Omnipair is a decentralized, oracle-less spot and margin trading hyperstructure for permissionless, isolated-collateral markets on Solana. Oracle-less lending lends pool liquidity to borrowers and enables leveraged trading of long-tail assets without whitelists, external oracles, or centralized risk controls.<\/p>\n
Omnipair<\/a> engaged Ackee Blockchain Security to perform fuzz testing of Omnipair oracle-less lending with a total time donation of 9 engineering days in a period between November 6 and November 21, 2025.<\/p>\n We began our review by familiarizing ourselves with the protocol\u2019s interface and structure. This included understanding the instructions, accounts passed as instruction parameters, and inputs to the instructions.<\/p>\n The next part was dedicated to writing simple fuzz tests to familiarize ourselves with instructions more deeply, to create a simple benchmark for which parts might be more difficult to fuzz, and to understand the whole flow of the scope. This included writing fuzz tests for:<\/p>\n After the initial part, we started to implement complex fuzz tests dedicated to the protocol\u2019s main logic. This included:<\/p>\n The fuzz testing was performed on commit The classification of a security finding is determined by two sub-ratings: Impact and Likelihood. This two-dimensional rating makes the severity of issues more noise-free, without losing any information. The likelihood factor usually decreases severity of medium issues that would be just acknowledged by the team to infos and warning.<\/p>\n Our review resulted in 5 findings<\/strong> ranging from High to Warning severity:<\/p>\n No critical severity issues were found.<\/p>\n H1: Pair initialization accepts unvetted mints allowing malicious authorities and extensions<\/p>\n M1: Initialize does not support Token-2022<\/p>\n No low severity issues were found.<\/p>\n W1: View instructions accept unbound accounts for rate model and user position<\/p>\n W2: W3: No informational severity issues were found.<\/p>\nMETHODOLOGY<\/span><\/h2>\n
\n
\n
SCOPE<\/span><\/h2>\n
4ddef2a<\/code> and the scope was the following:<\/p>\n\n
FINDINGS<\/span><\/h2>\n
Critical severity<\/h3>\n
High severity<\/h3>\n
Medium severity<\/h3>\n
Low severity<\/h3>\n
Warning severity<\/h3>\n
Initialize<\/code> accepts self-pair without distinct token check<\/p>\nCommonAdjustPosition<\/code> context accepts non-canonical pair-owned token vaults<\/p>\nInformational severity<\/h3>\n
CONCLUSION<\/span><\/h2>\n