> ## Documentation Index
> Fetch the complete documentation index at: https://docs.raydium.io/llms.txt
> Use this file to discover all available pages before exploring further.

# Audits

> Audit history per Raydium program — firm, scope, date, report link — plus fix-status tracking and commentary on what audits do and don't cover.

<Info>
  Audits catch some classes of bugs (known attack patterns, access-control mistakes, integer overflow) and miss others (economic design flaws, game-theoretic manipulation, integration bugs with other programs). Raydium's programs have multiple rounds of audits each; this page lists them and discusses what each audit actually verified.
</Info>

## Per-program audit table

| Program                                                  | Auditor                                            | Date    | Report                                                                                                                                                                    |
| -------------------------------------------------------- | -------------------------------------------------- | ------- | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
| Order-book AMM                                           | [Kudelski Security](https://kudelskisecurity.com/) | Q2 2021 | [View](https://github.com/raydium-io/raydium-docs/blob/master/audit/Kudelski%20Q2%202021/Raydium_Audit.pdf)                                                               |
| Concentrated liquidity (CLMM)                            | [OtterSec](https://osec.io/)                       | Q3 2022 | [View](https://github.com/raydium-io/raydium-docs/blob/master/audit/OtterSec%20Q3%202022/Raydium%20concentrated%20liquidity%20%28CLMM%29%20program.pdf)                   |
| Updated order-book AMM                                   | [OtterSec](https://osec.io/)                       | Q3 2022 | [View](https://github.com/raydium-io/raydium-docs/blob/master/audit/OtterSec%20Q3%202022/Raydium%20updated%20order-book%20AMM%20program.pdf)                              |
| Staking                                                  | [OtterSec](https://osec.io/)                       | Q3 2022 | [View](https://github.com/raydium-io/raydium-docs/blob/master/audit/OtterSec%20Q3%202022/Raydium%20staking%20program.pdf)                                                 |
| Order-book AMM & OpenBook migration                      | [MadShield](https://www.madshield.xyz/)            | Q2 2023 | [View](https://github.com/raydium-io/raydium-docs/blob/master/audit/MadSheild%20Q2%202023/Raydium%20updated%20orderbook%20AMM%20program%20%26%20OpenBook%20migration.pdf) |
| Constant-product AMM (CPMM)                              | [MadShield](https://www.madshield.xyz/)            | Q1 2024 | [View](https://github.com/raydium-io/raydium-docs/blob/master/audit/MadShield%20Q1%202024/raydium-cp-swap-v-1.0.0.pdf)                                                    |
| Burn & Earn (liquidity locker)                           | [Halborn](https://www.halborn.com/)                | Q4 2024 | [View](https://github.com/raydium-io/raydium-docs/blob/master/audit/Halborn%20Q4%202024/raydium_liquidity_locking.pdf)                                                    |
| LaunchLab                                                | [Halborn](https://www.halborn.com/)                | Q2 2025 | [View](https://github.com/raydium-io/raydium-docs/blob/master/audit/Halborn%20Q2%202025/raydium_launch.pdf)                                                               |
| CPMM (update)                                            | [Sec3](https://www.sec3.dev/)                      | Q3 2025 | [View](https://github.com/raydium-io/raydium-docs/blob/master/audit/Sec3%20Q3%202025/raydium_cp_swap_pr55.pdf)                                                            |
| CLMM update — Limit Order, Dynamic Fee, Single Asset Fee | [Sec3](https://www.sec3.dev/)                      | Q2 2026 | [View](https://github.com/raydium-io/raydium-docs/tree/master/audit/Sec3%20Q2%202026)                                                                                     |

Members of the [Neodyme](https://neodyme.io/) team have also performed extensive reviews via bug-bounty agreements.

All audit reports for Raydium programs are mirrored under [`github.com/raydium-io/raydium-docs/audit/`](https://github.com/raydium-io/raydium-docs/tree/master/audit). Each auditor also publishes on their own site.

## What audits cover

A typical Raydium audit (\~3–6 weeks, 2 auditors) covers:

* **Access control** — is every privileged operation correctly gated?
* **Arithmetic** — overflows, underflows, rounding direction, fixed-point precision.
* **Account validation** — does every account have the correct owner, mint, authority?
* **Reentrancy-like patterns** — does state update before or after a CPI?
* **PDA derivation** — are seeds consistent across all sites?
* **Error codes and messages** — do error conditions revert cleanly?
* **Code quality** — idiomatic Rust, dead code, unreachable branches.

## What audits don't cover

* **Economic game theory** — e.g. "if I can create 1000 pools for free, can I grief the router?"
* **MEV / ordering** — sandwich attacks, front-running via validator collusion.
* **Off-chain infrastructure** — RPC reliability, indexer correctness, frontend.
* **Integrations with other programs** — bugs that only manifest when composed with specific lending, options, or aggregator contracts.
* **Emergent behaviors over time** — what happens after 10 million positions? Audits look at small-scale test cases.

This is why audit ≠ safety guarantee. Raydium supplements audits with bug bounties, monitoring, and defensive engineering.

## Finding-resolution status

Every audit produces a findings list (critical / high / medium / low / informational), with severity counts and per-finding status (Fixed / Acknowledged / Won't fix). Per-finding breakdowns are not duplicated here — read each report directly via the table above.

## Re-audit after significant changes

When a program ships a significant upgrade (new instruction, new account field, new extension support), Raydium commissions a re-audit. The Sec3 Q3 2025 review of CPMM and the Sec3 Q2 2026 review of CLMM (Limit Order, Dynamic Fee, Single Asset Fee) listed in the table above are both re-audits of this kind.

The re-audit scope is narrower (just the diff), but it's genuinely a re-audit — not just a code review. Reports for re-audits are appended to the primary audit report.

## On-chain verification

The deployed program hash should match the audited code hash. Anyone can verify:

```bash theme={null}
# Pull the deployed program bytecode.
solana program dump <PROGRAM_ID> program.so

# Build the repo at the audited commit.
git clone https://github.com/raydium-io/raydium-cp-swap
cd raydium-cp-swap
git checkout <audited_commit_hash>
anchor build --verifiable

# Compare.
sha256sum program.so target/deploy/raydium_cp_swap.so
```

The Anchor verifiable builds produce deterministic bytecode; hashes should match exactly. If they don't, the deployed program is not the audited one — escalate.

Raydium publishes the expected hashes per deploy in the repo releases section.

## How to read an audit report

A short guide for non-auditors:

1. **Skip to the findings summary** — a table of severity counts. If the "Critical" count is >0 and you see "Open" status, dig in.
2. **Read each finding's description and status.** "Fixed in commit XYZ" means resolved; "Acknowledged" means the team accepted the risk; "Partially fixed" is worth a closer look.
3. **Scan the scope section.** If the audit didn't cover the instruction or account you care about, the absence of findings there isn't evidence of safety.
4. **Skim the auditor's recommendations section.** Often more useful than the findings — surfaces "we couldn't formally prove this but we're uneasy" notes.

## Bug-bounty integration

Audits run pre-deploy; bug bounties run continuously post-deploy. Raydium's bounty program ([`security/disclosure`](/security/disclosure)) covers everything audits do plus:

* Economic attacks that audits don't cover.
* Bugs found in new integrations.
* Implementation bugs in SDKs and off-chain components.

A whitehat finding in the bounty program typically gets paid out faster than waiting for the next audit cycle; incentives are aligned to disclose rapidly. The active program is hosted on Immunefi: [immunefi.com/bug-bounty/raydium/information](https://immunefi.com/bug-bounty/raydium/information/).

## Historical incidents

Raydium's programs have had two notable real-world incidents:

### Pool authority exploit (December 2022)

**What:** AMM v4 pool authority private key was compromised, allowing an attacker to drain several pools.

**Scope:** Operational key management, not a program bug. The audit had not flagged the code since the code was correct; the key management process was the failure.

**Fix:** Multisig migration (all authority roles moved to Squads multisig); additional operational controls.

**Lesson:** Audits don't cover key management. See [`security/admin-and-multisig`](/security/admin-and-multisig).

### OpenBook integration freeze (January 2023)

**What:** An OpenBook program update changed account semantics; AMM v4's MonitorStep crank couldn't settle PnL until an AMM v4 patch shipped.

**Scope:** Integration bug — neither program was wrong in isolation.

**Fix:** AMM v4 patch and coordinated deploy.

**Lesson:** Audits of program A don't catch bugs in program A's integration with program B. The right tool is integration testing + staged rollouts.

## Pointers

* [`security/admin-and-multisig`](/security/admin-and-multisig) — authority structure.
* [`security/attack-vectors`](/security/attack-vectors) — known attack patterns.
* [`security/disclosure`](/security/disclosure) — bug-bounty policy.

Sources:

* Per-program source repositories: [`raydium-amm`](https://github.com/raydium-io/raydium-amm), [`raydium-clmm`](https://github.com/raydium-io/raydium-clmm), [`raydium-cp-swap`](https://github.com/raydium-io/raydium-cp-swap).
* Audit report mirror: [`raydium-docs/audit`](https://github.com/raydium-io/raydium-docs/tree/master/audit).
* Bug-bounty: [Immunefi — Raydium](https://immunefi.com/bug-bounty/raydium/information/).
