Audit Reports Decoded: What Solana DeFi Audits Actually Tell You
58% of Solana DeFi protocols with $1M+ TVL have no public audit. Meanwhile, the two biggest exploits of 2026 hit protocols that were audited. Both facts are true, and both matter. Here is how to read an audit report like an analyst instead of treating it like a checkbox.
Two Facts That Should Not Coexist
Of the 132 Solana DeFi protocols we track with at least $1M in TVL, 77 have zero public audits on record. That is 58% of the ecosystem holding user funds with no third-party review anyone can read.
At the same time, the two largest Solana exploits of 2026 hit audited protocols. Drift lost $285M in April through a combined oracle and multisig bypass. Loopscale, audited twice before launch, lost $5.8M two weeks after going live.
So audits are simultaneously scarce and insufficient. If that sounds like a contradiction, it is not. It just means most people are asking the wrong question. "Is it audited?" is a yes/no question. The useful question is "what did the audit actually cover, and what happened after?" Answering that requires reading the report. This post is about how.
What an Audit Is, and What It Is Not
A smart contract audit is a time-boxed review of a specific version of a codebase by an external security firm. Auditors read the code, model attack scenarios, run tooling, and produce a report listing findings ranked by severity.
Three words in that definition carry all the weight: time-boxed, specific version.
An audit covers the code as it existed during the engagement, usually a commit hash listed on the first pages of the report. Anything deployed after that commit is unaudited code, even if the protocol's marketing page still says "audited." On Solana, where programs are upgradeable by default, this matters more than on chains where immutability is the norm. A protocol with a single-signer upgrade authority can replace audited code with unaudited code in one transaction.
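The commit-versus-deployment check described above can be automated against the output of the Solana CLI. The following is an added example, not code from the original post or from yieldwire: it parses the text printed by `solana program show <PROGRAM_ID>` (the field names are assumed from the CLI's current output and the sample below is constructed, with placeholder addresses), hashes a `solana program dump` file so it can be compared with the `.so` built from the audited commit, and classifies the upgrade authority against a caller-supplied set of known multisig addresses.

```python
import hashlib
from dataclasses import dataclass
from typing import Optional

# Constructed sample of `solana program show <PROGRAM_ID>` output. Field names
# follow the CLI's text format (an assumption; check your CLI version). The
# address values are placeholders, not real accounts.
SAMPLE_SHOW_OUTPUT = """\
Program Id: PLACEHOLDER_PROGRAM_ID
Owner: BPFLoaderUpgradeab1e11111111111111111111111
ProgramData Address: PLACEHOLDER_PROGRAMDATA_ADDRESS
Authority: PLACEHOLDER_UPGRADE_AUTHORITY
Last Deployed In Slot: 250000000
Data Length: 331776 (0x51000) bytes
Balance: 2.31 SOL
"""


@dataclass
class ProgramState:
    program_id: str
    authority: Optional[str]  # None when the upgrade authority was revoked
    last_deployed_slot: int


def parse_program_show(text: str) -> ProgramState:
    """Parse the key/value lines printed by `solana program show`."""
    fields = {}
    for line in text.splitlines():
        if ":" in line:
            key, value = line.split(":", 1)
            fields[key.strip()] = value.strip()
    authority = fields.get("Authority")
    if authority is None or authority.lower() == "none":
        authority = None  # immutable: nobody can swap the audited code
    return ProgramState(
        program_id=fields["Program Id"],
        authority=authority,
        last_deployed_slot=int(fields["Last Deployed In Slot"]),
    )


def program_hash(dumped: bytes) -> str:
    """SHA-256 of a `solana program dump` file.

    The program-data account is frequently allocated larger than the ELF it
    holds, so the dump carries trailing zero bytes. Strip them before hashing
    so the result is comparable with the hash of a verifiable build of the
    audited commit (e.g. `anchor build --verifiable`).
    """
    return hashlib.sha256(dumped.rstrip(b"\x00")).hexdigest()


def classify_authority(authority: Optional[str], known_multisigs: set) -> str:
    """Immutable, a known multisig, or a key we cannot vouch for."""
    if authority is None:
        return "immutable"
    if authority in known_multisigs:
        return "multisig"
    return "single-signer-or-unknown"


def check_deployment(state: ProgramState, dumped: bytes,
                     audited_hash: str, known_multisigs: set) -> list:
    """Return the red flags for a deployed program relative to its audit."""
    flags = []
    if program_hash(dumped) != audited_hash:
        flags.append("deployed bytecode does not match the audited build")
    if classify_authority(state.authority, known_multisigs) == "single-signer-or-unknown":
        flags.append(f"upgrade authority {state.authority} is not a known multisig")
    return flags


if __name__ == "__main__":
    # Real usage: `solana program show <ID>` for the text, `solana program
    # dump <ID> onchain.so` for the bytes, and a verifiable build of the
    # audited commit for the expected hash. Here a constructed ELF stands in.
    state = parse_program_show(SAMPLE_SHOW_OUTPUT)
    onchain = b"\x7fELF" + bytes(range(64)) + b"\x00" * 4096
    expected = program_hash(b"\x7fELF" + bytes(range(64)))
    print(classify_authority(state.authority, set()))
    print(check_deployment(state, onchain, expected, set()))
```

A matching hash only proves the bytecode equals a build of the commit you chose; it still has to be the commit named on the report's first pages. A mismatch after padding is stripped can also come from a non-reproducible toolchain rather than a code change, which is why verifiable builds matter.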
An audit also has a scope section, and it is the most skipped part of the report. If the lending program was audited but the oracle adapter was not, the report tells you that explicitly. Drift's April exploit ran through oracle manipulation and a multisig weakness, exactly the kind of surface that sits at the edge of, or outside, typical audit scope.
Severity Tiers, Translated
Every report ranks findings. The naming varies slightly by firm, but the structure is consistent:
Critical. An attacker can drain funds or brick the protocol, usually with no special preconditions. If a report shows a critical finding, the only acceptable status is "resolved" with a code fix, verified by the auditor. "Acknowledged" next to a critical finding is a red flag, not a footnote.
High. Loss of funds is possible but requires specific conditions: a particular market state, a privileged role acting maliciously, or a dependency failing. These are the findings that turn into real exploits months later when conditions line up.
Medium. Incorrect behavior that hurts users but does not directly drain the vault. Think reward miscalculations, griefing vectors, or liquidations firing at the wrong threshold.
Low / Informational. Code quality, gas efficiency, deviations from best practice. A report with forty informational findings and zero criticals is a normal, healthy report. Do not be impressed by a low total count; be interested in the distribution.
The single most misleading phrase in DeFi marketing is "audit completed with no critical findings." Check whether high-severity findings existed and how they were closed. Check whether the auditors re-reviewed the fixes. Some reports end with findings marked "acknowledged," which means the team read the finding and shipped anyway.
Who Audits Solana
The firm's name on the cover tells you something about depth. The names that show up repeatedly across serious Solana protocols: OtterSec, Neodyme, Sec3, Zellic, Kudelski Security, Halborn, and Trail of Bits. Certora runs formal verification, a mathematical approach that proves properties of the code rather than sampling for bugs. Kamino is the notable Solana lending protocol that added formal verification on top of conventional audits.
Firm reputation is not decoration. Solana's runtime, account model, and CPI patterns are different enough from the EVM that generalist auditors miss Solana-specific bug classes. A report from a firm with a deep Solana track record covering ten similar protocols is a different signal than a first Solana engagement from an EVM shop.
What the Data Says: Audits vs Outcomes
Here is how audit depth lines up with our Security Scores across a sample of protocols we grade with high confidence:
| Protocol | TVL | Public audits | Score | Grade |
|---|---|---|---|---|
| Marinade | $278M | 3+ audits, SOC2 Type II | 84 | B |
| Jito | $895M | 9 SPL audits + 3 own | 83 | B |
| Kamino Lend | $1.5B | 9 audits + formal verification | 79 | B |
| Orca | $258M | 4 audits + bug bounty | 75 | B |
| Save (ex-Solend) | $77M | 2+ audits | 67 | C |
| Loopscale | $85M | 2 audits | 39 | F |
| Drift | $239M | Audited | 37 | F |
Two things jump out. First, no protocol in our 132-protocol universe scores an A. The distribution tops out at B, with 19 protocols there, 60 at C, 46 at D, and 7 at F. Solana DeFi is young and the grades reflect it.
Second, Loopscale and Drift both had audits and both sit at F. Their scores collapsed because of what happened in production, not what a PDF said before launch. An audit is one input. Track record, admin controls, oracle design, and incident response are the others. Two audits did not save Loopscale because the audits could not price in a protocol going live two weeks after review with novel order-book mechanics and concentrated admin power.
The inverse is also visible. The protocols at the top of the table did not get there on audit count alone. Marinade pairs its audits with a 6-of-13 multisig and three years without an exploit. Jito inherited nine audits from the SPL stake pool standard and added its own. Repetition across independent firms, over years, on stable code: that is what a strong audit posture actually looks like.
The Data Gap Nobody Talks About
A warning about relying on aggregator data. DeFiLlama's audit field, the source most dashboards use, undercounts. Raydium and Jupiter Lend both show zero audits there despite having external reviews confirmed through their own documentation. We flag these with manual research in our dataset.
The gap runs the other direction too. DoubleZero Staked SOL holds $878M with no audits we can verify anywhere. Meteora DLMM runs $287M in TVL with zero audits registered. These are not small experimental protocols; they are top-15 TVL positions on the network. Absence of a public audit does not mean absence of any review, but it means you cannot verify one exists, and unverifiable is the correct default assumption for capital you cannot afford to lose.
A Reading Checklist
Next time a protocol links its audit, spend ten minutes on these six questions before depositing:
- Which commit was audited, and is it what is deployed? If the report predates a major upgrade, the audit describes code that no longer runs.
- What was in scope? Oracle adapters, off-chain keepers, and governance modules are the usual exclusions, and the usual exploit paths.
- How were criticals and highs resolved? "Resolved and verified" beats "acknowledged" every time.
- Who did the review? A firm with Solana depth, or a generalist shop on its first Anchor program?
- When was it done? An audit from 18 months and four upgrades ago has mostly expired.
- Is there anything ongoing? Bug bounties and retainer relationships signal a protocol that treats security as a process rather than a launch requirement.
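The six questions above can be turned into a pre-deposit screen that runs over a hand-filled summary of the report's first and last pages. This is an added example, not code from the original post or yieldwire's own scoring; the dataclass layout, the 18-month expiry threshold (taken from the "18 months and four upgrades" remark above), and all sample values are assumptions constructed for illustration.

```python
from dataclasses import dataclass, field
from datetime import date

EXPIRY_MONTHS = 18  # assumption: an 18-month-old report is treated as expired


@dataclass
class Finding:
    severity: str    # Critical / High / Medium / Low / Informational
    status: str      # Resolved / Acknowledged / Partially resolved
    verified: bool   # did the auditor re-review the fix?


@dataclass
class AuditRecord:
    firm: str
    report_date: date
    audited_commit: str
    scope: set                 # components named in the scope section
    findings: list
    firm_solana_audits: int    # prior Solana engagements on the firm's public record


@dataclass
class Deployment:
    deployed_commit: str
    components: set            # what actually runs in production
    ongoing: set = field(default_factory=set)  # e.g. {"bug bounty", "retainer"}


def severity_distribution(findings: list) -> dict:
    """Count findings per tier; the distribution matters more than the total."""
    counts = {}
    for f in findings:
        counts[f.severity] = counts.get(f.severity, 0) + 1
    return counts


def months_between(earlier: date, later: date) -> int:
    return (later.year - earlier.year) * 12 + (later.month - earlier.month)


def review_audit(audit: AuditRecord, live: Deployment, today: date) -> list:
    """Apply the six-question checklist and return one flag per failed question."""
    flags = []
    # Q1: is the audited commit what is deployed?
    if audit.audited_commit != live.deployed_commit:
        flags.append("Q1: deployed commit differs from audited commit")
    # Q2: does the scope cover everything that runs?
    uncovered = live.components - audit.scope
    if uncovered:
        flags.append(f"Q2: out of scope in production: {sorted(uncovered)}")
    # Q3: criticals and highs must be resolved and verified, not acknowledged
    for f in audit.findings:
        if f.severity in ("Critical", "High") and (f.status != "Resolved" or not f.verified):
            flags.append(f"Q3: {f.severity} finding is '{f.status}', verified={f.verified}")
    # Q4: does the firm have a Solana track record?
    if audit.firm_solana_audits == 0:
        flags.append(f"Q4: {audit.firm} has no prior Solana engagements on record")
    # Q5: has the report aged out?
    if months_between(audit.report_date, today) > EXPIRY_MONTHS:
        flags.append("Q5: report older than the expiry threshold")
    # Q6: is security a process or a launch requirement?
    if not live.ongoing:
        flags.append("Q6: no bug bounty or retainer on record")
    return flags


# Constructed sample: a report that looks fine on the cover but fails most questions.
SAMPLE_AUDIT = AuditRecord(
    firm="Example Audit Firm (placeholder)",
    report_date=date(2024, 10, 1),
    audited_commit="PLACEHOLDER_AUDITED_COMMIT",
    scope={"lending", "vault"},
    findings=[
        Finding("Critical", "Resolved", True),
        Finding("High", "Acknowledged", False),
        Finding("Medium", "Resolved", True),
        Finding("Informational", "Resolved", False),
        Finding("Informational", "Acknowledged", False),
    ],
    firm_solana_audits=0,
)
SAMPLE_LIVE = Deployment(
    deployed_commit="PLACEHOLDER_LATER_COMMIT",
    components={"lending", "vault", "oracle-adapter"},
)

if __name__ == "__main__":
    print(severity_distribution(SAMPLE_AUDIT.findings))
    for flag in review_audit(SAMPLE_AUDIT, SAMPLE_LIVE, date(2026, 5, 1)):
        print(flag)
```

The sample record trips every question: "no critical findings" is true of it, yet the acknowledged High, the out-of-scope oracle adapter and the commit drift are exactly the things the marketing line hides.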
None of this requires reading Rust. Scope, dates, severity tables, and resolution status are all in the first and last pages of every report.
How We Use Audits at yieldwire
Audits feed one factor among ten in our Security Score. We weight who performed them, how many independent firms repeated the work, how old they are, and what happened in production since. That is why a protocol with two audits can score an F and a protocol with zero registered audits can still reach a C on the strength of inherited standards and clean track record.
Every protocol page on yieldwire shows the grade next to the yield, and the risk filter lets you screen pools by score before you ever look at APY. The 8% pool and the 5% pool are not the same product if one of them runs unaudited upgradeable code behind a single signer.
Yield is what you earn for taking risk. Audit reports are one of the few free tools for measuring that risk before you take it. Read them.
This is not financial advice. Yields and scores change; verify current data on yieldwire.xyz/yields before making decisions.