Security model

BazaarFi's trust story is simple: the program holds the assets, and the program has no owner-controlled escape hatches. The protocol authority can pause new activity as a circuit breaker, but it can never touch escrowed assets, redirect settlements, or block a maker from reclaiming their own property.

What the program verifies

  • Ownership and authority — every deposit and settlement checks token account ownership, mint match, and amounts via transfer_checked. Spoofed or substituted accounts fail account validation.
  • NFT authenticity — an "NFT" must be a mint with supply 1 and 0 decimals. Collection verification status is read from on-chain metadata and displayed everywhere, so unverified lookalikes are visually obvious.
  • Token-2022 extension gating — mints with transfer hooks, non-zero transfer fees, or permanent delegates are rejected outright. These extensions can siphon value or claw back tokens after settlement; the program refuses to escrow or request them.
  • Status guards — each instruction requires an exact trade status, making double-settlement, settle-after-cancel, and replay structurally impossible. A completed trade can never settle again because the vaults are closed and the status is terminal.
  • On-chain expiry — deadlines are checked against the cluster clock inside the program. A stale UI cannot let anyone accept an expired trade.
  • Checked arithmetic — all lamport and token math uses overflow-checked operations; any overflow aborts the transaction.
  • Canonical PDAs — trade accounts and vaults derive from canonical bumps, preventing account substitution and re-initialization attacks.
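The status guards, on-chain expiry and checked arithmetic above, as an added Rust model that is not BazaarFi's own program code: the `TradeStatus`, `Trade` and `TradeError` names, the transition rules (cancel allowed from Open or Active), and the basis-point fee helper are assumptions for illustration. Each instruction demands one exact status, so a second settle or a settle-after-cancel fails on the status check rather than on any caller-controlled input.

```rust
// Added example, not BazaarFi's code: minimal model of exact-status guards,
// clock-checked expiry, and overflow-checked fee math. Names are assumed.
#[derive(Clone, Copy, Debug, PartialEq, Eq)]
pub enum TradeStatus { Open, Active, Settled, Cancelled, Expired }

#[derive(Debug, PartialEq, Eq)]
pub enum TradeError { WrongStatus, IncompleteEscrow, Expired, Overflow }

#[derive(Debug)]
pub struct Trade {
    pub status: TradeStatus,
    pub deadline: i64, // unix timestamp, compared against the cluster clock
    pub maker_escrowed: bool,
    pub taker_escrowed: bool,
}

fn require_status(t: &Trade, want: TradeStatus) -> Result<(), TradeError> {
    if t.status == want { Ok(()) } else { Err(TradeError::WrongStatus) }
}

/// Activation needs both sides fully escrowed and an unexpired deadline.
pub fn activate(t: &mut Trade, now: i64) -> Result<(), TradeError> {
    require_status(t, TradeStatus::Open)?;
    if now >= t.deadline { return Err(TradeError::Expired); }
    if !(t.maker_escrowed && t.taker_escrowed) { return Err(TradeError::IncompleteEscrow); }
    t.status = TradeStatus::Active;
    Ok(())
}

/// Settlement is reachable only from Active; Settled is terminal, so a replay fails.
pub fn settle(t: &mut Trade, now: i64) -> Result<(), TradeError> {
    require_status(t, TradeStatus::Active)?;
    if now >= t.deadline { return Err(TradeError::Expired); }
    t.status = TradeStatus::Settled;
    Ok(())
}

/// Maker reclaim: allowed from Open or Active (assumed), never from a terminal status.
pub fn cancel(t: &mut Trade) -> Result<(), TradeError> {
    match t.status {
        TradeStatus::Open | TradeStatus::Active => { t.status = TradeStatus::Cancelled; Ok(()) }
        _ => Err(TradeError::WrongStatus),
    }
}

/// Fee in lamports as amount * bps / 10_000, aborting instead of wrapping on overflow.
pub fn fee_lamports(amount: u64, fee_bps: u64) -> Result<u64, TradeError> {
    amount.checked_mul(fee_bps).and_then(|v| v.checked_div(10_000)).ok_or(TradeError::Overflow)
}
```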

What BazaarFi cannot do

  • Move, freeze, or redirect escrowed assets.
  • Change a trade's terms after creation.
  • Accept a trade on anyone's behalf.
  • Prevent a maker from cancelling and reclaiming.

Your keys never leave your wallet. Every action is a transaction you sign, and the confirmation dialogs enumerate exactly what enters and leaves your wallet before you sign.

Testing

The program ships with a security-focused test suite covering fake-NFT rejection, forbidden Token-2022 extensions on both sides of a trade, spoofed vault and treasury accounts, self-trading, private-trade enforcement, double deposits, incomplete-escrow activation, expiry cranks, pause behavior, and full settlement accounting for every asset class.