Is Socean Safe?
How Socean is committed to safeguarding your SOL and to building a stronger stake pool ecosystem on Solana
We’ve gotten a lot of questions on our Discord server since our testnet launch. One of the most-asked is: Can I trust the stake pool? Are my funds safe?
In this article we are very candid about the risks of staking with stake pools. We explain these risks so you are fully informed, describe what we at Socean have done to minimize them, and show how we’ve contributed to the development of the Solana stake pool program.
Two possible risks
There are two main ways you could lose your SOL when staking with a stake pool:
- [Manager Exploit]: The stake pool manager is/turns evil, and steals your funds.
- [Program Exploit]: The stake pool manager is not evil, but the stake pool program is exploited.
These risks are low but not nonexistent, and different stake pools may have higher or lower risks. At Socean, we have made decisions that entirely eliminate the Manager Exploit, and minimize the risk of a Program Exploit.
Risk 1: Manager Exploit
The first way you could lose your SOL is if the stake pool manager is, or turns, malicious and directly steals your funds. This could happen through a backdoor deliberately inserted in the code, or because the manager’s keys are taken over by someone malicious.
Before staking with a pool, you must make sure that there is no way for the manager to steal your funds. (This is why closed-source programs are dangerous: there is no way for you to check.)
By design, the Socean stake pool cannot steal your funds. The Solana stake pool program is non-custodial: the manager never holds your SOL, and a malicious manager cannot lock up or take it, because you can always redeem your pool tokens for the underlying stake. (This guarantee is a property of the deployed program code, which is why the upgrade authority discussed in the appendix matters.) See the stake pool program documentation:
One of the primary aims of the stake pool program is to always allow pool token holders to withdraw their funds at any time.
… [details of the stake pool design] …
… In this way, a user’s funds are never at risk, and always redeemable.
You don’t even need to take the Foundation’s word for it: because the program is fully open-source, you can check that there are no backdoors yourself. You can even verify this by compiling the source code and checking that your build matches the bytes deployed on-chain.
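As an added example (not Socean’s code and not part of the Solana stake pool program), here is a POSIX shell check for that last step: comparing a locally built program with the bytes dumped from the chain. The real inputs come from cargo build-bpf and solana program dump; those two commands are real, while the file names, the function names and the sample bytes below are constructed for illustration.

```shell
#!/bin/sh
# Added example, not code from Socean or the Solana stake pool program.
# Real-world inputs (the commands are real, the file names are assumed):
#   cargo build-bpf                                 # -> target/deploy/spl_stake_pool.so
#   solana program dump <PROGRAM_ID> onchain.so     # -> bytes of the deployed program
# The dumped account is zero-padded out to the size reserved at deploy time, so a
# whole-file diff fails even when the code is identical. Compare the first N bytes
# (N = size of the local build) and insist that everything after them is 0x00.

# matches_onchain BUILT_SO DUMPED_SO -> exit status 0 if the deployed code matches
matches_onchain() {
    built=$1
    dumped=$2
    built_len=$(( $(wc -c < "$built") ))
    dumped_len=$(( $(wc -c < "$dumped") ))
    # the account cannot be smaller than the program it supposedly holds
    [ "$dumped_len" -ge "$built_len" ] || return 1
    # 1. the leading bytes must be byte-for-byte identical to the local build
    head -c "$built_len" "$dumped" | cmp -s - "$built" || return 1
    # 2. anything past the local build must be padding; a non-zero byte there means
    #    the account holds bytes you did not build and deserves a closer look
    stray=$(( $(tail -c +"$((built_len + 1))" "$dumped" | tr -d '\000' | wc -c) ))
    [ "$stray" -eq 0 ]
}

# Constructed fixtures (not real program bytes) so the check runs offline.
# Prints the directory that holds them.
make_fixtures() {
    dir=$(mktemp -d)
    printf 'ELF-bytes-of-the-local-build' > "$dir/built.so"
    # faithful dump: identical bytes followed by zero padding
    { cat "$dir/built.so"; head -c 64 /dev/zero; } > "$dir/good_dump.so"
    # tampered dump: same length, one region of the code differs
    { printf 'ELF-bytes-of-the-local-BUILD'; head -c 64 /dev/zero; } > "$dir/bad_dump.so"
    # suspicious dump: code matches, but a non-zero byte hides in the padding
    { cat "$dir/built.so"; head -c 63 /dev/zero; printf '\001'; } > "$dir/padded_dump.so"
    echo "$dir"
}

# check_fixture DUMP_NAME -> prints "match" or "MISMATCH" for one constructed dump
check_fixture() {
    dir=$(make_fixtures)
    if matches_onchain "$dir/built.so" "$dir/$1"; then
        echo match
    else
        echo MISMATCH
    fi
    rm -rf "$dir"
}

for f in good_dump.so bad_dump.so padded_dump.so; do
    echo "$f: $(check_fixture "$f")"
done
```

A byte-exact match also requires building with the same toolchain version the deployer used; a mismatch caused by a different compiler release is not by itself evidence of tampering, so record which version you built with and retry before drawing conclusions.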
Risk 2: Program exploit
Even if a program will not allow the stake pool manager to steal your funds, there could be some exploit in the stake pool program that allows someone else to steal your funds. Again, you should verify this to your satisfaction before staking with any pool.
The Foundation’s own program was not immune to such issues either. The Socean team has helped make the Solana Foundation’s stake pool program better and more secure: back in May, we identified several possible issues with the existing stake pool and raised them privately and publicly with the Foundation:
[5:30 PM] jon: Lots of great discussion here! To address a few points that were brought up…
… there are certainly some weaknesses in the current design, no question there!
We discussed this with the Foundation for some time, which led to an improved design:
[6:14 PM] jon: I’ve been thinking about a liquid staking instruction to add to the stake pool program, inspired by @fp | socean.fi and @jon-chuang | socean.fi, and the work in Lido. Here’s the concept …
We then iterated even further and eventually settled on a design that we believe is safe. We play a very active role in developing the stake pool program. Have a look at the Solana Foundation’s stake pool program: you’ll find that ~20% of the stake pool codebase is code contributed by Socean. We’ll be continuing our work on improving the program going forward.
We do all this because contributing to the Foundation’s codebase will lead to the most long-term benefits for everyone. Several other stake pools have chosen to build their own version of the program to maintain their competitive advantage. It’s tempting to keep these changes to ourselves to give ourselves an edge, too. But we know others will also try to run their own pools, and we believe in building a firm foundation of security and reliability that can be shared by everyone.
We would be the first to admit that there could still be exploits that all of us — Socean, the Solana Foundation, and the auditors — did not find. But by choosing to work together with the Solana team, we maximize eyeballs on the code, and minimize the chance of any undiscovered exploits.
We’ve spent months toiling over designs and implementations to best safeguard your SOL. We recommend you do your research and make your own decision about how safe and reliable staking with each stake pool is.
Appendix: on upgradeable programs
Solana programs deployed with the upgradeable BPF loader are upgradable by default: whoever holds the “upgrade authority” private key can replace the program’s code in place. You can see who holds that authority for any program with solana program show <program id>.
A malicious party coming into possession of the upgrade key can change the program and gain full custody of your funds, regardless of how carefully the original code was written. To guard against this, some have suggested that we should make the stake pool program un-upgradable, “freezing” it.
However, this comes with a trade-off between two sources of risk.
- “Type 1” risk: You cannot upgrade the program with security improvements and fixes.
- “Type 2” risk: You leave the program upgradable, leaving the possibility of an attacker gaining access to the upgrade key.
Freezing the program makes a Type 2 incident impossible, but greatly increases the probability of a Type 1: a bug found after launch can never be patched. The industry-standard compromise is to put the upgrade authority behind a multisig, so that an attacker must compromise several independent keys rather than a single one to gain control of the upgrade authority. We are working on exactly that for our launch.