Omnipair is a decentralized, oracle-less spot and margin trading hyperstructure for permissionless, isolated-collateral markets on Solana. Oracle-less lending lends pool liquidity to borrowers and enables leveraged trading of long-tail assets without whitelists, external oracles, or centralized risk controls.
Omnipair engaged Ackee Blockchain Security to perform fuzz testing of Omnipair oracle-less lending with a total time donation of 9 engineering days in a period between November 6 and November 21, 2025.
METHODOLOGY
We began our review by familiarizing ourselves with the protocol’s interface and structure. This included understanding the instructions, accounts passed as instruction parameters, and inputs to the instructions.
The next part was dedicated to writing simple fuzz tests to familiarize ourselves with instructions more deeply, to create a simple benchmark for which parts might be more difficult to fuzz, and to understand the whole flow of the scope. This included writing fuzz tests for:
- account initialization instructions;
- operations on initialized accounts;
- protocol state modifications; and
- final execution paths.
After the initial part, we started to implement complex fuzz tests dedicated to the protocol’s main logic. This included:
- creating independent fuzz tests for distinct protocol components;
- implementing invariant checks; and
- creating instruction flows to test user workflows.
SCOPE
The fuzz testing was performed on commit 4ddef2a and the scope was the following:
- Omnipair oracle-less lending protocol, excluding external dependencies.
FINDINGS
The classification of a security finding is determined by two sub-ratings: Impact and Likelihood. This two-dimensional rating reduces noise in issue severity without losing any information. The likelihood factor usually lowers the severity of medium issues that the team would merely acknowledge to info or warning.
Our review resulted in 5 findings ranging from High to Warning severity:
Critical severity
No critical severity issues were found.
High severity
H1: Pair initialization accepts unvetted mints allowing malicious authorities and extensions
Medium severity
M1: Initialize does not support Token-2022
Low severity
No low severity issues were found.
Warning severity
W1: View instructions accept unbound accounts for rate model and user position
W2: Initialize accepts self-pair without distinct token check
W3: CommonAdjustPosition context accepts non-canonical pair-owned token vaults
Informational severity
No informational severity issues were found.
CONCLUSION
Ackee Blockchain Security recommended that Omnipair:
- investigate the findings and their severity;
- read and review the complete audit report;
- harden account validation and token handling (Token-2022, fees, mint/extension restrictions); and
- address all identified issues.
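A sketch of the kind of mint and pair vetting that H1, W2 and the hardening recommendation point at, added here as an example; it is not Omnipair's code and is not taken from the audit report. The `MintInfo` model, the freeze-authority rule and the extension allowlist are assumed policy choices, with plain Rust types standing in for on-chain account data.

```rust
// Added sketch: every type and name below is hypothetical, not Omnipair's code.
#[derive(Clone, Copy, PartialEq, Debug)]
enum TokenProgram { SplToken, Token2022, Other }

#[allow(dead_code)]
#[derive(Clone, Copy, PartialEq, Debug)]
enum Extension { MetadataPointer, TransferFeeConfig, TransferHook, PermanentDelegate, DefaultAccountState }

#[derive(PartialEq, Debug)]
enum Reject { SelfPair, UnknownTokenProgram, FreezeAuthority, Extension(Extension) }

// Constructed model of the fields an initialize handler would read from a mint account.
struct MintInfo {
    address: [u8; 32],
    owner: TokenProgram,
    has_freeze_authority: bool,
    extensions: Vec<Extension>,
}

// Assumed policy: an allowlist, so an extension nobody has reviewed is rejected by default.
const ALLOWED: &[Extension] = &[Extension::MetadataPointer];

fn vet_mint(m: &MintInfo) -> Result<(), Reject> {
    // Accept both token programs explicitly; anything else is not a token mint.
    match m.owner {
        TokenProgram::SplToken | TokenProgram::Token2022 => {}
        TokenProgram::Other => return Err(Reject::UnknownTokenProgram),
    }
    // A live freeze authority can freeze the pool's vault after deposits arrive.
    if m.has_freeze_authority {
        return Err(Reject::FreezeAuthority);
    }
    match m.extensions.iter().find(|e| !ALLOWED.contains(e)) {
        Some(e) => Err(Reject::Extension(*e)),
        None => Ok(()),
    }
}

fn vet_pair(a: &MintInfo, b: &MintInfo) -> Result<(), Reject> {
    // Distinct-token check first: a pair of a mint with itself is never valid.
    if a.address == b.address {
        return Err(Reject::SelfPair);
    }
    vet_mint(a)?;
    vet_mint(b)
}

fn main() {
    let plain = MintInfo { address: [1; 32], owner: TokenProgram::SplToken, has_freeze_authority: false, extensions: vec![] };
    let hooked = MintInfo { address: [2; 32], owner: TokenProgram::Token2022, has_freeze_authority: false, extensions: vec![Extension::MetadataPointer, Extension::TransferHook] };
    println!("{:?} {:?}", vet_pair(&plain, &hooked), vet_pair(&plain, &plain));
}
```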
Ackee Blockchain Security’s full Omnipair oracle-less lending audit report can be found here.
We were delighted to audit Omnipair and look forward to working with the team again.