Parity Finance Liquid Staking & Early Purchase

Off-Chain (Private)
Audited on 2025/06/18
No active critical issues

Summary

The audit scope for Parity Finance includes two separate programs: a **Liquid Staking program** and an **Early Purchase program**.

### Liquid Staking program

The Parity Finance Liquid Staking program allows users to stake base tokens and receive Liquid Staking Tokens (LSTs) in return. It manages the staking process, LST minting/burning, fee collection, and withdrawals through a time-window mechanism. The program features granular access control with multiple distinct authority roles (Vault, Window, Deposit, Pair, Unseal, Access).

The audit identified missing functions and vulnerabilities in the withdrawal and restaking actions of the Liquid Staking program. It was not possible to withdraw the base tokens after restaking expired withdrawals, and a malicious user was able to prevent the window authority from closing the withdrawal windows by sending a small amount of funds to the vault of the window. The rest of the vulnerabilities were mostly related to input validation for edge cases.

### Early Purchase program

The Parity Finance Early Purchase program facilitates token sales. It allows users to initialize and manage sales, configure parameters like pricing, timing, and supply caps, and optionally use Guardians for early access control or purchase verification. Users can purchase tokens using either SPL tokens or native SOL (via Pyth price feeds) and later redeem their purchased tokens.

The Parity Finance Early Purchase program contained several high-severity vulnerabilities that posed significant security risks. The most severe vulnerabilities allowed the theft of sale tokens using invalid receipts and prevented the use of critical functions such as redemptions and fee collections. Moreover, the program included incorrect token price calculations. Each of these issues could have led to substantial financial losses or loss of trust within the ecosystem.

### Final Fix Review Summary

The client has successfully addressed the vast majority of identified vulnerabilities, with fixes demonstrating proactive improvements together with the addition of necessary validations and tests. Test coverage has been improved, particularly for the Early Purchase program; however, a handful of the tests are failing. Overall, the client has shown a strong commitment to enhancing code security and improving test coverage.


Issues (32)

| | Low | Medium | High | Critical | Total |
|---|---|---|---|---|---|
| Not fixed | 8 | 2 | - | - | 10 |
| Fixed | 9 | 7 | 6 | - | 22 |
| Total | 17 | 9 | 6 | 0 | 32 |


Contracts (436)