
Onre Tokenized Pool Audit Summary

By Crypto Flexs, January 31, 2026, 6 Mins Read

The Onre Protocol is a token exchange platform built on Solana that facilitates automated market making through a deterministic pricing mechanism.

Tokenized (Re)Insurance Pool is a sub-component of Onre that implements a unique offer-based architecture where protocol owners create and manage token exchange offers using time-based pricing vectors simulating APR-based growth.

Onre engaged Ackee Blockchain Security, which dedicated a total of 13 engineering days from October 15 to November 3, 2025 to a security review of the Onre tokenized (re)insurance pool.

Onre then worked with Ackee Blockchain Security on a revision review of the fixes for the findings of the initial review, performed on November 13, 2025.

Onre then worked with Ackee Blockchain Security on a final revision review of the fixes for the findings of the previous revision, performed on November 21, 2025.

Methodology

The Ackee Blockchain Security audit process follows a fixed series of steps:

  1. Code review
    1. We review the provided specifications, sources, and guidance at a high level to ensure a clear understanding of the project's size, scope, and functionality.
    2. Detailed manual code review: reading the source code line by line to identify potential vulnerabilities. We focus mainly on common classes of Solana program vulnerabilities, such as missing ownership checks, missing signer checks, signed CPI to an unverified program, Solana account confusion ("account cosplay"), missing rent-exemption checks, bump seed canonicalization, incorrect account closing, casting truncation, numeric precision errors, and arithmetic overflow or underflow.
    3. Comparison of the code against the given specification to ensure that the program logic correctly implements everything it is intended to.
    4. Review of best practices to improve efficiency, clarity, and maintainability.
  2. Testing and automated analysis
    1. We run the client tests to ensure the system works as expected, and write any missing unit or fuzz tests using the Trident testing framework.
  3. Local deployment and hacking
    1. The program is deployed locally and we attempt to attack and break the system. There is no fixed strategy here; the attack attempts vary for each project depending on its implementation.

We began our review by analyzing the protocol architecture and documentation to understand the offer-based token exchange mechanism and the pricing vector implementation. The initial phase focused on mapping the trust model, identifying critical features, and understanding the two settlement paths (burn/mint vs. vault transfer).

In the second step, we performed a systematic function-by-function analysis of all core protocol features. We developed a proof-of-concept scenario for a critical vulnerability while maintaining active communication with the client to clarify design intent and discuss results. At this stage we paid special attention to the following:

  • Ensuring that fee collection behaves consistently across both settlement paths.
  • Checking the price vector calculations and verifying the APR-based growth math.
  • Analyzing the authorization system for replay attacks and binding problems.
  • Detecting Time-of-Check-Time-of-Use (TOCTOU) vulnerabilities in state transitions.
  • Ensuring that Token-2022 extension compatibility does not open new attack vectors.
  • Validating access control and RBAC permission boundaries.
  • Investigating vault management for potential rug-pull vectors.
  • Ensuring proper validation of user input and slippage protection.

The final step categorized findings by severity, documented exploit scenarios, and provided actionable remediation recommendations.

In the fuzzing phase, we used Trident to test the behavior of the protocol under various conditions. We implemented a set of invariants and flows to ensure that the protocol behaves correctly.

Scope

The audit was performed on commit 27e9fe7. The scope is as follows:

The first revision was performed on commit 233b005.

The second revision was performed on commit 8b5b78e.

Findings

The classification of security findings is determined by two sub-scales: impact and probability. This two-dimensional rating gives a less noisy view of an issue's severity without loss of information. The probability factor lowers the severity of intermediate issues, which the team typically classifies as informational or warning.

Our review yielded 17 findings, with severity levels ranging from medium to informational.

Critical severity

No critical severity issues were found.

High severity

No high severity issues were found.

Medium severity

M1: Missing token_program constraint prevents Token-2022 vault withdrawal

M2: Global approver key rotation may result in system-wide approval lockout

M3: Unlimited ONyc token issuance by the Boss

M4: Token-2022 is accepted, but its extensions are not validated

Low severity

L1: Insecure single-step ownership transfer

L2: Boss role takeover by front-running the Initialize call

Warning severity

W1: Inconsistent APY model in take_offer

W2: Vector append blocked by incorrect validation logic

W3: Fees are not collected but burned

W4: Retroactive vector prices

W5: Centralization and absence of standard DeFi safeguards

W6: Vector cleanup runs after the empty-slot check

W7: Deleting the only active vector causes DoS

W8: TOCTOU attack possible through instantaneous fee change

W9: Token-2022 transfer fees reduce the amount of token_out users receive

W10: Token-2022 transfer fee on token_in blocks the burn path, leading to potential DoS

Informational severity

I1: Unnecessary code logic

Trust model

Onre operates on a fully centralized trust model, with the Boss role holding absolute authority over all critical functions.

Boss privileges:

  • Unlimited token issuance with no caps or rate limits
  • Instant fee changes of up to 100% without notice to users
  • Unlimited vault withdrawals at any time
  • Instant termination of offers and changes to their parameters
  • Complete control over approval requirements and approver rotation
  • Ability to enable or disable protocol behavior via a kill switch
  • Ability to add and remove administrators

Administrator privileges:

Users must trust that:

  • The Boss will not mint tokens to dilute their holdings.
  • Fees will not be manipulated during transaction execution.
  • Vault funds will not be withdrawn while an offer is active.
  • Offer parameters will remain stable during the interaction.
  • Approver keys will not be rotated to invalidate existing approvals.

Conclusion

Ackee Blockchain Security recommends that Onre:

  • Implement slippage protection and timelocks for every parameter change to prevent TOCTOU risks.
  • Add strict validation of Token-2022 extensions and reject tokens carrying dangerous extensions such as permanent delegates, transfer fees, and freeze authorities.
  • Clarify the design intent of the vector timing mechanisms and implement consistent validation logic.
  • Implement a proper two-step ownership transfer, consistent with the approval requirements.
  • Introduce checks and balances on the Boss role to mitigate the single point of failure and centralization risk.
  • Address the remaining identified issues.
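The Token-2022 extension validation recommended above, as an added example in Rust (not code from Onre or from the Ackee report): it parses a mint account's TLV extension list and rejects mints that carry a freeze authority, a transfer-fee config, or a permanent delegate, while letting harmless extensions through. The byte offsets and ExtensionType values are the SPL Token-2022 mint layout as this example assumes it, and the sample mint buffers are constructed, not real chain data.

```rust
// Added example (not Onre/Ackee code). Assumed SPL Token-2022 mint layout: 82-byte base mint, zero padding to 165 bytes, account-type byte (1 = Mint), then TLV entries.
const ACCOUNT_TYPE_OFFSET: usize = 165;
const EXT_TRANSFER_FEE_CONFIG: u16 = 1; // spl-token-2022 ExtensionType discriminants
const EXT_PERMANENT_DELEGATE: u16 = 12;
#[derive(Debug, PartialEq)] pub enum MintRejection { Malformed, HasFreezeAuthority, HasTransferFee, HasPermanentDelegate }
/// Walks the TLV section (u16 type, u16 length, payload) and lists the extension types present.
fn extension_types(data: &[u8]) -> Result<Vec<u16>, MintRejection> {
    let mut types = Vec::new();
    if data.len() <= ACCOUNT_TYPE_OFFSET { return Ok(types); } // legacy size: no extensions
    if data[ACCOUNT_TYPE_OFFSET] != 1 { return Err(MintRejection::Malformed); } // not a Mint
    let mut pos = ACCOUNT_TYPE_OFFSET + 1;
    while pos + 4 <= data.len() {
        let ty = u16::from_le_bytes([data[pos], data[pos + 1]]);
        let len = u16::from_le_bytes([data[pos + 2], data[pos + 3]]) as usize;
        if ty == 0 { break; } // type 0 (Uninitialized) ends the list
        pos += 4;
        if pos + len > data.len() { return Err(MintRejection::Malformed); }
        types.push(ty);
        pos += len;
    }
    Ok(types)
}

/// Rejects a mint with a freeze authority, a transfer-fee config, or a permanent delegate.
pub fn check_mint(data: &[u8]) -> Result<(), MintRejection> {
    if data.len() < 82 { return Err(MintRejection::Malformed); }
    // freeze_authority is a COption<Pubkey> at offset 46; a u32 tag of 1 means Some.
    if u32::from_le_bytes([data[46], data[47], data[48], data[49]]) == 1 {
        return Err(MintRejection::HasFreezeAuthority);
    }
    for ty in extension_types(data)? {
        if ty == EXT_TRANSFER_FEE_CONFIG { return Err(MintRejection::HasTransferFee); }
        if ty == EXT_PERMANENT_DELEGATE { return Err(MintRejection::HasPermanentDelegate); }
    }
    Ok(()) // other extensions (e.g. a metadata pointer) are allowed by this check
}

/// Constructed sample mint (not real chain data) with zero-filled payloads for each (type, len).
pub fn sample_mint(freeze: bool, exts: &[(u16, usize)]) -> Vec<u8> {
    let mut d = vec![0u8; ACCOUNT_TYPE_OFFSET + 1];
    d[45] = 1; // is_initialized
    if freeze { d[46] = 1; } // COption tag = Some (pubkey bytes left zero in the sample)
    d[ACCOUNT_TYPE_OFFSET] = 1; // account type: Mint
    for &(ty, len) in exts {
        d.extend_from_slice(&ty.to_le_bytes());
        d.extend_from_slice(&(len as u16).to_le_bytes());
        d.resize(d.len() + len, 0);
    }
    d
}
```

In a real program this check would run against the raw mint account data before an offer is created or taken, so that the fee-on-transfer (W9/W10) and permanent-delegate cases are refused up front rather than discovered at settlement.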

Ackee Blockchain Security’s full Onre Oracles staking audit report can be found here.

We would like to thank Onre and look forward to working with them again.
