Reach out for an audit or to learn more about Macro
or Message on Telegram

Superstate A-7

Security Audit

May 5th, 2025

Version 1.0.0

Presented by 0xMacro

Table of Contents

Introduction

This document includes the results of the security audit for Superstate's smart contract code as found in the section titled ‘Source Code’. The security audit was performed by the Macro security team from April 5th to April 8th, 2025.

The purpose of this audit is to review the source code of certain Superstate Solidity contracts, and provide feedback on the design, architecture, and quality of the source code with an emphasis on validating the correctness and security of the software in its entirety.

Disclaimer: While Macro’s review is comprehensive and has surfaced some changes that should be made to the source code, this audit should not solely be relied upon for security, as no single audit is guaranteed to catch all possible bugs.

Overall Assessment

The following is an aggregation of issues found by the Macro Audit team:

Severity Count Acknowledged Won't Do Addressed
Critical 2 - - 2
High 1 - - 1
Low 3 1 - 2
Code Quality 4 1 - 3

Superstate was quick to respond to these issues.

Specification

Our understanding of the specification was based on the following sources:

Trust Model, Assumptions, and Accepted Risks (TMAAR)

The Allowlist Program allows for token burning by leveraging the PermanentDelegate Token Extension and assigning the Admin Authority to the Allowlist Program itself. While this design grants significant control to Superstate, they are trusted to act in the best interests of users. As outlined in the design document:

Superstate must be able to forcibly burn tokens held by an address. This would only be done in seizure (i.e. via court order) or customer support scenarios (reconstitution) , and would not be done if the tokens were held in a DeFi protocol. Similar functionality exists on ETH with our private fund tokens.

Source Code

The following source code was reviewed during the audit:

Specifically, we audited the following contracts within this repository:

Source Code SHA256
api/src/address.rs

ff2f4fc800048d4075dbd3c9ea0dc7ba69e84b52845fa33ac14e4f19354c676b
api/src/instruction.rs

3b40bf513bf3e845d5691fdd4a04fb65aa0575a5940b376c573488169e53f898
api/src/lib.rs

1369a473734280b7656720d34f7f9062787e5388e68de77fa6fb78757586ae0c
program/src/lib.rs

e090b8811820e2941af8694df200c3251d6bed4052e5b4fc9c45569857aa6273
program/src/allowlist/entrypoint.rs

d36f999fefb6f2fd4740f0c99e9f80a613314c3883c9eacf28e0958ecc76d845
program/src/allowlist/error.rs

f1fd80de42ae4e83e584450fc5f0c6e7a526b7ca7d596336d14e70baccdac82c
program/src/allowlist/mod.rs

89981ccb188748fb7c6489948bab41da42cb440bf75407eed552250018d4b902
program/src/allowlist/processor.rs

c27e0636411888c5e863e222ef862f8ec51e2e3f3d5c05d697517178e64edb2e
program/src/allowlist/state.rs

2b6b2a9ee8fa6b9cf3e4741339b0f23fc382b47f9faf2a2af8d78bb1c8c3c4c8
program/src/allowlist/tools/account.rs

c915b7870f037f758025c4706159b41a6eae0e532f7889cd1d9b1b183f672053
program/src/allowlist/tools/mod.rs

c3934dc434fc44d460ca9182cc33953336b1f96d18f31faa3d54ee12e12a4753

Note: This document contains an audit solely of the Solidity contracts listed above. Specifically, the audit pertains only to the contracts themselves, and does not pertain to any other programs or scripts, including deployment scripts.

Issue Descriptions and Recommendations

Click on an issue to jump to it, or scroll down to see them all.

Security Level Reference

We quantify issues in three parts:

  1. The high/medium/low/spec-breaking impact of the issue:
    • How bad things can get (for a vulnerability)
    • The significance of an improvement (for a code quality issue)
    • The amount of gas saved (for a gas optimization)
  2. The high/medium/low likelihood of the issue:
    • How likely is the issue to occur (for a vulnerability)
  3. The overall critical/high/medium/low severity of the issue.

This third part – the severity level – is a summary of how much consideration the client should give to fixing the issue. We assign severity according to the table of guidelines below:

Severity Description
(C-x)
Critical

We recommend the client must fix the issue, no matter what, because not fixing would mean significant funds/assets WILL be lost.
(H-x)
High

We recommend the client must address the issue, no matter what, because not fixing would be very bad, or some funds/assets will be lost, or the code’s behavior is against the provided spec.
(M-x)
Medium

We recommend the client to seriously consider fixing the issue, as the implications of not fixing the issue are severe enough to impact the project significantly, albiet not in an existential manner.
(L-x)
Low

The risk is small, unlikely, or may not relevant to the project in a meaningful way.

Whether or not the project wants to develop a fix is up to the goals and needs of the project.
(Q-x)
Code Quality

The issue identified does not pose any obvious risk, but fixing could improve overall code quality, on-chain composability, developer ergonomics, or even certain aspects of protocol design.
(I-x)
Informational

Warnings and things to keep in mind when operating the protocol. No immediate action required.
(G-x)
Gas Optimizations

The presented optimization suggestion would save an amount of gas significant enough, in our opinion, to be worth the development cost of implementing it.

Issue Details

C-1

Missing ownership validation in PublicAllowedAccount account

Topic
Account Validation
Status
Fixed
Impact
High
Likelihood
High

The process_thaw() function in @program/src/allowlist/processor.rs contains a critical vulnerability where it fails to properly validate the Program Derived Address (PDA) of the public allowed account. This oversight allows an attacker to bypass the frozen account restrictions by providing a maliciously crafted account.

The root cause lies in the validation logic for the public allowed account PDA. While the code checks if the account data can be deserialized into a PublicAllowedAccount structure, it does not verify that the provided account is owned by the program. This means an attacker can create an account outside the program with valid PublicAllowedAccount data at any address and use it to bypass the frozen account restrictions.

As a result, any frozen token account can be thawed by its owner, which defeats the entire purpose of the program.

Remediations to Consider

While the root cause is the missing ownership validation of the PublicAllowedAccount account, the better fix is to derive the expected PDA address using the same seeds as when the account was created and verify that the provided account matches this address. Validating the owner field in the PublicAllowedAccount account will not be needed in this case.

pub fn process_thaw(accounts: &[AccountInfo], program_id: &Pubkey) -> ProgramResult {
    ...

    if *is_private_instrument_mint {
        ...
    } else {
+      let (allowed_account_pda, _) = get_public_allowed_account_pda(user_account_info.key, program_id);
+      if allowed_account_pda != *user_public_allowed_account_pda.key {
+           return Err(AllowlistError::IncorrectAllowedAccountPda.into());
+       }

        // check for public instruments
        if let Ok(public_account_data) = &user_public_allowed_account_pda.data.try_borrow_mut()
        {
-           if let Ok(public_allowed_account) =
-               borsh::from_slice::< PublicAllowedAccount>(public_account_data)
-            {
-               if public_allowed_account.owner == user_associated_token_account.base.owner {
-                   user_is_allowed = true;
-               }
-           }

+           if borsh::from_slice::< PublicAllowedAccount>(public_account_data).is_ok(){
+               user_is_allowed = true;
+           }
        }
    }

    if !user_is_allowed {
        return Err(AllowlistError::UserNotAllowed.into());
    }

    ...
}

Reference: src/allowlist/processor.rs#L290-L411

C-2

Missing validations in PrivateAllowedAccount account

Topic
Account Validation
Status
Fixed
Impact
High
Likelihood
High

The process_thaw() function in @program/src/allowlist/processor.rs contains a critical vulnerability where it fails to properly validate the Program Derived Address (PDA) of the private allowed account. This oversight allows an attacker to bypass the frozen account restrictions by providing a maliciously crafted account.

The root cause lies in the validation logic for the private allowed account PDA. It stems from two separate missing validations, causing two different impacts:

  1. Similar to the C-1 issue, the PrivateAllowedAccount account is missing validation to verify that the provided account is owned by the program. This means an attacker can create an account outside the program with valid PrivateAllowedAccount data at any address and use it to bypass the frozen account restrictions. As a result, any frozen token account can be thawed by its owner, which defeats the entire purpose of the program.
  2. Additionally, the PrivateAllowedAccount account is missing validation to check that the mint field of the account matches the mint_info account provided. This means that an attacker can use a PrivateAllowedAccount from another token to bypass the restriction. As a result, attackers who are allowed for only one private instrument can thaw their token account for any private instrument.

Remediations to Consider

While the root cause is the missing ownership validation of the PrivateAllowedAccount account, the better fix is to derive the expected PDA address using the same seeds as when the account was created and verify that the provided account matches this address. Validating the owner field in the PrivateAllowedAccount account will not be needed in this case.

pub fn process_thaw(accounts: &[AccountInfo], program_id: &Pubkey) -> ProgramResult {
  ...

  if *is_private_instrument_mint {

    +       let (allowed_account_pda, _) = get_private_allowed_account_pda(user_account_info.key, mint_info.key, program_id);
    +       if allowed_account_pda != *user_private_allowed_account_pda.key {
    +           return Err(AllowlistError::IncorrectAllowedAccountPda.into());
    +       }
    
    -       if let Ok(private_allowed_account) = borsh::from_slice::< PrivateAllowedAccount>(
    -           &user_private_allowed_account_pda.data.borrow_mut(),
    -       ) {
    -           if private_allowed_account.owner == user_associated_token_account.base.owner {
    -               user_is_allowed = true;
    -           }
    -       }
    
    +       if borsh::from_slice::< PrivateAllowedAccount>(&user_private_allowed_account_pda.data.borrow_mut()).is_ok() {
    +           user_is_allowed = true;
    +       }

  ...
}

Reference: src/allowlist/processor.rs#L290-L411

H-1

Frontrunning attack on PDA account creation leads to DOS

Topic
Account Creation
Status
Fixed
Impact
High
Likelihood
Medium

The create_pda_account() function in allowlist/tools/account.rs contains a vulnerability in its account creation logic that can be exploited through frontrunning. The function attempts to create PDA accounts for private allowlists, public allowed accounts, and private allowed accounts, but fails to properly handle cases where a malicious user donates to an uninitialized account.

pub fn create_pda_account<'a>(
    payer: &AccountInfo<'a>,
    rent: &Rent,
    space: usize,
    owner: &Pubkey,
    system_program: &AccountInfo<'a>,
    new_pda_account: &AccountInfo<'a>,
    new_pda_signer_seeds: &[&[u8]],
) -> ProgramResult {
    ...
    if new_pda_account.data_is_empty() && new_pda_account.lamports() == 0 {
        ...
    } else if new_pda_account.owner != system_program.key {
        ...
    } else {
        invoke_signed(
            &system_instruction::transfer(payer.key, new_pda_account.key, lamports_required),
            &[
                payer.clone(),
                new_pda_account.clone(),
                system_program.clone(),
            ],
            &[new_pda_signer_seeds],
        )?;
        invoke_signed(
            &system_instruction::assign(new_pda_account.key, owner),
            &[
                payer.clone(),
                new_pda_account.clone(),
                system_program.clone(),
            ],
            &[new_pda_signer_seeds],
        )?;
    }

Reference: src/allowlist/tools/account.rs#L9-L68

The root cause lies in the conditional logic of create_pda_account(). When a PDA account is empty and has zero lamports, it correctly creates a new account. However, if a malicious user frontruns the transaction by donating lamports to an uninitialized account (with zero lamports but non-empty data), the function enters the else branch. This branch only transfers lamports and reassigns ownership, but crucially misses the account allocation step. As a result, the transaction fails when attempting to write data to the account, effectively causing a Denial of Service (DOS) attack.

As a result, malicious users can prevent the creation of essential accounts, disrupting the entire allowlist system's functionality.

Remediations to Consider Consider using best practices when creating a PDA like the Associated Token Account program

L-1

Freezing accounts is missing proper validation for user_account_info

Topic
Validation
Status
Fixed
Impact
Low
Likelihood
Low

The process_admin_freeze() function in @program/src/allowlist/processor.rs does not adequately validate the user_account_info parameter. This omission may result in incorrect behavior, such as freezing an unintended account if an admin supplies a user_account_info that does not correspond to the owner of the associated token account.(user_associated_token_account_info).

Remediation to Consider

Add a check to verify that user_account_info matches the owner of the user_associated_token_account, similar to the validation in the process_admin_burn function.

L-2

Frontrunning vulnerability in admin initialization

Topic
Frontrun
Status
Acknowledged
Impact
Medium
Likelihood
Low

The process_initialize_admin_authority() function in src/allowlist/processor.rs contains a frontrunning vulnerability in the admin initialization process. The function allows any user to become the initial admin authority of the program by being the first to call this function after program deployment.

The root cause lies in the lack of a predefined initial authority or a constant signer requirement. Currently, the function only verifies that the initial_admin_authority is a signer, but does not validate against any predefined authority. This means that any malicious actor can frontrun the legitimate admin initialization transaction and claim the admin role. As a result, the protocol will have to redeploy the program.

Remediations to Consider

The most secure solution would be to hardcode the initial admin authority in the program. This ensures that only the intended authority can initialize the admin state.

L-3

Missing token validation in private allowlist initialization

Topic
Sanity Check
Status
Fixed
Impact
High
Likelihood
Low

The process_add_private_allowlist() function in src/allowlist/processor.rs fails to validate critical properties of the mint token account before adding it to the private allowlist. This oversight could lead to the program accepting invalid or maliciously configured tokens, potentially breaking core security assumptions.

The root cause lies in the function's account validation logic, where it only checks basic account properties but omits crucial token-specific validations. Specifically, the function should verify:

  1. The mint account's owner is the Token-2022 program
  2. The mint account can be properly parsed as a PodAccount
  3. The mint has required extensions configured:
    • ImmutableOwner to prevent ownership changes
    • DefaultAccountState with frozen as default state
    • PermanentDelegate with the allowlist program as delegatee
    • ScaledUiAmount

Without these sanity checks, an admin can potentially allow flawed tokens which could lead to broken behavior. For example, if the allowed token doesn't have the ImmutableOwner extension, an attacker could thaw their token account and transfer ownership to another address, breaking the program's security model.

Remediations to Consider

Consider adding these validations to the process_add_private_allowlist() function. Note that with the current account design, public instruments cannot have these validations added unless they are checked every time a user attempts to thaw their account.

Q-1

Unnecessary program_id in PDA seeds

Topic
Redundant logic
Status
Fixed
Quality Impact
Low

The codebase contains several PDA derivation functions that include the program_id in their seeds unnecessarily. This occurs in multiple functions including get_private_allowlist_pda(), get_public_allowed_account_pda(), get_private_allowed_account_pda(), and get_admin_pda().

When deriving a PDA using Pubkey::find_program_address(), the program_id is automatically included in the hash calculation by the runtime. Therefore, explicitly including it in the seeds array is redundant and does not provide any additional security or functionality.

Consider removing the program_id from the seeds array in all PDA derivation functions to reduce storage costs and improve code clarity while maintaining the same security guarantees.

Q-2

PDA bump calculation inefficiency in admin authority derivation

Topic
Redundant logic
Status
Acknowledged
Quality Impact
Low

The program recalculates the canonical bump seed for derived accounts on every invocation, resulting in unnecessary CU consumption.

A canonical bump is the highest valid bump seed (0-255) that, when combined with other seeds, produces a valid PDA that lies off the ed25519 curve. The find_program_address() function iterates through possible bump seeds to find this value. While this calculation is necessary during account creation, recalculating it for existing PDAs is inefficient.

Consider storing the canonical bump in the account's data structure and reusing it for subsequent derivations.

Q-3

Redundant signer validation in admin authority update

Topic
Redundant logic
Status
Fixed
Quality Impact
Low

The process_update_admin_authority() function contains redundant signer validation checks. The function first explicitly checks if current_admin_authority_info is a signer, then calls validate_admin_authority() which performs the same check again. While not a security risk, these duplicate checks should be eliminated to improve code efficiency and maintainability. Consider removing the initial explicit signer check since validate_admin_authority() already performs this validation.

Q-4

Unnecessary data clearing in account deletion

Topic
Redundant logic
Status
Fixed
Quality Impact
Low

The remove_pda_account() function in @program/src/allowlist/tools/account.rs includes an unnecessary step of clearing account data before deletion. This operation is redundant.

This finding is supported by examining best practices from major Solana projects like Token_2022 implementation and Anchor implementation. Both implementations follow the inverse steps of account creation without explicitly clearing data, focusing instead on the essential steps of transferring lamports, reassigning ownership, and reallocating size.

Consider following the best practices provided above to fix the issue.

Disclaimer

Macro makes no warranties, either express, implied, statutory, or otherwise, with respect to the services or deliverables provided in this report, and Macro specifically disclaims all implied warranties of merchantability, fitness for a particular purpose, noninfringement and those arising from a course of dealing, usage or trade with respect thereto, and all such warranties are hereby excluded to the fullest extent permitted by law.

Macro will not be liable for any lost profits, business, contracts, revenue, goodwill, production, anticipated savings, loss of data, or costs of procurement of substitute goods or services or for any claim or demand by any other party. In no event will Macro be liable for consequential, incidental, special, indirect, or exemplary damages arising out of this agreement or any work statement, however caused and (to the fullest extent permitted by law) under any theory of liability (including negligence), even if Macro has been advised of the possibility of such damages.

The scope of this report and review is limited to a review of only the code presented by the Superstate team and only the source code Macro notes as being within the scope of Macro’s review within this report. This report does not include an audit of the deployment scripts used to deploy the Solidity contracts in the repository corresponding to this audit. Specifically, for the avoidance of doubt, this report does not constitute investment advice, is not intended to be relied upon as investment advice, is not an endorsement of this project or team, and it is not a guarantee as to the absolute security of the project. In this report you may through hypertext or other computer links, gain access to websites operated by persons other than Macro. Such hyperlinks are provided for your reference and convenience only, and are the exclusive responsibility of such websites’ owners. You agree that Macro is not responsible for the content or operation of such websites, and that Macro shall have no liability to your or any other person or entity for the use of third party websites. Macro assumes no responsibility for the use of third party software and shall have no liability whatsoever to any person or entity for the accuracy or completeness of any outcome generated by such software.