Omnipair is Solana’s decentralized, oracle-less spot and margin trading hyperarchitecture for permissionless, isolated collateral markets. Its oracle-less lending lends pooled liquidity to borrowers and enables leveraged trading of long-tail assets without whitelists, external oracles, or centralized risk controls.
Omnipair partnered with Ackee Blockchain Security and donated a total of 9 days of engineering time between November 6 and November 21, 2025, to conduct fuzz testing of Omnipair's oracle-less lending.
Methodology
We began our review by familiarizing ourselves with the interface and structure of the protocol. This included understanding the instructions, the accounts passed as instruction parameters, and the inputs to the instructions.
The next part was dedicated to getting more deeply familiar with the instructions, creating simple benchmarks for parts that might be more difficult to fuzz, and writing simple fuzz tests to understand the overall flow of the scope. This included writing fuzz tests for:
- Account reset instructions;
- Actions for wiped accounts;
- Modifying protocol state; and
- Final execution path.
After this initial part, we started implementing complex fuzz tests focused solely on the basic logic of the protocol. This included:
- Generating independent fuzz tests for distinct protocol components;
- Implementing invariant checking; and
- Creating instruction flows to test user workflows.
Scope
Fuzz testing was performed on commit 4ddef2a. The scope was as follows:
- Omnipair oracle-less lending protocol excluding external dependencies.
The classification of security findings is determined by two sub-ratings: Impact and Probability. This two-dimensional rating gives a less noisy view of an issue's severity without loss of information. The probability factor reduces the severity of intermediate issues that the team typically recognizes as informational findings and warnings.
Our review resulted in 5 findings, ranging from High to Warning severity:
Critical severity
No critical severity issues were found.
High severity
H1: Pair initialization allows unverified mint, which allows for malicious authentication and expansion.
Medium severity
M1: Initialization does not support Token-2022.
Low severity
No low-severity issues were found.
Warning severity
W1: View instructions allow unbound accounts for rate model and user location.
W2: Initialize allows self-pairing without separate token confirmation.
W3: The CommonAdjustPosition context allows for non-standard pair-owned token storage.
Informational severity
No informational-severity issues were found.
Conclusion
Ackee Blockchain Security recommends that Omnipair:
- Investigate the findings and their severity;
- Read and review the entire audit report;
- Strengthen account verification and token processing (Token-2022, fees, issuance/extension limits); and
- Address any identified issues.
Ackee Blockchain Security’s full Omnipair oracle-less lending audit report can be found here.
We were delighted to audit Omnipair and look forward to working with the team again.
