Introduction
We express our gratitude to the Telcoin team for the collaborative engagement that enabled the execution of this Smart Contract Security Assessment.
The Peg Stability Vault (PSV) is a Solana program that enables 1:1 token swaps between a stable token and a gem token at parity, minus configurable basis-point fees.
Document | |
|---|---|
| Name | Smart Contract Code Review and Security Analysis Report for Telcoin |
| Audited By | Kerem Solmaz; Hamza Sajid |
| Approved By | Ivan Bondar |
| Website | https://telco.in→ |
| Changelog | 19/05/2026 - Preliminary Report |
| 01/06/2026 - Final Report | |
| Platform | Solana |
| Language | Rust |
| Tags | AMM, Fungible Token, Centralization, Upgradable |
| Methodology | https://docs.hacken.io/methodologies/smart-contracts→ |
Document
- Name
- Smart Contract Code Review and Security Analysis Report for Telcoin
- Audited By
- Kerem Solmaz; Hamza Sajid
- Approved By
- Ivan Bondar
- Website
- https://telco.in→
- Changelog
- 19/05/2026 - Preliminary Report
- 01/06/2026 - Final Report
- Platform
- Solana
- Language
- Rust
- Tags
- AMM, Fungible Token, Centralization, Upgradable
Review Scope | |
|---|---|
| Repository | https://github.com/telcoin/solana-psv→ |
| Commit | 2602dc8 |
| 2ac6a33 |
Review Scope
- Repository
- https://github.com/telcoin/solana-psv→
- Commit
- 2602dc8
- 2ac6a33
Audit Summary
The system users should acknowledge all the risks summed up in the risks section of the report
Documentation quality
The project provides a comprehensive README covering deployment, architecture, devnet setup, and script usage. An invariant specification document details every security property with enforcement references and test mappings. Inline documentation covers public instruction handlers and key constants, though helper function internals and complex fee calculation logic contain limited explanatory comments.
Code quality
The codebase follows standard Anchor framework patterns and is organized as a single program with a single source file. Dependencies are limited to well-established crates: anchor-lang, anchor-spl, and spl-token-2022. Several access control and input validation issues were identified and reported, along with multiple informational improvements to account structure and event design.
Test coverage
Code coverage of the project can not be measured. However, the test suite includes both Rust-based unit and integration tests and TypeScript integration tests against a local validator.
Test files cover initialization, swaps, fee calculation, rate limiting, admin operations, transfer fees, and vault closure.
Formal coverage metrics were not measured; adding property-based fuzz testing for swap arithmetic and rate limiting edge cases is recommended.
System Overview
The Peg Stability Vault is a Solana program built with the Anchor framework that facilitates 1:1 swaps between two SPL tokens referred to as "stable" and "gem." The vault holds reserves of both tokens and mediates exchanges at a fixed parity rate, collecting configurable basis-point fees on each swap direction. The program supports both classic SPL Token and Token-2022 mints, allowing mixed token program configurations within a single vault.
The vault is initialized by the program upgrade authority, who becomes the initial admin. Initialization creates a Program Derived Address (PDA) seeded by the two mint addresses, along with associated token accounts for both mints owned by the vault PDA. At initialization, the program validates that both mints share the same decimal precision to ensure the 1:1 peg is meaningful at the base denomination level. For Token-2022 mints, the program rejects mints with active transfer fee configurations.
Two primary swap instructions operate the vault. The buy gem instruction accepts stable tokens from the user and returns gem tokens minus an input fee. The sell gem instruction accepts gem tokens and returns stable tokens minus an output fee. Both instructions enforce a minimum output amount parameter for slippage protection. Fee calculation uses ceiling division to ensure the protocol never undercharges, and fees are retained in the vault rather than transferred to a separate address. Whitelisted addresses bypass fee collection entirely.
Rate limiting operates on two levels: a per-swap maximum restricts individual transaction size, and a per-slot cumulative maximum caps total swap volume within a single Solana slot. Both limits are independently configurable and can be disabled by setting them to zero. When the admin updates rate limit parameters, slot tracking state resets to prevent stale accounting from blocking swaps under new configurations.
The program implements role-based access control with four distinct roles. The admin and treasury roles use a two-step propose-and-accept transfer pattern to prevent accidental reassignment. The pauser and unpauser roles are set directly by the admin. An emergency pause mechanism blocks all swap instructions while allowing administrative operations and treasury withdrawals to continue. Vault closure requires the vault to be paused and all whitelist entries removed; remaining token balances are automatically swept to treasury-designated accounts before the vault PDA is closed.
Privileged roles
Admin (Vault): The admin role is set at vault initialization and must match the program upgrade authority. The admin can configure input and output fee rates up to a hardcoded 10% cap, set per-swap and per-slot rate limits, manage the fee exemption whitelist, assign pauser and unpauser addresses, propose admin and treasury transfers, and close the vault. Compromise of the admin key would allow fee manipulation up to the cap, disabling rate limits, whitelisting arbitrary addresses for fee-free swaps, and shutting down the vault by pausing and closing it. No multisig or timelock protects this role.
Treasury (Vault): The treasury role can withdraw any amount of either token from the vault reserves to a designated recipient account. The treasury address is set at initialization and transferable via the two-step propose-and-accept pattern. Compromise of the treasury key would allow draining all vault reserves. No multisig or timelock protects this role.
Pauser (Vault): The pauser can halt all swap operations by activating the pause state. While paused, no user can execute buy or sell instructions. Misuse would result in a denial-of-service for all vault users. The pauser address is assigned directly by the admin.
Unpauser (Vault): The unpauser can restore swap operations by deactivating the pause state. The unpauser address is assigned directly by the admin. If the unpauser key is lost while the vault is paused, swap operations cannot resume unless the admin assigns a new unpauser.
Upgrade Authority (Program): The Solana BPF loader upgrade authority can replace the program binary at any time. The initialization instruction enforces that the initial admin matches the upgrade authority, but the upgrade authority retains independent ability to deploy new program logic regardless of vault state. A compromised upgrade authority could deploy a malicious implementation that bypasses all access controls and drains vault reserves.
Potential Risks
Dependency on Unaudited External Libraries: The program depends on anchor-lang (v1.0.2) and anchor-spl (v1.0.2) for program structure, account validation, and cross-program invocation, and on spl-token-2022 (v8) for Token-2022 extension state parsing. While these crates are widely used within the Solana ecosystem and have undergone prior review, the specific versions integrated have not been independently verified as part of this engagement. Any vulnerabilities in these dependencies would directly affect vault initialization, swap execution, and token transfer operations.
Single Points of Failure and Control: The admin address in the vault account controls fee configuration, rate limit parameters, whitelist management, pauser and unpauser assignment, role transfers, and vault closure. This address is a single signer with no multisig requirement, timelock delay, or governance mechanism constraining its actions. Compromise of this key would grant full administrative control over all vault parameters and the ability to shut down the vault permanently.
Administrative Key Control Risks: The treasury role can withdraw the entire reserve balance of both stable and gem tokens from the vault at any time, including while the vault is paused. The admin and treasury roles are held by separate addresses, but neither is protected by a multisig or timelock. The two-step transfer pattern for admin and treasury roles mitigates accidental reassignment but does not limit the operational powers of the current holder.
Flexibility and Risk in Contract Upgrades: The solana-psv program is deployed through the BPF loader upgradeable mechanism, allowing the upgrade authority to replace the program binary at any time. The initialization instruction ties the initial admin to the upgrade authority, but subsequent admin transfers do not affect the upgrade authority. A compromised upgrade authority could deploy new program logic that bypasses all access control checks, fee enforcement, and rate limiting, enabling unrestricted withdrawal of vault reserves without authorization.
Absence of Upgrade Window Constraints: The BPF loader upgrade mechanism executes immediately upon the upgrade authority's transaction with no mandatory delay, announcement period, or on-chain governance vote. Users have no opportunity to review proposed program changes or withdraw their assets from the vault before new logic takes effect, increasing the risk of undetected malicious upgrades affecting all active vaults.
Findings
Code ― | Title | Status | Severity | |
|---|---|---|---|---|
| F-2026-1704 | Cross-Clear In Role Acceptance Handlers Silently Cancels Unrelated Pending Transfer | fixed | Medium | |
| F-2026-1704 | Missing Cancel Path For Pending Role Transfers Leave Stale Authority Active | accepted | Low | |
| F-2026-1704 | Missing Vault PDA Rejection For Pauser And Unpauser In Initialization Results In Temporary Block | fixed | Low | |
| F-2026-1703 | Incomplete Token-2022 Extension Validation in initialize Leads to Vault Reserve Drain | accepted | Low | |
| F-2026-1704 | Manual Account Space Calculation Instead Of Anchor InitSpace Derive Macro | accepted | Observation | |
| F-2026-1715 | Unnecessary Account Inputs in Pubkey-Only Flows Increase Transaction Size | accepted | Observation | |
| F-2026-1714 | Missing Whitelisted Account per Vault Enumeration Support | fixed | Observation | |
| F-2026-1708 | Unconditional Slot Limit Setter Allows Resetting Per-Slot Budget During Active Window | accepted | Observation |
Appendix 1. Definitions
Severities
When auditing smart contracts, Hacken is using a risk-based approach that considers Likelihood, Impact, Exploitability and Complexity metrics to evaluate findings and score severities.
Reference on how risk scoring is done is available through the repository in our Github organization:
Severity | Description |
|---|---|
Critical | Critical vulnerabilities are usually straightforward to exploit and can lead to the loss of user funds or contract state manipulation. |
High | High vulnerabilities are usually harder to exploit, requiring specific conditions, or have a more limited scope, but can still lead to the loss of user funds or contract state manipulation. |
Medium | Medium vulnerabilities are usually limited to state manipulations and, in most cases, cannot lead to asset loss. Contradictions and requirements violations. Major deviations from best practices are also in this category. |
Low | Major deviations from best practices or major Gas inefficiency. These issues will not have a significant impact on code execution. |
Severity
- Critical
Description
- Critical vulnerabilities are usually straightforward to exploit and can lead to the loss of user funds or contract state manipulation.
Severity
- High
Description
- High vulnerabilities are usually harder to exploit, requiring specific conditions, or have a more limited scope, but can still lead to the loss of user funds or contract state manipulation.
Severity
- Medium
Description
- Medium vulnerabilities are usually limited to state manipulations and, in most cases, cannot lead to asset loss. Contradictions and requirements violations. Major deviations from best practices are also in this category.
Severity
- Low
Description
- Major deviations from best practices or major Gas inefficiency. These issues will not have a significant impact on code execution.
Potential Risks
The "Potential Risks" section identifies issues that are not direct security vulnerabilities but could still affect the project’s performance, reliability, or user trust. These risks arise from design choices, architectural decisions, or operational practices that, while not immediately exploitable, may lead to problems under certain conditions. Additionally, potential risks can impact the quality of the audit itself, as they may involve external factors or components beyond the scope of the audit, leading to incomplete assessments or oversight of key areas. This section aims to provide a broader perspective on factors that could affect the project's long-term security, functionality, and the comprehensiveness of the audit findings.
Appendix 2. Scope
The scope of the project includes the following smart contracts from the provided repository:
Scope Details | |
|---|---|
| Repository | https://github.com/telcoin/solana-psv→ |
| Commit | 2602dc8d6807f07b6f8b3dc3b3033158d1f7be07 |
| Final commit | 2ac6a334fa6c5832e6402d2e00213ea27af8b801 |
| Whitepaper | N/A |
| Requirements | README.md |
| Technical Requirements | README.md, invariants.md |
Scope Details
- Repository
- https://github.com/telcoin/solana-psv→
- Commit
- 2602dc8d6807f07b6f8b3dc3b3033158d1f7be07
- Final commit
- 2ac6a334fa6c5832e6402d2e00213ea27af8b801
- Whitepaper
- N/A
- Requirements
- README.md
- Technical Requirements
- README.md, invariants.md
Assets in Scope
Appendix 3. Additional Valuables
Additional Recommendations
The smart contracts in the scope of this audit could benefit from the introduction of automatic emergency actions for critical activities, such as unauthorized operations like ownership changes or proxy upgrades, as well as unexpected fund manipulations, including large withdrawals or minting events. Adding such mechanisms would enable the protocol to react automatically to unusual activity, ensuring that the contract remains secure and functions as intended.
To improve functionality, these emergency actions could be designed to trigger under specific conditions, such as:
Detecting changes to ownership or critical permissions.
Monitoring large or unexpected transactions and minting events.
Pausing operations when irregularities are identified.
These enhancements would provide an added layer of security, making the contract more robust and better equipped to handle unexpected situations while maintaining smooth operations.
Frameworks and Methodologies
This security assessment was conducted in alignment with recognised penetration testing standards, methodologies and guidelines, including the NIST SP 800-115 – Technical Guide to Information Security Testing and Assessment →, and the Penetration Testing Execution Standard (PTES) →, These assets provide a structured foundation for planning, executing, and documenting technical evaluations such as vulnerability assessments, exploitation activities, and security code reviews. Hacken’s internal penetration testing methodology extends these principles to Web2 and Web3 environments to ensure consistency, repeatability, and verifiable outcomes.