Kamino Lend Fuzz Test Summary

By Crypto Flexs | February 8, 2026 | 4 Mins Read

Kamino Lend is a decentralized lending platform deployed on the Solana blockchain that allows users to lend and borrow assets with flexible terms and interest rates.

Kamino worked with Ackee Blockchain Security and donated a total of 6 days of engineering time between January 20 and January 30, 2025 to conduct fuzz testing focused on the Kamino Lend protocol. No manual code review was performed.

Kamino then partnered with Ackee Blockchain Security to conduct a second round of fuzz testing of the Kamino Lend protocol, donating a total of 15 days of engineering time between June 23 and July 28, 2025.

Revision 2.1 reviews revisions to findings from previous revisions.

Methodology

The fuzz testing followed a systematic approach:

  1. Code and architecture analysis
    1. A high-level review of the Solana program specification, Rust source, and instruction handlers to understand the size, scope, and functionality of the program
    2. Analysis of Solana program entry points to identify instruction processors, account verification logic, and critical operations
    3. Comparison of the Rust implementation with the given specification to ensure that the program logic correctly implements everything intended
  2. Fuzz testing with Trident
    1. Interface analysis
      1. Detailed examination of Solana instruction handlers and their account parameters
      2. Identifying program-derived addresses (PDAs), account ownership, and cross-program invocation patterns
      3. Mapping account state transitions and Solana runtime data flow
    2. Early behavioral exploration
      1. Writing a simple Trident fuzz test to observe the execution of Solana program instructions
      2. Understanding account verification constraints and Solana runtime limitations
      3. Identifying unexpected program behavior, panics, or edge cases in instruction processing
    3. Invariant definition
      1. Creating invariants based on expected Solana program properties and account state requirements
      2. Defining security-critical conditions for verifying account ownership, balance constraints, and permissions
      3. Setting assertions for account state consistency and program-derived address integrity
    4. Complex stateful fuzz testing
      1. Writing complex Trident fuzz tests that model stateful interactions across multiple Solana instructions
      2. Testing transaction sequences and their impact on account state and program data
      3. Exploring interdependencies between instruction handlers and cross-program invocations
    5. Extended fuzz testing campaign
      1. Running an extended Trident fuzz testing campaign to explore all edge cases of instruction execution
      2. Allowing the fuzzer to explore deep account state combinations and program execution paths
      3. Maximizing Rust code coverage and Solana instruction handler path exploration
    6. Dashboard analysis
      1. Continuous analysis of the Trident fuzz test dashboard throughout the process
      2. Monitoring program panics, instruction failures, and Rust code coverage metrics
      3. Identifying patterns that indicate potential Solana program vulnerabilities or runtime issues
  3. Vulnerability assessment
    1. Classification of discovered Solana program issues based on severity and impact on protocol security
    2. Development of proof-of-concept transaction sequences for important discoveries
    3. Recommendations for Rust code modifications based on Trident fuzz test results

Scope

Fuzz testing was performed on commit 829c1f3. The scope was as follows:

  • Kamino Lend, excluding external dependencies.

A second fuzz test was performed on commit fe1ad10. The scope was expanded and included:

  • Kamino Lend, excluding external dependencies.

A third fuzz test was performed on commits 4c58439, 89a6a81 and 542ffdb, respectively. Results reported in previous revisions have been revised. Full details, including Kamino’s approval, are in the full audit report linked below.

Findings

The classification of security findings is determined by two subscales: Impact and Probability. This two-dimensional rating gives a less noisy view of the severity of a problem without loss of information. The probability factor reduces the severity of intermediate issues that the team typically recognizes as Informational and Warning.

The review resulted in 8 findings, of Warning and Informational severity:

Critical severity

No critical severity issues were found.

High severity

No high severity issues were found.

Medium severity

No medium severity issues were found.

Low severity

No low severity issues were found.

Warning severity

W1: WithdrawObligationCollateralV2 withdrawal overflow

W2: RepayAndWithdrawAndRedeemV2 minus overflow

W3: Unhandled panic

W4: Borrowing limit excludes fees for verifying the borrowed amount.

W5: Liquidation instruction causes panic due to unwrapping of None value.

W6: Withdrawal obligation collateral instruction canceled due to invariant owner.

W7: Causes panic because the instruction divides by 0 when the deposited value is 0.
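
The following Rust example is added here for illustration and is not code from the Ackee report, from Trident, or from Kamino Lend. It applies the invariant definition and stateful fuzzing steps from the methodology to a hypothetical toy lending model, showing how the panic classes named in W5 and W7 (unwrapping `None`, dividing by a zero deposited value) surface in a naive handler and become ordinary errors in a hardened one. `Obligation`, `Ix`, `naive`, `hardened`, `fuzz` and the 75% limit are all assumptions.

```rust
use std::panic::{catch_unwind, AssertUnwindSafe};
// Toy model for illustration only: not Kamino Lend's accounts or instructions.
#[derive(Default, Clone, Copy)]
struct Obligation { deposited: u64, borrowed: u64 }
enum Ix { Deposit(u64), Borrow(u64), Repay(u64), Withdraw(u64) }
type Handler = fn(&mut Obligation, Ix) -> Result<(), &'static str>;
// Invariant: debt never exceeds 75% of collateral (multiplied out, so no division).
fn healthy(o: &Obligation) -> bool { o.borrowed as u128 * 100 <= o.deposited as u128 * 75 }
// Naive handlers: divide by the deposited value and unwrap checked arithmetic.
fn naive(o: &mut Obligation, ix: Ix) -> Result<(), &'static str> {
    match ix {
        Ix::Deposit(a) => o.deposited += a,
        Ix::Borrow(a) if (o.borrowed + a) * 100 / o.deposited > 75 => return Err("ltv"), // panics if deposited == 0
        Ix::Borrow(a) => o.borrowed += a,
        Ix::Repay(a) => o.borrowed = o.borrowed.checked_sub(a).unwrap(), // panics on None
        Ix::Withdraw(a) => o.deposited = o.deposited.checked_sub(a).unwrap(), // and skips the health check
    }
    Ok(())
}

// Hardened handlers: every failure is an Err, and state commits only if the invariant holds.
fn hardened(o: &mut Obligation, ix: Ix) -> Result<(), &'static str> {
    let mut n = *o;
    match ix {
        Ix::Deposit(a) => n.deposited = n.deposited.checked_add(a).ok_or("overflow")?,
        Ix::Borrow(a) => n.borrowed = n.borrowed.checked_add(a).ok_or("overflow")?,
        Ix::Repay(a) => n.borrowed = n.borrowed.checked_sub(a).ok_or("repay exceeds debt")?,
        Ix::Withdraw(a) => n.deposited = n.deposited.checked_sub(a).ok_or("withdraw exceeds deposit")?,
    }
    if !healthy(&n) { return Err("unhealthy"); }
    *o = n;
    Ok(())
}

// Stateful fuzz loop over a random instruction sequence; returns (panics, invariant violations).
fn fuzz(handler: Handler, seed: u64, steps: u32) -> (u32, u32) {
    let (mut rng, mut o, mut panics, mut broken) = (seed, Obligation::default(), 0, 0);
    for _ in 0..steps {
        rng ^= rng << 13; rng ^= rng >> 7; rng ^= rng << 17; // xorshift64, constructed input
        let amt = (rng >> 8) % 1000;
        let ix = match rng % 4 { 0 => Ix::Deposit(amt), 1 => Ix::Borrow(amt), 2 => Ix::Repay(amt), _ => Ix::Withdraw(amt) };
        let before = o;
        let panicked = catch_unwind(AssertUnwindSafe(|| handler(&mut o, ix))).is_err();
        if panicked { panics += 1 } else if !healthy(&o) { broken += 1 } else { continue }
        o = before; // roll back, as an aborted transaction would
    }
    (panics, broken)
}
fn main() { for h in [naive as Handler, hardened as Handler] { println!("{:?}", fuzz(h, 0x9E37_79B9_7F4A_7C15, 2000)); } }
```

Run stand-alone, the naive pass writes each caught panic message to stderr before the two result tuples are printed.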

Informational severity

I1: Unused code

Conclusion

Ackee Blockchain Security recommended that Kamino:

    • Investigate the findings and severity of the problem;
    • Read and review the entire audit report; and
    • Address any identified issues.

Ackee Blockchain Security’s full Kamino Lend fuzzing report can be found here.

We were delighted to appreciate Kamino and look forward to working together again.
