Why We Take it Slow — Security First

Marinade recently blew past $300M in TVL and is nearing 3M SOL staked.

While it might seem like rapid growth — and it certainly is — let’s take a closer look.

To make sure everything is working as expected, we placed a hard cap on the maximum amount of SOL that can be staked and have slowly raising it, step by step. Each time, we check several parts of the system.

In the following graph, we can see that most of the time it only took a day or two until the raised cap was reached again.

This is some massive demand for mSOL!

So how exactly do we make sure that the funds are kept safe?

Risks

When staking SOL with a stake pool, there are basically two main risks:

1. The stake pool manager acts maliciously and steals your funds
2. The stake pool program is exploited

This is the blockchain space, so 100% security would be a false promise. Also, some events, like the recent network congestion, are a bit of out our control.

Now let’s go through all the measures that Marinade has taken to minimize the chances of both stake pool manager and stake pool program exploits, or any other issues happening.

Based on the Solana Stake Pool Program

The reference Solana stake pool program is non-custodial as you can see from the stake pool program documentation:

One of the primary aims of the stake pool program is to always allow pool token holders to withdraw their funds at any time.
… [details of the stake pool design] …
… In this way, a user’s funds are never at risk, and always redeemable.

In February, when we were still very early in our development, we decided to implement our own custom version of the Solana stake pool program rewritten in the Anchor framework to make it more robust and secure and to introduce our own liquidity pool to enable immediate SOL unstakes and not be solely dependent on external markets.

This has turned out to be a huge advantage.

The Audits — Not One, But Three

Back in July, while still on devnet, we asked the Solana Foundation for recommendations of auditors who know ins and outs of protocols running on Solana. They introduced us to the Neodyme team (previously called ALLES! One), who reviewed most of the major protocols and even came up with a summary article: Solana Smart Contracts: Common Pitfalls and How to Avoid Them.

We passed their code review with no critical issues found, and after confirming this with another set of white-hat hackers we decided it was a green light for us to go to mainnet.

During our first week on mainnet, we started another audit with Ackee Blockchain and passed yet again with no critical issues by the end of August.

And this time we’re going through a third and final level of security audits with Kudelski Security.

To top it off, we’ve also invited all our ecosystem partners into our code to have some of them do the peer-review themselves. Think of it like having CTOs of all the top Solana projects look into our code to make sure we didn’t miss anything.

We think this is the most reliable way to ensure the highest level of security for Marinade.

Once we are done with the final audit, we plan to share all of the audit reports and open source all of Marinade’s code.

Anyone Can Turn the Crank

Inspired by Serum’s fully non-custodial architecture, we built Marinade to be non-custodial as well. In Marinade, most of the behind-the-scenes magic—such as delegating the stake, computing rewards, updating mSOL/SOL price — is executed by a set of actions run by a bot.

We made sure that the Marinade program is completely permissionless so that anybody can run the bot and “turn the crank”. The Anchor IDL of our program is released mainly for integration purposes, but can also be used to call specific parts of the program from the outside.

The Governance Run by Solana Ecosystem

One of the most critical parts of any Solana program is the program’s upgrade authority. A malicious party coming into possession of upgrade keys can change the program and gain full custody of the funds.

Because of this, there is no single full-admin key that would be able to act as an upgrade authority to prevent a single point of failure. Until we achieve full DAO governance, these important decisions are executed via so-called multisig contracts requiring multiple keys to sign a transaction before it can be executed.

The multisig solution serves as a good middle ground between a single person that could act as the administrator and a DAO program (token holders) that could act as the administrator:

• Reduces points of trust by including multiple parties, it makes the decision execution more decentralized
• Speed of execution for edge cases like bug-fixes and the program needed to be patched, where achieving consensus on-chain would be too slow

At Marinade, we’re using Serum Multisig program.

The Marinade program upgrade authority is governed by a multisig needing 6 out of 11 signatures to execute a transaction. The keys are distributed to some of the most reputable parties in the Solana ecosystem:

• Raydium
• Saber
• Serum
• Mercurial finance
• Orca
• Alameda Research
• Triton.one
• Miton C
• Marinade, 3 votes

Programmatic and Transparent Delegation Strategy

While most eyes are on unlocking liquidity and using a double-dip strategy (staking rewards automatically compounded to mSOL and using that mSOL in DeFi), it’s still important to ask what the underlying mSOL token represents — to know exactly what happens with your staked SOL.

When SOL gets staked with Marinade, it follows an algorithmic delegation strategy to spread the stake around.

Marinade delegates to not just one or two validators but hundreds of them while skipping the biggest ones that are able to collectively halt the network — effectively improving the Nakamoto coefficient, the number of entities required to compromise at least one essential subsystem.

Back in February 2021 when we started, there were 11 top validators that could collectively halt the network. Today, the group is made of 20 validators, and we’ll do our best to increase this number even further.

It’s worth mentioning that Marinade does not run its own validator to stay completely objective in its delegation strategy.

The Road to Fully Becoming a DAO

Without any investors on board, it’s only the team and a healthy organic community contributing to Marinade that sets the foundation for the Marinade DAO.

We’re a 100% community and product-driven project, so we live up to what we shared back in June:

The idea is to spread the ownership of Marinade around as much as possible. This also results in more decentralized, secure operations.

To support this, we already put some measures in place and some are about to be introduced (e.g. a per-account stake limit strategy, total stake limit, thinking about other contributors beyond the scope of providing liquidity).

With the coming MNDE launch, we’re starting a new era bringing in more chefs and collectively building the best Marinade possible. If you’re already interested, feel free to join us in the kitchen.

Also, Anatoly Yakovenko, the founder of Solana, talked about Marinade, its community, and DAO approach:

Next time, we‘ll look into the specifics of the MNDE launch and the first weeks of MNDE’s liquidity mining in detail. In case you missed it, check out the Introducing MNDE article.

Happy staking!