Deployed bytecode matches signed release tag

Jito's assessment for RD-F-136 — scored yellow on the v1.7.0 rubric. The evidence below is the curator's reasoning for this score.

Evidence summary #

Solana programs use solana-verify for bytecode-to-source matching. StakeNet documentation confirms: 'can be verified from repository with solana-verify verify-from-repo.' OtterSec audits cite specific commit SHAs. However, comprehensive verification of all deployed programs vs. latest commits is not confirmed from available public evidence. Programmatic verification path exists but completeness is unconfirmed.

Sources #

Docs
Verifying Programs — Solana DocsSolana docs: solana-verify build creates reproducible builds verifiable on-chainretrieved 2026-04-29
GitHub
Jito StakeNet GitHubStakeNet README: solana-verify verify-from-repo command documentedretrieved 2026-04-29

Methodology #

Determine whether the deployed runtime bytecode corresponds to a signed git tag in the protocol's repository.

See the full factor methodology and distribution across all protocols →

rubric_version v1.7.0 protocol jito factor RD-F-136 score yellow collected_at 2026-04-29 15:50:23