Onre Protocol is a token exchange platform built on Solana that facilitates automated market-making through deterministic pricing mechanisms.
Tokenized (re)insurance pools is a subcomponent of Onre that implements a unique offer-based architecture in which the protocol owner creates and manages token exchange offers with time-based pricing vectors that simulate APR-based growth.
Onre engaged Ackee Blockchain Security to perform a security review of Onre tokenized (re)insurance pools with a total time donation of 13 engineering days in a period between October 15 and November 3, 2025.
Onre then engaged Ackee Blockchain Security to perform a fix review of the findings from the previous revision between November 13 and November 13, 2025.
Onre then engaged Ackee Blockchain Security to perform a final fix review of the findings from the previous revision between November 21 and November 21, 2025.
METHODOLOGY
The Ackee Blockchain Security auditing process follows a routine series of steps:
- Code review
  - High-level review of the specifications, sources, and instructions provided to us to make sure we understand the project’s size, scope, and functionality.
  - Detailed manual code review, which is the process of reading the source code line-by-line to identify potential vulnerabilities. We focus mainly on common classes of Solana program vulnerabilities, such as: missing ownership checks, missing signer authorization, signed CPI of unverified programs, cosplay of Solana accounts, missing rent exemption assertion, bump seed canonicalization, incorrect accounts closing, casting truncation, numerical precision errors, arithmetic overflows or underflows.
  - Comparison of the code and given specifications, ensuring that the program logic correctly implements everything intended.
  - Review of best practices to improve efficiency, clarity, and maintainability.
- Testing and automated analysis
  - Run the client’s tests to ensure that the system works as expected, and potentially write missing unit or fuzz tests using our testing framework Trident.
- Local deployment + hacking
  - The programs are deployed locally, and we try to attack the system and break it. There is no specific strategy here, and each project’s attack attempts are unique to its implementation.
We began our review by analyzing the protocol architecture and documentation to understand the offer-based token exchange mechanism and pricing vector implementation. The initial phase focused on mapping the trust model, identifying critical functions, and understanding the dual settlement paths (burn/mint vs vault transfer).
In the second phase, we conducted systematic function-by-function analysis of all core protocol functions. We developed proof-of-concept scenarios for critical vulnerabilities while maintaining active communication with the client to clarify design intentions and discuss findings. During this phase, we paid special attention to:
- ensuring the fee collection mechanism operated consistently across both settlement paths;
- validating pricing vector calculations and APR-based growth mathematics;
- analyzing the approval system for replay attacks and binding issues;
- detecting Time-of-Check-Time-of-Use (TOCTOU) vulnerabilities in state transitions;
- ensuring Token-2022 extension compatibility did not introduce attack vectors;
- validating access controls and RBAC privilege boundaries;
- examining vault management for potential rug pull vectors; and
- ensuring proper validation of user inputs and slippage protection.
In the final phase, we categorized findings by severity, documented exploit scenarios, and provided actionable remediation recommendations.
For the fuzzing phase, we used Trident to test the protocol’s behavior under various conditions. We implemented a set of invariants and flows to ensure the protocol’s behavior was correct.
SCOPE
The audit was performed on the commit 27e9fe7 and the scope was the following:
The first fix revision was performed on commit 233b005.
The second fix revision was performed on commit 8b5b78e.
FINDINGS
The classification of a security finding is determined by two sub-ratings: Impact and Likelihood. This two-dimensional rating makes the severity of issues less noisy without losing any information. The likelihood factor usually lowers the severity of medium issues that the team would merely acknowledge to Info or Warning.
Our review resulted in 17 findings ranging from Medium to Info severity:
Critical severity
No critical severity issues were found.
High severity
No high severity issues were found.
Medium severity
M1: Missing token_program constraint prevents Token-2022 vault withdrawals
M2: Global approver key rotation can cause system-wide approval lockout
M3: Boss unbounded ONyc token minting
M4: Token 2022 is allowed but there is no validation for its extensions in place
Low severity
L1: Unsafe single-step ownership transfer
L2: Boss role hijack via Initialize call frontrun
Warning severity
W1: Inconsistent APY-take_offer model
W2: Vector addition blocked due to incorrect validation logic
W3: Fees are burned instead of being collected
W4: Backdated vector price
W5: Centralization and absence of standard DeFi safeguards
W6: Vector cleanup executes after empty slot check
W7: Deleting active single vector causes DoS
W8: Immediate fee changes enable TOCTOU attacks
W9: Token-2022 transfer fee causes user to receive less token_out
W10: Token-2022 transfer fee on token_in breaks burn path leading to potential DoS
Informational severity
I1: Unnecessary code logic
TRUST MODEL
Onre operates under a fully centralized trust model with the Boss role holding absolute authority over all critical functions.
Boss privileges:
- Unlimited token minting without caps or restrictions
- Immediate fee modifications up to 100% without user notification
- Unrestricted vault withdrawals at any time
- Instant offer closure and parameter changes
- Complete control over approval requirements and approver rotation
- Authority to enable/disable protocol operations via kill switch
- Ability to add and remove admins
Admin privileges:
- Activate the kill switch
Users must trust that:
- The Boss will not mint tokens to devalue holdings
- Fees will not be manipulated during transaction execution
- Vault funds will not be withdrawn while offers are active
- Offer parameters will remain stable during interactions
- The approver key will not be rotated to invalidate existing approvals
CONCLUSION
Ackee Blockchain Security recommended that Onre:
- implement slippage protection and timelocks for all parameter changes to prevent TOCTOU risk;
- add strict validation for Token-2022 extensions, rejecting tokens with dangerous extensions such as permanent delegate, transfer fees, and freeze authority;
- clarify the design intent for vector timing mechanics and implement consistent validation logic;
- implement proper two-step ownership transfers with acceptance requirements;
- introduce a counterbalance to the Boss role to mitigate the single point of failure and the issues caused by centralization; and
- address all remaining identified issues.
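One way to enforce the Token-2022 recommendation above (and finding M4), as an added example that is not Onre's or Ackee's code: a dependency-free Rust parser that walks a mint account's raw bytes and rejects a set freeze authority, `TransferFeeConfig`, or `PermanentDelegate`. The function names, the `Reject` enum and the sample mints are constructed for illustration, and the caller is assumed to have already checked that the account is owned by a token program.

```rust
// Added example. Offsets follow the SPL Token / Token-2022 mint account layout.
const BASE_MINT_LEN: usize = 82; // legacy Mint size
const FREEZE_TAG: usize = 46; // COption<Pubkey> tag (u32 LE); 0 = None
const ACCOUNT_TYPE: usize = 165; // base is zero-padded up to this byte
const TRANSFER_FEE_CONFIG: u16 = 1;
const PERMANENT_DELEGATE: u16 = 12;

#[derive(Debug, PartialEq)]
pub enum Reject { Malformed, FreezeAuthority, TransferFee, PermanentDelegate }

/// Ok(()) only if the raw mint data carries none of the rejected features.
pub fn validate_mint(d: &[u8]) -> Result<(), Reject> {
    if d.len() < BASE_MINT_LEN { return Err(Reject::Malformed); }
    let tag = u32::from_le_bytes([d[FREEZE_TAG], d[FREEZE_TAG + 1], d[FREEZE_TAG + 2], d[FREEZE_TAG + 3]]);
    if tag != 0 { return Err(Reject::FreezeAuthority); } // anything but None is rejected
    if d.len() == BASE_MINT_LEN { return Ok(()); } // no extension data
    // Extended mint: account-type byte (1 = Mint), then TLV entries.
    if d.len() <= ACCOUNT_TYPE || d[ACCOUNT_TYPE] != 1 { return Err(Reject::Malformed); }
    let mut i = ACCOUNT_TYPE + 1;
    while i + 4 <= d.len() {
        let ty = u16::from_le_bytes([d[i], d[i + 1]]);
        let len = u16::from_le_bytes([d[i + 2], d[i + 3]]) as usize;
        if ty == 0 { break; } // Uninitialized marks the end of the entries
        if i + 4 + len > d.len() { return Err(Reject::Malformed); } // truncated value
        match ty {
            TRANSFER_FEE_CONFIG => return Err(Reject::TransferFee),
            PERMANENT_DELEGATE => return Err(Reject::PermanentDelegate),
            _ => {}
        }
        i += 4 + len;
    }
    Ok(())
}

/// Constructed sample mint: optional freeze authority plus (type, length) TLV entries.
pub fn sample_mint(freeze: bool, exts: &[(u16, u16)]) -> Vec<u8> {
    let mut d = vec![0u8; BASE_MINT_LEN];
    if freeze { d[FREEZE_TAG] = 1; }
    if !exts.is_empty() {
        d.resize(ACCOUNT_TYPE, 0);
        d.push(1); // AccountType::Mint
        for &(ty, len) in exts {
            d.extend_from_slice(&ty.to_le_bytes());
            d.extend_from_slice(&len.to_le_bytes());
            d.resize(d.len() + len as usize, 0); // zeroed value bytes
        }
    }
    d
}

fn main() {
    println!("{:?}", validate_mint(&sample_mint(false, &[(3, 32), (12, 32)])));
}
```

Freeze authority is a field of the base mint rather than an extension, which is why it is read at a fixed offset instead of from the TLV entries.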
Ackee Blockchain Security’s full Onre oracle-less staking audit report can be found here.
We were delighted to audit Onre and look forward to working with them again.