Solana's restaking ecosystem has exploded. Jito (Re)staking, Sanctum, and Marinade are funneling billions in SOL through Node Consensus Networks (NCNs) — extending the economic security of staked assets to external protocols. Capital efficiency is up. Yield is up. And the attack surface? It's grown faster than anyone's audited it.
If you're building, auditing, or restaking on Solana in 2026, here's everything you need to understand about the security risks that restaking introduces — and the defensive patterns that can mitigate them.
What Makes Restaking Different From Staking
In traditional Solana staking, you delegate SOL to a validator. Your risk is straightforward: validator performance and network inflation. The validator misbehaves or goes offline — you earn less. That's about it, since Solana has historically relied on "social slashing" (community-driven, manual penalty).
Restaking changes the game. Now your staked SOL (or LSTs like JitoSOL, mSOL) secures additional protocols — NCNs — each with their own rules, their own slashing conditions, and their own smart contract risk. You're no longer exposed to one trust domain. You're exposed to many, simultaneously.
Traditional Staking:
SOL → Validator → Network Consensus
Risk: Validator performance only
Restaking:
SOL → LST (JitoSOL) → Vault → NCN_A + NCN_B + NCN_C
Risk: Validator + Vault contract + NCN_A rules + NCN_B rules + NCN_C rules
Slashing: Compounding across all NCNs
This is the risk multiplication problem: each additional NCN you secure adds a new, independent vector for asset loss.
The 5 Critical Risk Vectors in Solana Restaking
1. Compounding Slashing Risk
Each NCN defines its own slashing conditions. When programmatic slashing arrives on Solana (and it's coming — Helius has published the roadmap), restakers face a novel problem: correlated slashing across multiple NCNs.
Consider this scenario:
- You restake 1,000 SOL across 3 NCNs
- NCN_A slashes 5% for oracle downtime
- NCN_B slashes 10% for incorrect attestation
- NCN_C slashes 3% for missed heartbeat
Total exposure: 18% — from three independent events that can happen simultaneously.
The risk isn't just additive. A single infrastructure outage (cloud provider failure, network partition) can trigger slashing across every NCN your operator participates in.
Defense pattern:
// Vault-level slashing cap implementation
pub struct VaultConfig {
pub max_cumulative_slash_bps: u16, // e.g., 1000 = 10%
pub slash_cooldown_epochs: u64, // Min epochs between slashes
pub ncn_slash_limits: HashMap<Pubkey, u16>, // Per-NCN caps
}
// Before processing a slash instruction:
fn validate_slash(vault: &VaultConfig, ncn: &Pubkey, slash_bps: u16) -> Result<()> {
let current_cumulative = get_cumulative_slashes(vault)?;
require!(
current_cumulative + slash_bps <= vault.max_cumulative_slash_bps,
ErrorCode::SlashCapExceeded
);
let ncn_limit = vault.ncn_slash_limits.get(ncn)
.unwrap_or(&vault.max_cumulative_slash_bps);
require!(slash_bps <= *ncn_limit, ErrorCode::NcnSlashCapExceeded);
let last_slash_epoch = get_last_slash_epoch(vault, ncn)?;
let current_epoch = Clock::get()?.epoch;
require!(
current_epoch >= last_slash_epoch + vault.slash_cooldown_epochs,
ErrorCode::SlashCooldownActive
);
Ok(())
}
2. Vault Receipt Token (VRT) Depegging
Jito's restaking architecture introduces VRTs — tokens representing your restaked position. These are composable: you can use VRTs in DeFi (lending, liquidity provision). But VRTs don't always trade at NAV.
The depegging attack surface:
- Delayed redemption windows — If vault withdrawals have a delay (common for security), VRT market price can diverge from underlying value during volatile periods
- NCN slashing events — A slash reduces the underlying collateral but VRT supply remains constant, creating instant depeg
- Oracle staleness — If DeFi protocols price VRTs using stale oracle data, attackers can borrow against overvalued VRTs
This mirrors the Lido stETH depeg dynamics from Ethereum, but with additional NCN-specific risk layers.
Defense pattern for DeFi protocols integrating VRTs:
// Don't trust VRT price at face value
fn get_safe_vrt_value(vrt_mint: &Pubkey, oracle_price: u64) -> Result<u64> {
// 1. Check underlying vault health
let vault_state = get_vault_state(vrt_mint)?;
let backing_ratio = vault_state.total_underlying
.checked_mul(PRECISION)?
.checked_div(vault_state.total_vrt_supply)?;
// 2. Apply haircut if backing ratio < 1.0
let effective_ratio = std::cmp::min(backing_ratio, PRECISION);
// 3. Check for recent slashing events (don't trust backing if slash just happened)
if vault_state.last_slash_epoch >= Clock::get()?.epoch.saturating_sub(2) {
// Apply additional 10% safety margin post-slash
return Ok(oracle_price
.checked_mul(effective_ratio)?
.checked_div(PRECISION)?
.checked_mul(90)?
.checked_div(100)?);
}
Ok(oracle_price.checked_mul(effective_ratio)?.checked_div(PRECISION)?)
}
3. NCN Operator Collusion
NCNs often require a quorum of operators to reach consensus. If the NCN's operator set is small or insufficiently diverse, collusion becomes feasible.
Attack scenario:
- NCN has 5 operators, requires 3/5 consensus
- 3 operators collude to approve a malicious state transition
- Restaked assets are at risk because the NCN's "security" was the collateral
Unlike Ethereum's EigenLayer, where AVS operator sets often inherit from a large validator pool, Solana NCN operator sets can be small and permissioned. This makes the Sybil resistance of the NCN operator selection critical.
What auditors should check:
- Minimum operator count requirements
- Operator diversity requirements (not all on same cloud provider)
- Time-lock on operator set changes
- Whether operator registration requires stake (skin in the game)
- Whether consensus threshold is configurable and what the governance process looks like
4. Cross-Program Invocation (CPI) Depth in Restaking Composability
Solana's CPI depth limit is 4. Restaking architectures can hit this fast:
User TX → Vault Program → Restaking Program → NCN Program → Token Program
(depth 0) (depth 1) (depth 2) (depth 3)
That's already depth 3. If the NCN program needs to interact with an oracle or another program, you're at the limit. This creates pressure to:
- Flatten architectures — combining logic into fewer programs (increases code complexity and audit surface)
- Use instruction introspection — checking previous instructions instead of CPI (we've covered why this is dangerous in a previous article)
- Split into multiple transactions — introducing atomicity gaps that attackers can exploit
The security trap: When developers hit CPI depth limits, they often make security-compromising architectural decisions. During audits, always check whether CPI depth constraints forced unsafe design patterns.
5. Withdrawal Race Conditions
Restaking withdrawal flows are multi-step:
- User requests withdrawal from vault
- Vault unstakes from NCN(s)
- NCN unbonding period passes
- Funds return to vault
- User claims withdrawal
Between steps 2 and 4, a slashing event can reduce the amount available. If the withdrawal accounting doesn't handle this correctly, you get either:
- Griefing: Early withdrawers get full amounts, late withdrawers get less (bank run dynamics)
- Stuck funds: Withdrawal claims exceed available balance, blocking all withdrawals
Secure withdrawal pattern:
pub struct WithdrawalTicket {
pub user: Pubkey,
pub requested_amount: u64,
pub share_of_pool: u64, // Store as share, not absolute amount
pub request_epoch: u64,
pub claimable_epoch: u64,
}
// When claiming, calculate based on current pool state
fn claim_withdrawal(ticket: &WithdrawalTicket, vault: &VaultState) -> Result<u64> {
require!(
Clock::get()?.epoch >= ticket.claimable_epoch,
ErrorCode::NotYetClaimable
);
// Pro-rata based on pool state at claim time
// This handles slashing that occurred during unbonding
let claimable = vault.available_balance
.checked_mul(ticket.share_of_pool)?
.checked_div(vault.total_pending_shares)?;
// Never more than originally requested
Ok(std::cmp::min(claimable, ticket.requested_amount))
}
The Restaking Security Checklist for Auditors
Before signing off on any Solana restaking integration, verify:
Vault Security
- [ ] Vault authority is a multisig or governance-controlled
- [ ] Deposit/withdrawal caps exist and are enforced
- [ ] Share-based accounting (not absolute amounts) for all position tracking
- [ ] Emergency pause functionality exists
- [ ] Upgrade authority is time-locked or revoked
NCN Integration
- [ ] Each NCN's slashing conditions are clearly defined and bounded
- [ ] Cumulative slashing across all NCNs has a hard cap
- [ ] Operator set has minimum diversity requirements
- [ ] NCN operator registration includes meaningful stake requirements
- [ ] Consensus thresholds cannot be changed without time-lock
Token Safety
- [ ] VRT minting/burning follows strict underlying ratio
- [ ] No rebasing mechanics that could cause rounding exploits
- [ ] Token-2022 extensions (if used) are reviewed for transfer hook interactions
- [ ] VRT oracle integrations include staleness and depeg circuit breakers
Withdrawal Integrity
- [ ] Withdrawal claims use pro-rata share calculations
- [ ] Unbonding periods account for potential slashing during the wait
- [ ] No bank-run dynamics possible (first-come-first-served on limited funds)
- [ ] Claim function handles edge case where available < total_claims
Governance & Access Control
- [ ] Admin functions have time-locks appropriate to impact severity
- [ ] Fee parameter changes are bounded and gradual
- [ ] NCN whitelisting has a clear vetting process
- [ ] Emergency functions exist but are constrained (pause, not drain)
Real-World Precedents: Lessons From EigenLayer
Solana restaking is younger than Ethereum's EigenLayer ecosystem, but the parallels are instructive:
EigenLayer's operator centralization problem — In early EigenLayer, a small number of professional operators ran the majority of AVSs. A single operator failure could cascade across dozens of services. Solana NCN builders should enforce operator diversity from day one.
The Lido stETH depeg of 2022 — When stETH traded at 6% below ETH, protocols using stETH as collateral at 1:1 peg faced bad debt. VRTs on Solana will face identical dynamics. Any protocol accepting VRTs must use real-time pricing, not assumed peg.
Nomad bridge hack ($190M) — A broken merkle root verification allowed anyone to drain the bridge. In restaking, the equivalent is a broken proof verification in NCN state transitions. If the NCN's consensus proof can be forged, the slashing/reward mechanism is meaningless.
The Road Ahead: Programmatic Slashing Changes Everything
Solana's current "social slashing" model means that validator penalties are decided by community governance — slow, manual, and imprecise. The move to programmatic slashing (on-chain, automated, deterministic) will fundamentally change the risk profile of restaking:
- Slashing becomes instant — No more weeks of governance deliberation. Bad behavior gets penalized in the next epoch.
- Composability with slashing — DeFi protocols can read slashing state on-chain and adjust collateral requirements in real-time.
- NCN-specific slashing programs — Each NCN will deploy its own slashing logic, which means each one is an independent audit target.
For restakers, this means: the era of "staking is safe" is over. Every NCN you opt into is a bet on both the protocol's security AND the correctness of its slashing implementation.
Conclusion
Solana restaking is one of the most exciting developments in the ecosystem — and one of the most dangerous if security doesn't keep pace with adoption. The risk multiplication of staking across multiple NCNs, the VRT depeg surface, withdrawal race conditions, and the approaching programmatic slashing era create a security landscape that demands rigorous auditing and defensive engineering.
If you're building a restaking vault, NCN, or any protocol that integrates restaked assets: treat every trust boundary as a potential exploit path. The TVL is real. The risks are real. Audit accordingly.
This article is part of a security best practices series covering DeFi attack surfaces on both EVM and Solana. Follow for weekly deep-dives into smart contract vulnerabilities, audit methodologies, and defense patterns.
Top comments (0)