Is Sanctum Safe

Are LSTs Safe?

Most LSTs that Sanctum support use a version of the SPL stake pool program. Multiple security firms have audited the stake pool program nine times to ensure total safety of funds. So far it has controlled 1B+ dollars of value over more than two years, with no exploits found. Of course, just because a contract has not been exploited in the past does not mean it will never ever be exploited in the future, but it is clear that the stake pool program is one of the safest programs in the world.

We also support the Marinade and Lido programs, which are also battle-tested and have undergone multiple audits.

Who controls the LSTs?

We have launched many new LSTs; some have asked who controls these. The individual projects do not control the LSTs. Rather, it is controlled by a multisig.

The upgrade authority of Sanctum’s LSTs is currently held by a 10-member multisig. All members are highly reputable actors in the space: Jito, Jupiter, Laine, Mango, MRGN, Solblaze, and Sanctum. Any changes to the LST program will have to be approved by a majority vote from this multisig. No single party can unilaterally change the program. We plan to significantly grow the size of the multisig and eventually freeze the program.

The day-to-day management of the LSTs is currently held by Sanctum. This management authority is in charge of setting up the LSTs and staking the deposited SOL. Please that the management authority cannot steal your funds, even if compromised. It is possible for the management authority to raise fees, however the program is designed that fee changes are capped and happen with ample warning, so you can withdraw your SOL before any changes take effect: see here for details. We plan to use Jito’s Stakenet to perform this delegation in the future.

“Depeg” risk

This is a risk often misunderstood by many. People often think of depegs like a bank run: you deposit money in the bank, the bank lends out your money, those loans default, and the bank does not have the money to pay you. However, this is not possible in the case of an LST. Unlike on Ethereum (which has withdrawal queues), LSTs on Solana are designed such that you can always get your staked SOL immediately, no matter what.

How is it possible for the price of an LST to fall below par then? This reflects a very strong (sometimes irrational…) preference for immediate liquidity. For example, when a whale sells a very large amount of mSOL without caring about slippage. This is a self-resolving problem, in that large depegs are often arbitraged back to par in a matter of minutes, and will not affect the majority of LST holders – their SOL is still there. Rather, this is of most concern for people using LSTs as collateral on borrow-lend protocols, as they may get liquidated. This should hopefully be mitigated as liquidity gets deeper (infinity! reserve! router!) and oracle structures on borrow-lend protocols become more robust.