On-chain activity
Accretion Auditing Service
Accretion Audit Service analyzes Solana protocol code for security vulnerabilities and technical issues. The service includes source code review, vulnerability assessment, and documentation analysis. Audit reports detail identified security concerns with technical explanations. Development teams receive findings through a structured review process that includes initial assessment, code analysis, and final recommendations.
Accretion
Accretion is a boutique security audit firm that audits Solana programs, and nothing else. Founded in January 2025 by Robert Reith — better known as r0bre in the ecosystem — the firm was built around a deliberate counter-thesis: at a moment when most security firms were generalizing across EVM, SVM, and Move chains, Accretion committed exclusively to the Solana Virtual Machine. The reasoning is blunt: Solana's runtime is different enough from other environments that cross-chain generalism produces surface-level coverage. Specialization is the product.
Core Mechanism
Every Accretion engagement is a manual security review of on-chain Solana programs. The firm covers the full surface area specific to SVM development: CPI (cross-program invocation) flows, account validation logic, PDA (program-derived address) derivation and ownership checks, runtime quirks, and Anchor framework nuances. Clients receive a written report cataloguing all findings by severity, a remediation review pass, six months of post-audit support, and 24/7 emergency response for critical issues that surface after publication.
The workflow is intentionally lean. Lead times run two to four weeks from engagement start to final report. The team does not operate a bug-bounty platform or offer automated scanning as a standalone product — the value proposition is researcher judgment applied to complex protocol logic.
Track Record
Since launch, Accretion has completed more than 60 audits covering protocols with over $2 billion in total value locked. Across those engagements the team has documented more than 130 high or critical severity findings, averaging roughly 2.3 per audit. The firm's own framing on this number is pointed: they routinely find critical bugs in code that other firms have already reviewed.
Public audit reports on GitHub cover engagements for Light Protocol, MetaDAO, Marginfi, Ellipsis, Realms, Sanctum, Metaplex, Jupiter, the Solana Foundation, and several newer protocols including Privacy Cash (ZK-based private transfers), Swig, Lazorkit, and RevTec V2. The reports span Anchor, native Solana, Pinocchio, and Jiminy frameworks.
Notable Security Research
Before Accretion launched as a firm, Reith's most consequential public contribution was breaking Solana's verified build system — twice. In 2023 he demonstrated that the Anchor verified build flow could be subverted via Rust's build.rs build-script execution: a malicious repository could embed the actual on-chain binary and substitute it at compile time, producing matching hashes and a fraudulent verified badge. In 2024 he exploited the successor system by combining that same build-time execution vector with a missing authorization check — anyone could submit verification metadata for any program they did not control. Accretion demonstrated this by getting the official Solana Explorer to display a green Program Source Verified badge for a repository they controlled that had nothing to do with the program it claimed to verify. The authorization flaw was patched; the underlying build-script execution issue remains inherent to Rust's build model.
The team publishes ongoing Solana security research through the Accretion Substack and blog. Highlights include a deep-dive on hidden IDL instructions in Anchor programs and how they can be abused, and a 100 Daily Solana Tips series authored by Reith covering both development and auditing techniques.
Team
Accretion operates with three full-time researchers:
Robert Reith (CEO / Lead Researcher) spent four years auditing Solana programs before founding Accretion, including a prior half-year on Polkadot. His background is in offensive web and application security, and he competes in CTF (capture-the-flag) competitions. He focuses on runtime internals and original security research.
Niklas Brymko (Security Researcher) brings a background in binary exploitation and reverse engineering. He has spent over a year auditing Solana DeFi protocols and earned a bug bounty on the SPL Token-2022 program.
Mahdi Rostami (Senior Researcher) previously held the top position on the Hats Finance bug-bounty leaderboard. He has two years of Solana-focused auditing experience alongside prior EVM and cross-chain work, with a specialization in DeFi protocol mechanics.
The firm hires only when demand outpaces capacity, and only from candidates with verifiable security output — bug-bounty rankings, CTF results, or published tooling.
Tokens and Assets
Accretion is a service business. It has no protocol token, on-chain treasury, governance mechanism, or liquidity pools.
Solana Ecosystem Fit
Smart contract security is a persistent bottleneck in Solana's growth. Exploits and critical bugs have drained hundreds of millions of dollars from the ecosystem since 2021. Accretion's narrow focus addresses a real gap: SVM-specific attack surfaces — particularly around CPI reentrancy patterns, account confusion bugs, and PDA ownership checks — differ materially from those in EVM, and firms that audit both environments often miss SVM-idiomatic vulnerabilities. By concentrating entirely on Solana, Accretion builds and retains the accumulated runtime knowledge required to catch bugs that survive generalist review. Its client list — which spans the Solana Foundation, Metaplex, Jupiter, Marginfi, Sanctum, and MetaDAO — reflects early trust from some of the most security-sensitive protocols in the ecosystem.
Contents
Note: inclusion in Solana Compass directory does not indicate a recommendation or endorsement of this project, its token(s) or its products. Data sourced with thanks from The Grid to aid in building these pages.Solana Token Markets
