I spoke to a Solana project (Cyfrin does Solana work now!) about their codebase, and we asked them why they kept a piece of their codebase out of scope for an audit.
Their answer:
“We plan to keep it closed-source so the security needs are less.”
1. Without a security review, you’re only delaying the moment attackers break down your project and find the holes. Obscurity buys time, not safety: whatever is deployed can still be reverse-engineered, and a review finds the bugs before someone else does. Relying on obscurity should never be your entire security plan!
2. It seems this is a trend across Solana projects. This needs to change!
Also, closed-source contracts have issues regardless, but that’s for another day…