.
rubric_version v1.7.0 graded_at 2026-05-12 04:38:07 factors 184 protocol jito