SPSF v0.1 / DRAFT
Solana Protocol Security Framework
An open standard for protocol operational security on Solana.
Why this exists
Smart contract audits verify code at a point in time. They say nothing about who holds upgrade keys, what happens when an oracle goes stale, or whether anyone has an incident response plan.
Most DeFi losses come from operational failures, not code bugs.
SPSF is adapted from CSA STAR (207 controls, 17 domains for cloud), compressed into 38 controls built for onchain protocols. The output is a public, machine-readable trust page instead of a private report behind an NDA.
How it compares
| | SOC 2 | CSA STAR | SPSF |
|---|---|---|---|
| Designed for | Enterprise SaaS | Cloud providers | Solana protocols |
| Controls | 5 trust categories | 207 across 17 domains | 38 across 8 domains |
| Maturity | Type I / Type II | Level 1 / 2 / 3 | Bronze / Silver / Gold |
| Assessment | CPA firm (required) | Self to third-party | Self to third-party |
| Output | Private report (NDA) | Public registry | Public trust page |
| Scope | Availability, privacy | Cloud infrastructure | Keys, upgrades, treasury |
What users should know about any protocol
| Question | Bronze | Silver | Gold |
|---|---|---|---|
| Who holds upgrade authority? | Addresses published | 3-of-5 + HSMs | 4-of-7 distributed |
| What's the upgrade timelock? | ≥24 hours | ≥48h + public queue | ≥72h + notifications |
| What are the oracle dependencies? | Listed publicly | Fallback configured | Circuit breakers |
| What if there's a security incident? | Contacts documented | Formal IRP | 24/7 + annual drills |
| Can the team mint unlimited tokens? | Multisig or renounced | + Timelock + cap | Programmatic only |
| What if a dependency fails? | Documented | Graceful degradation | Auto-fallback |
8 Domains, 38 Controls
Trust Page
The primary output. A machine-readable YAML/JSON document consumed by wallets, aggregators, and security tools. Each field maps to a control.
```yaml
spsf_version: "0.1"
protocol:
  name: "ExampleDEX"
  program_ids:
    - address: "ExDEX...7nKp"
      verified_build: true            # PSA-04
spsf_tier: "silver"                   # overall achieved tier
spsf_verification: "third-party"      # OtterSec, 2026-03-01
authorities:
  upgrade_authority:
    type: "multisig"                  # KMA-01
    multisig:
      threshold: 3
      signers: 5
      provider: "Squads v4"           # KMA-02: silver
    timelock:
      delay_hours: 48                 # KMA-03: silver
  mint_authority:
    type: "renounced"                 # TTM-02: gold
dependencies:
  oracles:
    - provider: "Pyth Network"
      fallback: "Switchboard"         # DCM-02: silver
      circuit_breaker: true           # DCM-02: gold
audits:
  - auditor: "OtterSec"
    date: "2026-02-15"
    version: "v2.1.0"
    report_url: "https://..."
    findings:
      critical: 0
      high: 0                         # PSA-02: silver
bug_bounty:
  active: true
  platform: "Immunefi"
  max_payout: "$500,000"              # PSA-03: silver+
incident_response:
  plan_published: true                # IRR-01
  pause_mechanism: true               # IRR-02
```
Getting started
1. Assess your current posture. Review the 38 controls. See where you land across Bronze, Silver, and Gold.
2. Target Bronze first. Every Bronze requirement is achievable by a small team in days.
3. Publish a trust page. Generate YAML/JSON and host it publicly. That's the whole thing.
4. Level up over time. Silver requires third-party verification. Gold requires continuous monitoring.
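A published trust page is only useful if consumers actually check it against the tier table rather than trusting the `spsf_tier` field. The following is an added example of such a consumer-side check; it is not part of the SPSF draft or of any wallet or aggregator's code. It assumes the trust page has been fetched and decoded as JSON with the field names used in the sample trust page above, and it evaluates only the controls whose thresholds the "What users should know" table states numerically (timelock hours, multisig threshold and signer count, oracle fallback and circuit breaker). HSM use, signer distribution and notification requirements have no fields in the sample, so they are not evaluated. The sample input is the trust page from this page, constructed inline as JSON.

```python
"""Consumer-side tier check for an SPSF trust page (added example, not SPSF's own code).

Assumes: the trust page is already decoded as JSON; field names follow the sample
trust page; only numerically stated thresholds are checked (HSMs, signer
distribution and notifications are not represented as fields and are skipped).
"""
import json

# Ordered from weakest to strongest; "none" means the Bronze bar is not met.
TIERS = ["none", "bronze", "silver", "gold"]

# Constructed sample input: the trust page shown on this page, encoded as JSON.
SAMPLE_TRUST_PAGE = json.dumps({
    "spsf_version": "0.1",
    "protocol": {
        "name": "ExampleDEX",
        "program_ids": [{"address": "ExDEX...7nKp", "verified_build": True}],
    },
    "spsf_tier": "silver",
    "authorities": {
        "upgrade_authority": {
            "type": "multisig",
            "multisig": {"threshold": 3, "signers": 5, "provider": "Squads v4"},
            "timelock": {"delay_hours": 48},
        },
        "mint_authority": {"type": "renounced"},
    },
    "dependencies": {
        "oracles": [{"provider": "Pyth Network", "fallback": "Switchboard",
                     "circuit_breaker": True}],
    },
})


def upgrade_authority_tier(upgrade):
    """Who holds upgrade authority: published -> bronze, 3-of-5 -> silver, 4-of-7 -> gold."""
    if not upgrade.get("type"):
        return "none"
    ms = upgrade.get("multisig", {})
    threshold, signers = ms.get("threshold", 0), ms.get("signers", 0)
    if threshold >= 4 and signers >= 7:
        return "gold"
    if threshold >= 3 and signers >= 5:
        return "silver"
    return "bronze"


def timelock_tier(upgrade):
    """Upgrade timelock: >=24h bronze, >=48h silver, >=72h gold; below 24h fails Bronze."""
    hours = upgrade.get("timelock", {}).get("delay_hours", 0)
    for floor, tier in ((72, "gold"), (48, "silver"), (24, "bronze")):
        if hours >= floor:
            return tier
    return "none"


def oracle_tier(oracles):
    """Oracle dependencies: listed -> bronze, fallback -> silver, circuit breaker -> gold.
    Every listed oracle must meet the bar for the tier to count."""
    if not oracles or any(not o.get("provider") for o in oracles):
        return "none"
    if all(o.get("fallback") and o.get("circuit_breaker") for o in oracles):
        return "gold"
    if all(o.get("fallback") for o in oracles):
        return "silver"
    return "bronze"


def per_control_tiers(page):
    upgrade = page.get("authorities", {}).get("upgrade_authority", {})
    oracles = page.get("dependencies", {}).get("oracles", [])
    return {
        "upgrade_authority": upgrade_authority_tier(upgrade),
        "upgrade_timelock": timelock_tier(upgrade),
        "oracles": oracle_tier(oracles),
    }


def overall_tier(page):
    """A protocol is only as strong as its weakest evaluated control."""
    return min(per_control_tiers(page).values(), key=TIERS.index)


def assess_trust_page(json_text):
    """Parse a trust page and compare its self-declared tier with the computed one."""
    page = json.loads(json_text)
    computed = overall_tier(page)
    claimed = page.get("spsf_tier", "none")
    return {
        "controls": per_control_tiers(page),
        "computed_tier": computed,
        "claimed_tier": claimed,
        # A claim above the computed tier is the signal a wallet should surface.
        "claim_supported": TIERS.index(claimed) <= TIERS.index(computed),
    }


if __name__ == "__main__":
    print(json.dumps(assess_trust_page(SAMPLE_TRUST_PAGE), indent=2))
```

The overall tier is the minimum across evaluated controls, so a 3-of-5 multisig with a 48-hour timelock and circuit-breaker oracles lands on Silver, matching the sample's declared tier; dropping the timelock below 24 hours drops the computed tier to "none" and flags the Silver claim as unsupported, which is the case a wallet or aggregator should surface rather than silently trust.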
Who this is for
Make opsec the new audit.
Draft v0.1. Published by the team behind Poll.fun for ecosystem feedback.