This is a self-assessment unless an independent audit is linked below. Claims
here are verifiable against the source code and on-chain behavior. Where a
control has not been independently verified, it is marked accordingly.
Security posture
Microset is a non-custodial Solana parimutuel prediction market. The security goals are: (1) users sign every on-chain action; (2) staked SOL moves only by fixed on-chain rules from program-owned vault PDAs; (3) the quick-prediction delegate is bounded by a user-set spend cap; and (4) administrative powers are limited and disclosed.
Threat model
| Threat | Mitigation | Status |
|---|---|---|
| Operator drains user funds | Stakes held in program vault PDAs; payouts only by on-chain parimutuel formula | Confirmed by design |
| Malicious program upgrade | Upgrade authority is a single key held by Microset | Confirmed (single key; a multisig would harden this) |
| Unfair resolution | Resolution by config.resolution_authority using real-world sports data (Roanuz) | Confirmed in source |
| Blind-signature phishing | Human-readable sign-in message; explicit transactions | Confirmed by design |
| Quick-prediction key misuse | Delegate bounded by max_lamports cap; revocable; cannot touch main wallet | Confirmed in source |
| Frontend compromise | App served over HTTPS on app.microset.io; backend on Railway | Mitigated |
Smart contract risks reviewed
Access control
A single global Config holds authority and resolution_authority. The
authority (a single key held by Microset) can update config and pause; the
resolution authority resolves and voids markets. Markets are created by
Microset’s backend (authority-only in practice).
Fund custody & payouts
Stakes are held in a program-owned vault PDA per market and paid out by the
claim parimutuel formula; native-SOL payouts preserve rent-exemption. No
path lets an operator transfer a user’s main-wallet funds.
Quick-prediction delegate
The user funds the delegate session into an escrow with a max_lamports cap
and an expires_at expiry; the session is revocable, and unused funds are
withdrawable. The delegate can spend only from that escrow, up to the cap.
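The checks a reviewer would expect behind the delegate claims above, as an added stand-alone Rust model; it is not Microset's program code. Only max_lamports and expires_at come from this page; the other fields, the error names, and treating now == expires_at as expired are assumptions.

```rust
// Hypothetical model of a capped delegate session (not Microset's program code).
#[derive(Debug, PartialEq)]
pub enum SpendError { Revoked, Expired, CapExceeded, EscrowShort, Overflow }

pub struct Session {
    pub max_lamports: u64, // user-set spend cap (name from the page)
    pub expires_at: i64,   // unix time at which the delegate stops working (name from the page)
    pub spent: u64,        // running total staked by the delegate (assumed field)
    pub escrow: u64,       // lamports currently held in escrow (assumed field)
    pub revoked: bool,     // set when the user revokes (assumed field)
}

impl Session {
    /// Delegate stake: every check passes before any balance changes.
    pub fn spend(&mut self, amount: u64, now: i64) -> Result<(), SpendError> {
        if self.revoked { return Err(SpendError::Revoked); }
        if now >= self.expires_at { return Err(SpendError::Expired); }
        // checked_add: a wrapping add would let a huge amount slip under the cap.
        let total = self.spent.checked_add(amount).ok_or(SpendError::Overflow)?;
        if total > self.max_lamports { return Err(SpendError::CapExceeded); }
        // The escrow can hold less than the cap, so it is checked separately.
        let left = self.escrow.checked_sub(amount).ok_or(SpendError::EscrowShort)?;
        self.spent = total;
        self.escrow = left;
        Ok(())
    }

    /// User revokes the session and withdraws whatever was not spent.
    pub fn revoke_and_withdraw(&mut self) -> u64 {
        self.revoked = true;
        std::mem::take(&mut self.escrow)
    }
}

fn main() {
    // Constructed sample: 1 SOL cap, 1 SOL escrowed, expiry at t = 1000.
    let mut s = Session { max_lamports: 1_000_000_000, expires_at: 1_000,
                          spent: 0, escrow: 1_000_000_000, revoked: false };
    println!("{:?}", s.spend(600_000_000, 10));
    println!("{:?}", s.spend(500_000_000, 11));
    println!("{:?}", s.spend(u64::MAX, 12));
    println!("{:?}", s.spend(1, 1_000));
    println!("{}", s.revoke_and_withdraw());
    println!("{:?}", s.spend(1, 13));
}
```

The same cases (over-cap, overflow, at-expiry, post-revoke, under-funded escrow) are the ones to look for in the on-chain tests when verifying the "Confirmed in source" status.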
Fees
The protocol fee (protocol_fee_bps) is capped on-chain (InvalidFeeBps) and
is sent to the treasury (3AzAex6f…xn9Cz) on resolution.
Application security reviewed
| Area | Notes |
|---|---|
| Wallet / auth | Privy, Solana-only, external wallets; sign-in message → backend JWT |
| Quick-prediction session | On-chain delegate with spend cap, expiry, and revoke (no SPL token delegate) |
| Transaction construction | Built client-side from the program IDL; user signs in-wallet |
| Backend | Node/Express + MongoDB; JWT auth; hosted on Railway; secrets in environment configuration |
| Resolution data | Roanuz Sports API (cricket), via signed webhooks |
| Dependency integrity | Pinned dependency lockfiles across repositories |
Testing summary
- Smart-contract tests: covered by internal testing (happy-path and edge cases such as duplicate market, double claim, non-winner claim, and prediction-after-resolution).
- Static analysis and vulnerability testing performed as part of internal security review.
Security review
Microset has completed internal security audits and vulnerability testing of
the smart contract and application. A third-party audit is a planned next step
that would further strengthen this review.
Known limitations
- The program runs on Solana devnet; a mainnet launch is a planned future step.
- The program upgrade authority is a single key; moving it to a multisig would reduce key-compromise risk.
- A third-party audit is planned (internal audits and vulnerability testing are complete).