Security
Purple Percolator is an open-source perpetual futures engine on Solana. All programs are deployed with verified builds, on-chain security metadata, and formal verification of the risk engine.
Experimental software. Purple.trade is in active development. Trading involves risk of loss. Use at your own risk — no warranties are provided. Never trade more than you can afford to lose.
Bug Bounty
| Severity | Impact | Reward |
|---|---|---|
| Critical | Loss of funds, unauthorized withdrawals, vault drain | Up to 10 SOL |
| High | Position manipulation, oracle price spoofing, margin bypass | Up to 3 SOL |
| Medium | Denial of service, crank manipulation, incorrect liquidation | Up to 1 SOL |
| Low | SDK encoding errors, UI-level issues, information disclosure | Up to 0.1 SOL |
Verified Programs
Purple Percolator
VerifiedPRPLUgjCUxCEzNPP6x7XJVK1WR5XX28Zu8MEyTqvGjFbf68c6359fd0ecb2cf245c19ee0ccf10fcdb42b54f4c81d6772d10e1586b5cadsolanafoundation/solana-verifiable-build:1.18.9Purple Matcher
VerifiedMTCPqs6RWWUPMHhvZnnB6BLAXS86TDpTaxQW7Pa3aDha2d5aef57b91b6895079a138f849471bd58b9fd0ae4a643f1ce069c794dba073solanafoundation/solana-verifiable-build:2.3.0On-Chain security.txt
Both programs embed solana-security-txt in the on-chain binary. This metadata is discoverable directly from Solana explorers.
| name | Purple Percolator |
| project_url | https://purple.trade |
| contacts | tradeonpurple@proton.me |
| policy | https://purple.trade/security |
| source_code | https://github.com/purpletrade/percolator-prog |
| preferred_languages | en |
Verification
- Verified builds — deterministic Docker builds produce identical binaries from source. SHA-256 hashes published in CI.
- OtterSec verified — programs pass OtterSec on-chain verification with green badges on Solscan.
- 143 Kani proofs — the risk engine is formally verified with model checking, not just tests.
- SDK audit — TypeScript SDK verified byte-for-byte against Rust source (21/21 instructions, all account orderings, all encodings).
- Upgrade authority retained — programs can be patched for security fixes via verified builds.
Upgrade Policy
Both programs retain upgrade authority held by a single admin key controlled by the purple.trade team. The Percolator engine is forked upstream from Anatoly Yakovenko's original implementation.
- Solana Foundation Verified Builds — all upgrades use deterministic Docker containers (
solanafoundation/solana-verifiable-build) that produce identical binaries from source. No upgrade is deployed without a matching SHA-256 hash from CI. - Single admin key — upgrade authority is held by one key, not a multisig. This allows rapid response to security incidents. The tradeoff is trust in the team rather than governance delay.
- Upstream tracking — the Percolator program tracks the upstream
percolator-progrepository. Changes are reviewed against the original Rust source before deployment.
Emergency Procedures
The Percolator program includes two admin-only emergency instructions. These exist as circuit breakers — they cannot create value, only pause operations and return funds to users.
ToggleTrading
IX 20Pauses all new trades on a market. Any trade attempt while paused returns error TradingPaused (0xd).
- •Deposits, withdrawals, and account closures remain available — users can always exit
- •Reversible — admin can resume trading once the issue is resolved
- •Used for: oracle malfunction, exploit in progress, protocol upgrade
AdminForceCloseAccount
IX 21Admin-initiated emergency close of a user position. Settles the position at the current oracle price and transfers remaining collateral back to the user's token account.
- •Funds returned to user — collateral is transferred via SPL token transfer from the vault to the user's ATA, not to the admin
- •Conservation invariant — the Kani-proven Conservation property (deposits + insurance = withdrawable + positions) applies to force closes. No value is created or destroyed.
- •On-chain audit trail — every force close increments the
lifetimeForceClosescounter in the engine state, publicly readable on-chain - •Used for: market wind-down, stuck position recovery, slab migration