The Neon EVM is a tool that allows Ethereum-like transactions to be processed on Solana, taking full advantage of the functionality native to Solana, including the ability to execute transactions in parallel. As such, the Neon EVM allows dApps to operate with the low gas fees, high transaction speed, and high throughput of Solana, while also offering access to the growing Solana market.

Neon Labs engaged Ackee Blockchain to review and audit their Neon EVM contract between September 26 and November 4, 2022. The entire audit process was conducted with a total time commitment of 33 engineering days. We now publish a summary of our results.


The beginning of the audit was dedicated to understanding the Neon EVM program.

Reviewing the specifications, sources, and instructions provided to us is essential to ensure we understand the project’s size, scope, and functionality. This is followed by a detailed manual code review, which is the process of reading the source code line by line to identify potential vulnerabilities. 

When the code review is complete, we run client’s tests to ensure the system works as expected and potentially write missing unit or fuzzy tests using our testing framework Trident. We also deploy programs locally and try to attack and break the system. 


We audited commit eeed4c4fd55e09d30a6a7ae4253a31bdd0bb7a35 of the neonlabsorg/neon-evm repository and commit 49bd848e08502010f6d5f31aa5cea4dac65eaad7 neonlabsorg/evm repository.

During the security review, we paid particular attention to the following questions:

  • Is the correctness of the custom EVM ensured?
  • Do the program correctly use dependencies or other programs they rely on (e.g., SPL dependencies)?
  • Is the code vulnerable to any form of unintended manipulation?


Here we present our findings.

Critical severity 

No critical severity issues were found.

High severity 

No high severity issues were found.

Medium severity

M1: Selfdestruct early evaluation

M2: The emulation of the spl_associated_token_program will not work

Low severity

L1: Precompiled ecrecover behaves incorrectly

Warning severity 

W1: Differences in the system program emulation

Informational severity 

I1: Redundant account check

I2: Unnecessary owner check

I3: Unnecessary instruction argument

I4: Unnecessary holder owner validation


Our review resulted in 8 findings ranging from Informational to Medium severity.

Since this was not a classic Solana program, two auditors were involved in the audit – one Solana auditor who checked the evm_loader and one Ethereum auditor who verified the implementation of the EVM itself.

We recommended Neon Labs to:

  • address all reported issues.

Update: On November 1, 2022, Neon Labs provided an updated codebase that addresses the reported issues. All of the findings were fixed, except I4. A detailed discussion of the exact status of each issue can be found in the the report.


Ackee Blockchain’s full Neon EVM contract audit report with a more detailed description of all findings and recommendations can be found here.


We were delighted to audit Neon Labs and look forward to working with them again.