Solana Governance Audits
Review of DAOs, voting systems, multisigs, and proposal-execution programs.
Governance and multisig programs hold authority over everything they control, so the risk isn't just a fund drain, it's fairness and power. Can a participant gain more votes, more influence, or more control than they should? We've audited futarchy markets, token-weighted DAOs, multisigs, and the proposal-execution layer that turns a decision into an on-chain action.
A governance bug isn't a fund drain. It's a takeover.
Most Solana audits ask "can an attacker steal funds today?" Governance audits ask something subtler: can someone end up with more votes, more influence, or more control than they should? Sometimes that is an outright takeover, a subverted proposal handing an attacker upgrade authority over every program the DAO governs. Just as often it is quieter, a participant who found a nuance in the implementation that lets them tilt outcomes in their favour.
So we read governance as an incentive system, not just a state machine. Who is allowed to propose, who is allowed to vote, how voting weight is computed at each snapshot, and how a passing decision becomes an on-chain action. At each stage we ask what a self-interested participant could do that the designers did not intend: snapshot manipulation, double-voting, replayed proposals, execution-time argument tampering, or simply a rule that rewards behaviour the protocol never meant to reward.
On the execution side we read every CPI the governance program makes. The vote may be honest, but if the executed instruction lets the proposal author swap in their own account at execution time, the vote's integrity is meaningless. This is where most of the highest-severity governance findings we have disclosed have lived.
This applies well beyond classic DAOs. Token-weighted and trading-based governance, multisigs, and anywhere authority is shared all raise the same questions, including what happens when a member is compromised or simply acts in bad faith. Token-weighted systems are only as secure as the cost of acquiring enough weight at the snapshot, which is often far lower than teams expect once borrow-and-vote paths exist; a multisig is only as secure as its weakest signer. We flag these explicitly even when they are not strictly code bugs, because protocols routinely under-estimate them.
What we cover
The surface area of a typical engagement.Proposal lifecycle
Creation eligibility, voting window, quorum, vote-count integrity, and proposal-state transitions.
Voting power & delegation
How weight is computed at snapshot, delegation, vote-escrow / lock-up math, double-vote prevention.
Execution & multisig authority
What a passed proposal or multisig is allowed to do; how privileged CPIs are constrained; signer-set and threshold integrity.
Incentives & fairness
Can any participant gain more votes, influence, or control than they should? Borrow-and-vote, bribery, compromised signers, and advantages hidden in the implementation.
How we work
Threat-model the lifecycle
We map every state transition (draft, active, succeeded, executed) and the authority required at each step.
Read the execution path twice
Each proposal type's executor is read in isolation, then again with attacker-controlled arguments substituted.
Cost-of-takeover model
For token-weighted systems, we compute the practical cost (including borrow paths) of reaching quorum.
Report with severity by class
Findings ranked by impact on protocol authority, not just funds in flight.
Selected engagements
Governance and voting systems we've reviewed end-to-end.
Ready to audit your protocol?
Submit your protocol for review and we'll respond within 24 hours. Our researchers have prevented 50+ critical exploits across the Solana ecosystem.
Accretion Labs Pte. Ltd.
65 Chulia Street, #46-00 OCBC Centre
Singapore 049513
Singapore
UEN 202502288W