Assessment reportsPublic findings
Back to Zellic siteBack
Assessment reports>Pye>Discussion>Untrusted bond creation
GeneralOverview
Findings
Critical (2)
High (1)
Medium (1)
Low (4)
DiscussionUntrusted bond creationMissing constraintsGlob re-export clobberingBond timestampsPotential deadlocks when slashedTest suite
DesignSolo validator bondsStake pools
Audit ResultsAssessment Results

Untrusted bond creation

It is currently unclear whether untrusted users are supposed to be able to make bonds or whether this behavior is intended to be restricted. Malicious users could create bonds with options like issuance dates far in the past / maturity dates far in the future, bonds on stake pools with high fees, or with other issues.

An unsuspecting user depositing SOL into one of these malicious bonds could potentially lose funds.

However, if the Pye front-end application only displays bonds created by Pye admins, this should not be an issue.

Zellic © 2025Back to top ↑