# Security & Audits

Tessera's on-chain programs undergo independent security assessments before mainnet deployment. This page summarizes completed audits and ongoing security practices.

***

### Accretion Labs Audit (January 2026)

Accretion Labs conducted a full security assessment of both the Token Program and the Referral Program.

| Property    | Value                                                                                                                              |
| ----------- | ---------------------------------------------------------------------------------------------------------------------------------- |
| Auditor     | [Accretion Labs](https://accretion.xyz/)                                                                                           |
| Report ID   | A25TES1                                                                                                                            |
| Completed   | January 19, 2026                                                                                                                   |
| Scope       | Token Program (`TESQvsR4TmYxiroPPQgZpVRoSFG8pru4fsYr67iv6kf`) and Referral Program (`TESMgr3q4s1CK5nGz7bmkbMQBQeSt8N9wpZjTDWm2cY`) |
| Full Report | [Download PDF](https://cdn.tesseralab.co/tessera/2025-accretion-tessera-token-and-referral-audit-A25TES1.pdf)                      |

#### Findings Summary

The assessment identified 30 findings across all severity levels. No critical or high-severity vulnerabilities were found.

| Severity      | Count |
| ------------- | ----- |
| Critical      | 0     |
| High          | 0     |
| Medium        | 9     |
| Low           | 11    |
| Informational | 10    |

Of the 30 findings, 17 were fixed prior to mainnet deployment. The remaining items were assessed as low-impact or accepted risk and marked as acknowledged.

#### Key Areas Reviewed

* Access control and admin privilege management
* Arithmetic safety and overflow protection
* Token-2022 extension integration (transfer fees, metadata)
* Referral chain integrity and immutability
* Multisig compatibility for authority operations
* Program initialization security

#### Outcome

The code implements a comprehensive referral system with tiered fees and token management functionality using the Anchor framework. The audit confirmed that no exploitable vulnerabilities exist in the deployed programs. The Tessera team addressed the majority of findings across all severity levels.

***

### Ongoing Security Practices

* **Institutional custody:** Program upgrade authority is held by a Fireblocks wallet with enterprise-grade key management.
* **Proof of Reserve:** Token supply is independently verified via Chainlink PoR. See [Proof-of-Reserve (PoR)](/technicals/proof-of-reserve-por.md) for details.
* **On-chain transparency:** All program addresses and token mints are publicly verifiable. See [On-Chain Programs](/technicals/on-chain-programs.md) for addresses and explorer links.


