DeFi Protocol CI Lacks Critical Dependency Audits, Exposing User Funds to Supply Chain Risk
A critical security gap has been identified in the continuous integration (CI) pipeline of a DeFi protocol that handles user funds. The pipeline runs no automated dependency vulnerability scanning at all: neither `pnpm audit` for the JavaScript/TypeScript packages nor `cargo audit` for the Rust program, so newly disclosed vulnerabilities in third-party dependencies go unnoticed until someone happens to look. This absence of basic Software Composition Analysis (SCA), together with the lack of Static/Dynamic Application Security Testing (SAST/DAST), was flagged as high-severity finding H-7 in a production readiness audit dated April 6, 2026, and remains unaddressed.
The protocol's dependency tree includes packages from smaller organizations with notable governance histories, specifically `@mrgnlabs/marginfi-client-v2` and the widely used `@coral-xyz/anchor` framework. Both warrant heightened scrutiny, yet neither is automatically monitored for newly disclosed vulnerabilities. The urgency of this oversight is amplified by the recent, catastrophic $285 million hack of the Drift protocol on April 1, 2026, which underscored the existential risks of insufficient supply chain vigilance in the DeFi sector.
To remediate this exposure, the acceptance criteria are: (1) run `pnpm audit` in CI, configured to fail the build on high or critical severity vulnerabilities; (2) install the `cargo-audit` tool in the CI environment and run `cargo audit` against the Solana Anchor program; and (3) where no Rust CI coverage exists today, consider adding it, including Anchor builds and tests. Because advisories are published independently of code changes, these audit jobs should run on a schedule as well as on every pull request; a check that only runs when code changes will miss a vulnerability disclosed against an unchanged lockfile. This fix represents a foundational security control that is currently missing for a financial application responsible for user capital.
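As an added example (not the protocol's own CI code, and not part of the audit report), the following POSIX shell script is one way a CI job could implement the three acceptance criteria. The repository layout (`pnpm-lock.yaml` at the root, the Anchor workspace under `programs/`), the `ANCHOR_DIR` variable and the function names are assumptions, as is the shape of the `pnpm audit --json` report, which follows npm's audit v1 format with an integer summary under `metadata.vulnerabilities`.

```shell
#!/usr/bin/env sh
# ci-dependency-audit.sh: added example, not the protocol's own CI code.
# Assumptions (not stated on the page): the repo root is a pnpm workspace with
# pnpm-lock.yaml, the Anchor workspace lives under $ANCHOR_DIR, and the runner
# already has node+pnpm, cargo, and (for the anchor target) the Solana/Anchor
# toolchains. Gate: high or critical blocks the build; moderate/low only report.
set -eu

ANCHOR_DIR="${ANCHOR_DIR:-programs}"   # assumed location of the Anchor workspace

# count_blocking REPORT: number of high + critical findings in a `pnpm audit --json`
# report. pnpm emits the npm "audit v1" shape, whose metadata.vulnerabilities
# summary has integer keys info/low/moderate/high/critical; only that summary is
# parsed (with sed/grep), so the runner does not need jq installed.
count_blocking() {
  summary=$(sed -n '/"vulnerabilities"/,/}/p' "$1")
  high=$(printf '%s\n' "$summary" | grep -o '"high": *[0-9][0-9]*' | head -n 1 | grep -o '[0-9]*$' || true)
  critical=$(printf '%s\n' "$summary" | grep -o '"critical": *[0-9][0-9]*' | head -n 1 | grep -o '[0-9]*$' || true)
  echo $(( ${high:-0} + ${critical:-0} ))
}

# audit_gate REPORT: returns 0 when nothing blocking was found, 1 otherwise.
audit_gate() {
  n=$(count_blocking "$1")
  if [ "$n" -gt 0 ]; then
    echo "dependency audit: $n high/critical findings in $1" >&2
    return 1
  fi
  echo "dependency audit: no high/critical findings in $1"
}

# JS/TS side. --frozen-lockfile refuses to resolve anything not already in the
# lockfile, so the audit covers exactly what ships. --audit-level=high makes pnpm
# exit non-zero only for high/critical; the JSON report is still written and
# re-checked by audit_gate so the decision is explicit and the report can be
# uploaded as a CI artifact.
js_audit() {
  pnpm install --frozen-lockfile
  pnpm audit --audit-level=high --json > pnpm-audit.json || true
  audit_gate pnpm-audit.json
}

# Rust side. cargo-audit is not part of the default toolchain, so install it
# (--locked pins cargo-audit's own dependency tree). cargo audit exits non-zero on
# any RustSec vulnerability; --deny warnings also fails on unmaintained/yanked crates.
rust_audit() {
  command -v cargo-audit >/dev/null 2>&1 || cargo install cargo-audit --locked
  ( cd "$ANCHOR_DIR" && cargo audit --deny warnings )
}

# Optional Rust coverage the ticket asks to consider: compile and test the program.
anchor_build_and_test() {
  ( cd "$ANCHOR_DIR" && anchor build && anchor test )
}

case "${1:-}" in
  js)     js_audit ;;
  rust)   rust_audit ;;
  anchor) anchor_build_and_test ;;
  all)    js_audit; rust_audit; anchor_build_and_test ;;
  *)      : ;;   # no target: only define the functions (so the file can be sourced)
esac
```

A workflow would call `sh ci-dependency-audit.sh all` on every pull request and again on a daily schedule, and upload `pnpm-audit.json` as an artifact so a failed gate is reviewable. Accepted exceptions should be recorded in the repository rather than by loosening the gate: `cargo audit --ignore <RUSTSEC id>` on the Rust side, and pnpm's `pnpm.auditConfig.ignoreCves` list in `package.json` on the JS side, each with a comment or commit message stating why the finding does not apply.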