Security#
Marinade prioritizes security through audits, open-source code, and transparent operations.
| Security Feature | Status |
|---|---|
| Audits | Neodyme, Kudelski, Ackee |
| Open Source | All programs on GitHub |
| Bug Bounty | Active |
| Multisig | 4/7 for critical operations |
Audit History#
Marinade's smart contracts have been audited by leading security firms:
| Auditor | Date | Scope | Report |
|---|---|---|---|
| Neodyme | 2021 | Liquid Staking Program | View |
| Kudelski Security | 2022 | Full Protocol Review | View |
| Ackee Blockchain | 2022 | Liquid Staking + Governance | View |
Open Source#
All Marinade programs are open source and verifiable:
| Program | Repository |
|---|---|
| Liquid Staking | marinade-finance/liquid-staking-program |
| Voter Stake Registry | marinade-finance/voter-stake-registry |
| Referral Program | marinade-finance/liquid-staking-referral-program |
Risk Disclosure#
Liquid Staking (mSOL)#
| Risk | Description | Mitigation |
|---|---|---|
| Smart Contract | Bugs in staking program | Multiple audits, open source |
| mSOL Depeg | mSOL trades below backing | Liquidity pools, arbitrage |
| Validator Risk | Underperforming validators | PSR protection, diversification |
Native Staking#
| Risk | Description | Mitigation |
|---|---|---|
| Validator Risk | Missed rewards | PSR protection |
| Stake Authority | PDA-controlled | User retains withdraw authority |
| Operational | Bot/API issues | Multisig controls, manual override |
Custody & Control#
Liquid Staking#
- User deposits SOL → Protocol holds it
- User receives mSOL → Tradeable token
- Redemption → Exchange mSOL back to SOL
Native Staking#
- User creates stake account → User owns it
- Stake authority → Marinade PDA (delegation only)
- Withdraw authority → User retains full control
Non-Custodial Native Staking
With native staking, you always retain withdraw authority. Even if Marinade ceased operations, you could withdraw your SOL directly using the Solana CLI.
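The custody split described above can be checked on the raw account data, as in this added example (not Marinade's code), which decodes the authorities from a stake account's header and reports any departure from the model. Assumptions: `data` is the raw account bytes (for instance from an RPC `getAccountInfo` call), `expected_staker` is a placeholder for the Marinade PDA, which this page does not list, and the lockup check goes beyond what the page covers.

```python
import struct

B58 = "123456789ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz"

def b58encode(raw: bytes) -> str:
    """Base58, the text form Solana uses for public keys."""
    n, out = int.from_bytes(raw, "big"), ""
    while n:
        n, rem = divmod(n, 58)
        out = B58[rem] + out
    return "1" * (len(raw) - len(raw.lstrip(b"\0"))) + out

def parse_stake_meta(data: bytes) -> dict:
    """Decode a stake account header: u32 state tag, then the Meta struct."""
    if len(data) < 124:
        raise ValueError("too short for a stake account header")
    (state,) = struct.unpack_from("<I", data, 0)
    if state not in (1, 2):  # 1 = Initialized, 2 = Stake (delegated)
        raise ValueError(f"state {state} carries no authorities")
    lock_ts, lock_epoch = struct.unpack_from("<qQ", data, 76)
    return {
        "staker": b58encode(data[12:44]),       # stake authority
        "withdrawer": b58encode(data[44:76]),   # withdraw authority
        "lockup_ts": lock_ts,
        "lockup_epoch": lock_epoch,
    }

def custody_findings(meta, my_pubkey, expected_staker, now_ts, epoch):
    """List every way the account departs from the custody model above."""
    findings = []
    if meta["withdrawer"] != my_pubkey:
        findings.append("withdraw authority is not your key")
    if meta["staker"] not in (my_pubkey, expected_staker):
        findings.append("stake authority is an unexpected key")
    if meta["lockup_ts"] > now_ts or meta["lockup_epoch"] > epoch:
        findings.append("lockup in force: withdrawal needs the custodian")
    return findings

# Constructed sample: keys are repeated bytes, not real accounts.
ME, PDA = bytes([7]) * 32, bytes([9]) * 32
SAMPLE = (struct.pack("<IQ", 2, 2282880) + PDA + ME
          + struct.pack("<qQ", 0, 0) + bytes(32))

if __name__ == "__main__":
    meta = parse_stake_meta(SAMPLE)
    print(meta)
    print(custody_findings(meta, b58encode(ME), b58encode(PDA), 1_700_000_000, 500))
```

An empty findings list means the withdraw authority is your key, the stake authority is either yours or the expected delegate, and no lockup blocks withdrawal.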
Emergency Procedures#
Native Staking - Manual Withdrawal#
If Marinade's UI is unavailable:
```bash
# Find your stake accounts
solana stakes --withdraw-authority YOUR_PUBKEY

# Reclaim stake authority
solana stake-authorize STAKE_ACCOUNT --new-stake-authority YOUR_PUBKEY

# Deactivate
solana deactivate-stake STAKE_ACCOUNT

# Wait one epoch, then withdraw
solana withdraw-stake STAKE_ACCOUNT YOUR_PUBKEY ALL
```
See Native Staking Manual Unstake for detailed instructions.
Multisig Governance#
Critical protocol operations require multisig approval:
| Operation | Signers Required |
|---|---|
| Program Upgrades | DAO vote |
| Bot Access | 4/7 multisig |
| Emergency Actions | 4/7 multisig |
Bug Bounty#
Marinade maintains a bug bounty program for responsible disclosure:
- Report vulnerabilities to: security@marinade.finance
- Rewards based on severity
- Safe harbor for good-faith researchers
Best Practices#
For Users#
- Verify addresses - Always check contract addresses before interacting
- Use official links - Only access app.marinade.finance directly
- Hardware wallets - Use Ledger for large amounts
- Understand risks - Read this page before staking
For Developers#
- Verify programs - Check program IDs match official docs
- Handle errors - Implement proper error handling
- Test on devnet - Always test integrations first
- Monitor transactions - Watch for unexpected behavior
Incident Response#
Marinade has procedures for security incidents:
- Detection - Monitoring and community reports
- Assessment - Evaluate severity and scope
- Response - Pause affected systems if needed
- Communication - Update community via Discord/Twitter
- Resolution - Fix and post-mortem
FAQ#
Has Marinade ever been hacked?
No. Marinade has been operating since 2021 without any security incidents affecting user funds.
What happens if Marinade shuts down?
- Native staking: You retain withdraw authority and can exit using Solana CLI
- Liquid staking: mSOL remains backed by the stake pool; the protocol is upgradable via DAO governance
How do I verify I'm on the real Marinade site?
Always type app.marinade.finance directly or use a bookmark. Never click links from untrusted sources. The official domain is marinade.finance.
Contact#
- Security Issues: security@marinade.finance
- General Support: Discord
- Updates: @MarinadeFinance
Next Steps#
| Action | Link |
|---|---|
| Start staking | Quickstart |
| Learn about native staking | Native Staking |
| View contracts | Contract Addresses |