Light audit
Devnet review, not a mainnet audit.
This is the current internal review posture for the hackathon/devnet release. It is useful evidence for judges and integrators, but it is not a substitute for an external Solana/Anchor audit before real value.
Controls already in place
| Area | Control |
|---|---|
| Escrow PDA | Derived from agent owner + task hash, with mint stored in the escrow account. |
| Vault | Associated token account owned by the escrow PDA; release/refund transfers are PDA-signed. |
| Attestation | Release and partial release require an Ed25519 instruction before the custody instruction. |
| Merchant registry | Merchant account binds merchant pubkey, attestor pubkey, status, and reputation fields. |
| TTL refund | Refund only works after expiry and returns funds to the agent owner token account. |
| Hosted API | Prepares addresses and relays already-signed transactions; it does not receive wallet or attestor secrets. |
Known devnet limitations
| Risk | Current stance | Mainnet requirement |
|---|---|---|
| Merchant truth | Attestation makes delivery attributable, not magically true. | Merchant policy, KYB, evidence standards, and dispute escalation. |
| Create escrow preflight | Agents can create escrow to any merchant pubkey; release requires a valid registered merchant. | SDK/API should enforce active registry preflight by default for beta merchants. |
| Upgrade authority | Devnet program authority is acceptable for iteration. | Documented multisig/timelock policy before real funds. |
| Public relay | Relay only broadcasts signed transactions. | Rate limits, abuse controls, and transaction allowlist checks. |
| Evidence signing | Evidence packets include digest; API can sign when evidence signer env is configured. | Dedicated signing key, rotation playbook, and public verification docs. |
Mainnet blockers
- External review of
aap-custodyandaap-attestor. - Expanded negative tests for malformed Ed25519 ix, wrong mint, wrong merchant, stale timestamp, and refund edge cases.
- Merchant allowlist and active-registry preflight for the first beta.
- Low-value limits, monitoring, incident response, and upgrade authority policy.
No real-value custody yet
The current deployment is suitable for devnet demo and integration validation. Mainnet beta should start with low limits and an allowlist.