# Security & Audits

Tessera's on-chain programs undergo independent security assessments before mainnet deployment. This page summarizes completed audits and ongoing security practices.

***

### Accretion Labs Audit (January 2026)

Accretion Labs conducted a full security assessment of both the Token Program and the Referral Program.

| Property    | Value                                                                                                                              |
| ----------- | ---------------------------------------------------------------------------------------------------------------------------------- |
| Auditor     | [Accretion Labs](https://accretion.xyz/)                                                                                           |
| Report ID   | A25TES1                                                                                                                            |
| Completed   | January 19, 2026                                                                                                                   |
| Scope       | Token Program (`TESQvsR4TmYxiroPPQgZpVRoSFG8pru4fsYr67iv6kf`) and Referral Program (`TESMgr3q4s1CK5nGz7bmkbMQBQeSt8N9wpZjTDWm2cY`) |
| Full Report | [Download PDF](https://cdn.tesseralab.co/tessera/2025-accretion-tessera-token-and-referral-audit-A25TES1.pdf)                      |

#### Findings Summary

The assessment identified 30 findings across all severity levels. No critical or high-severity vulnerabilities were found.

| Severity      | Count |
| ------------- | ----- |
| Critical      | 0     |
| High          | 0     |
| Medium        | 9     |
| Low           | 11    |
| Informational | 10    |

Of the 30 findings, 17 were fixed prior to mainnet deployment. The remaining items were assessed as low-impact or accepted risk and marked as acknowledged.

#### Key Areas Reviewed

* Access control and admin privilege management
* Arithmetic safety and overflow protection
* Token-2022 extension integration (transfer fees, metadata)
* Referral chain integrity and immutability
* Multisig compatibility for authority operations
* Program initialization security

#### Outcome

The audited code implements a comprehensive referral system with tiered fees and token management functionality using the Anchor framework. The audit identified no exploitable vulnerabilities in the deployed programs. The Tessera team addressed the majority of findings across all severity levels.

***

### Ongoing Security Practices

* **Institutional custody:** Program upgrade authority is held by a Fireblocks wallet with enterprise-grade key management.
* **Proof of Reserve:** Token supply is independently verified via Chainlink PoR. See [Proof-of-Reserve (PoR)](https://docs.tessera.pe/technicals/proof-of-reserve-por) for details.
* **On-chain transparency:** All program addresses and token mints are publicly verifiable. See [On-Chain Programs](https://docs.tessera.pe/technicals/on-chain-programs) for addresses and explorer links.
