Q1 2026 Security & Compliance Report44 incidents, $482M in losses, insights from 11 industry leaders.
Read the report

Audit name:

[SCA] Telcoin | Solana PSV | May2026

Date:

Jun 2, 2026

Table of Content

Introduction
Audit Summary
System Overview
Potential Risks
Findings
Appendix 1. Definitions
Appendix 2. Scope
Appendix 3. Additional Valuables
Disclaimer

Want a comprehensive audit report like this?

Introduction

We express our gratitude to the Telcoin team for the collaborative engagement that enabled the execution of this Smart Contract Security Assessment.

The Peg Stability Vault (PSV) is a Solana program that enables 1:1 token swaps between a stable token and a gem token at parity, minus configurable basis-point fees.

Document

NameSmart Contract Code Review and Security Analysis Report for Telcoin
Audited ByKerem Solmaz; Hamza Sajid
Approved ByIvan Bondar
Websitehttps://telco.in
Changelog19/05/2026 - Preliminary Report
01/06/2026 - Final Report
PlatformSolana
LanguageRust
TagsAMM, Fungible Token, Centralization, Upgradable
Methodologyhttps://docs.hacken.io/methodologies/smart-contracts
  • Document

    Name
    Smart Contract Code Review and Security Analysis Report for Telcoin
    Audited By
    Kerem Solmaz; Hamza Sajid
    Approved By
    Ivan Bondar
    Changelog
    19/05/2026 - Preliminary Report
    01/06/2026 - Final Report
    Platform
    Solana
    Language
    Rust
    Tags
    AMM, Fungible Token, Centralization, Upgradable

Review Scope

Repositoryhttps://github.com/telcoin/solana-psv
Commit2602dc8
2ac6a33

Audit Summary

8Total Findings
3Resolved
5Accepted
0Mitigated

The system users should acknowledge all the risks summed up in the risks section of the report

Documentation quality

The project provides a comprehensive README covering deployment, architecture, devnet setup, and script usage. An invariant specification document details every security property with enforcement references and test mappings. Inline documentation covers public instruction handlers and key constants, though helper function internals and complex fee calculation logic contain limited explanatory comments.

Code quality

The codebase follows standard Anchor framework patterns and is organized as a single program with a single source file. Dependencies are limited to well-established crates: anchor-lang, anchor-spl, and spl-token-2022. Several access control and input validation issues were identified and reported, along with multiple informational improvements to account structure and event design.

Test coverage

Code coverage of the project can not be measured. However, the test suite includes both Rust-based unit and integration tests and TypeScript integration tests against a local validator.

  • Test files cover initialization, swaps, fee calculation, rate limiting, admin operations, transfer fees, and vault closure.

  • Formal coverage metrics were not measured; adding property-based fuzz testing for swap arithmetic and rate limiting edge cases is recommended.

System Overview

The Peg Stability Vault is a Solana program built with the Anchor framework that facilitates 1:1 swaps between two SPL tokens referred to as "stable" and "gem." The vault holds reserves of both tokens and mediates exchanges at a fixed parity rate, collecting configurable basis-point fees on each swap direction. The program supports both classic SPL Token and Token-2022 mints, allowing mixed token program configurations within a single vault.

The vault is initialized by the program upgrade authority, who becomes the initial admin. Initialization creates a Program Derived Address (PDA) seeded by the two mint addresses, along with associated token accounts for both mints owned by the vault PDA. At initialization, the program validates that both mints share the same decimal precision to ensure the 1:1 peg is meaningful at the base denomination level. For Token-2022 mints, the program rejects mints with active transfer fee configurations.

Two primary swap instructions operate the vault. The buy gem instruction accepts stable tokens from the user and returns gem tokens minus an input fee. The sell gem instruction accepts gem tokens and returns stable tokens minus an output fee. Both instructions enforce a minimum output amount parameter for slippage protection. Fee calculation uses ceiling division to ensure the protocol never undercharges, and fees are retained in the vault rather than transferred to a separate address. Whitelisted addresses bypass fee collection entirely.

Rate limiting operates on two levels: a per-swap maximum restricts individual transaction size, and a per-slot cumulative maximum caps total swap volume within a single Solana slot. Both limits are independently configurable and can be disabled by setting them to zero. When the admin updates rate limit parameters, slot tracking state resets to prevent stale accounting from blocking swaps under new configurations.

The program implements role-based access control with four distinct roles. The admin and treasury roles use a two-step propose-and-accept transfer pattern to prevent accidental reassignment. The pauser and unpauser roles are set directly by the admin. An emergency pause mechanism blocks all swap instructions while allowing administrative operations and treasury withdrawals to continue. Vault closure requires the vault to be paused and all whitelist entries removed; remaining token balances are automatically swept to treasury-designated accounts before the vault PDA is closed.

Privileged roles

  • Admin (Vault): The admin role is set at vault initialization and must match the program upgrade authority. The admin can configure input and output fee rates up to a hardcoded 10% cap, set per-swap and per-slot rate limits, manage the fee exemption whitelist, assign pauser and unpauser addresses, propose admin and treasury transfers, and close the vault. Compromise of the admin key would allow fee manipulation up to the cap, disabling rate limits, whitelisting arbitrary addresses for fee-free swaps, and shutting down the vault by pausing and closing it. No multisig or timelock protects this role.

  • Treasury (Vault): The treasury role can withdraw any amount of either token from the vault reserves to a designated recipient account. The treasury address is set at initialization and transferable via the two-step propose-and-accept pattern. Compromise of the treasury key would allow draining all vault reserves. No multisig or timelock protects this role.

  • Pauser (Vault): The pauser can halt all swap operations by activating the pause state. While paused, no user can execute buy or sell instructions. Misuse would result in a denial-of-service for all vault users. The pauser address is assigned directly by the admin.

  • Unpauser (Vault): The unpauser can restore swap operations by deactivating the pause state. The unpauser address is assigned directly by the admin. If the unpauser key is lost while the vault is paused, swap operations cannot resume unless the admin assigns a new unpauser.

  • Upgrade Authority (Program): The Solana BPF loader upgrade authority can replace the program binary at any time. The initialization instruction enforces that the initial admin matches the upgrade authority, but the upgrade authority retains independent ability to deploy new program logic regardless of vault state. A compromised upgrade authority could deploy a malicious implementation that bypasses all access controls and drains vault reserves.

Potential Risks

Dependency on Unaudited External Libraries: The program depends on anchor-lang (v1.0.2) and anchor-spl (v1.0.2) for program structure, account validation, and cross-program invocation, and on spl-token-2022 (v8) for Token-2022 extension state parsing. While these crates are widely used within the Solana ecosystem and have undergone prior review, the specific versions integrated have not been independently verified as part of this engagement. Any vulnerabilities in these dependencies would directly affect vault initialization, swap execution, and token transfer operations.

Single Points of Failure and Control: The admin address in the vault account controls fee configuration, rate limit parameters, whitelist management, pauser and unpauser assignment, role transfers, and vault closure. This address is a single signer with no multisig requirement, timelock delay, or governance mechanism constraining its actions. Compromise of this key would grant full administrative control over all vault parameters and the ability to shut down the vault permanently.

Administrative Key Control Risks: The treasury role can withdraw the entire reserve balance of both stable and gem tokens from the vault at any time, including while the vault is paused. The admin and treasury roles are held by separate addresses, but neither is protected by a multisig or timelock. The two-step transfer pattern for admin and treasury roles mitigates accidental reassignment but does not limit the operational powers of the current holder.

Flexibility and Risk in Contract Upgrades: The solana-psv program is deployed through the BPF loader upgradeable mechanism, allowing the upgrade authority to replace the program binary at any time. The initialization instruction ties the initial admin to the upgrade authority, but subsequent admin transfers do not affect the upgrade authority. A compromised upgrade authority could deploy new program logic that bypasses all access control checks, fee enforcement, and rate limiting, enabling unrestricted withdrawal of vault reserves without authorization.

Absence of Upgrade Window Constraints: The BPF loader upgrade mechanism executes immediately upon the upgrade authority's transaction with no mandatory delay, announcement period, or on-chain governance vote. Users have no opportunity to review proposed program changes or withdraw their assets from the vault before new logic takes effect, increasing the risk of undetected malicious upgrades affecting all active vaults.

Findings

Code
Title
Status
Severity
F-2026-1704Cross-Clear In Role Acceptance Handlers Silently Cancels Unrelated Pending Transfer
fixed

Medium
F-2026-1704Missing Cancel Path For Pending Role Transfers Leave Stale Authority Active
accepted

Low
F-2026-1704Missing Vault PDA Rejection For Pauser And Unpauser In Initialization Results In Temporary Block
fixed

Low
F-2026-1703Incomplete Token-2022 Extension Validation in initialize Leads to Vault Reserve Drain
accepted

Low
F-2026-1704Manual Account Space Calculation Instead Of Anchor InitSpace Derive Macro
accepted

Observation
F-2026-1715Unnecessary Account Inputs in Pubkey-Only Flows Increase Transaction Size
accepted

Observation
F-2026-1714Missing Whitelisted Account per Vault Enumeration Support
fixed

Observation
F-2026-1708Unconditional Slot Limit Setter Allows Resetting Per-Slot Budget During Active Window
accepted

Observation
1-8 of 8 findings

Identify vulnerabilities in your smart contracts.

Appendix 1. Definitions

Severities

When auditing smart contracts, Hacken is using a risk-based approach that considers Likelihood, Impact, Exploitability and Complexity metrics to evaluate findings and score severities.

Reference on how risk scoring is done is available through the repository in our Github organization:

Severity

Description

Critical
Critical vulnerabilities are usually straightforward to exploit and can lead to the loss of user funds or contract state manipulation.

High
High vulnerabilities are usually harder to exploit, requiring specific conditions, or have a more limited scope, but can still lead to the loss of user funds or contract state manipulation.

Medium
Medium vulnerabilities are usually limited to state manipulations and, in most cases, cannot lead to asset loss. Contradictions and requirements violations. Major deviations from best practices are also in this category.

Low
Major deviations from best practices or major Gas inefficiency. These issues will not have a significant impact on code execution.
  • Severity

    Critical

    Description

    Critical vulnerabilities are usually straightforward to exploit and can lead to the loss of user funds or contract state manipulation.

    Severity

    High

    Description

    High vulnerabilities are usually harder to exploit, requiring specific conditions, or have a more limited scope, but can still lead to the loss of user funds or contract state manipulation.

    Severity

    Medium

    Description

    Medium vulnerabilities are usually limited to state manipulations and, in most cases, cannot lead to asset loss. Contradictions and requirements violations. Major deviations from best practices are also in this category.

    Severity

    Low

    Description

    Major deviations from best practices or major Gas inefficiency. These issues will not have a significant impact on code execution.

Potential Risks

The "Potential Risks" section identifies issues that are not direct security vulnerabilities but could still affect the project’s performance, reliability, or user trust. These risks arise from design choices, architectural decisions, or operational practices that, while not immediately exploitable, may lead to problems under certain conditions. Additionally, potential risks can impact the quality of the audit itself, as they may involve external factors or components beyond the scope of the audit, leading to incomplete assessments or oversight of key areas. This section aims to provide a broader perspective on factors that could affect the project's long-term security, functionality, and the comprehensiveness of the audit findings.

Appendix 2. Scope

The scope of the project includes the following smart contracts from the provided repository:

Scope Details

Repositoryhttps://github.com/telcoin/solana-psv
Commit2602dc8d6807f07b6f8b3dc3b3033158d1f7be07
Final commit2ac6a334fa6c5832e6402d2e00213ea27af8b801
WhitepaperN/A
RequirementsREADME.md
Technical RequirementsREADME.md, invariants.md
  • Scope Details

    Commit
    2602dc8d6807f07b6f8b3dc3b3033158d1f7be07
    Final commit
    2ac6a334fa6c5832e6402d2e00213ea27af8b801
    Whitepaper
    N/A
    Requirements
    README.md
    Technical Requirements
    README.md, invariants.md

Assets in Scope

programs
solana-psv
src
lib.rs - programs › solana-psv › src › lib.rs

Appendix 3. Additional Valuables

Additional Recommendations

The smart contracts in the scope of this audit could benefit from the introduction of automatic emergency actions for critical activities, such as unauthorized operations like ownership changes or proxy upgrades, as well as unexpected fund manipulations, including large withdrawals or minting events. Adding such mechanisms would enable the protocol to react automatically to unusual activity, ensuring that the contract remains secure and functions as intended.

To improve functionality, these emergency actions could be designed to trigger under specific conditions, such as:

  • Detecting changes to ownership or critical permissions.

  • Monitoring large or unexpected transactions and minting events.

  • Pausing operations when irregularities are identified.

These enhancements would provide an added layer of security, making the contract more robust and better equipped to handle unexpected situations while maintaining smooth operations.

Frameworks and Methodologies

This security assessment was conducted in alignment with recognised penetration testing standards, methodologies and guidelines, including the NIST SP 800-115 – Technical Guide to Information Security Testing and Assessment , and the Penetration Testing Execution Standard (PTES) , These assets provide a structured foundation for planning, executing, and documenting technical evaluations such as vulnerability assessments, exploitation activities, and security code reviews. Hacken’s internal penetration testing methodology extends these principles to Web2 and Web3 environments to ensure consistency, repeatability, and verifiable outcomes.

Disclaimer