Threat model

The Depository contract receives funds from users, and an allocator can sign messages authorizing the withdrawal of funds from the depository. As such, the allocator itself has to be trusted to sign messages only if the user’s intent was successfully filled.

The contract is not upgradable, meaning that once deployed, the code cannot be changed.

Audits

The Relay Depository contracts written for Solana have been audited by Certora, and you can find the audit reports.