Solana Agg Settlement Program - 0x Project

Prepared by:

HALBORN

Last Updated 04/10/2025

Date of Engagement: March 24th, 2025 - March 28th, 2025

Summary

100% of all REPORTED Findings have been addressed

All findings

Critical

High

Medium

Low

Informational

1. Introduction
2. Assessment summary
3. Test approach and methodology
4. Risk methodology
5. Scope
6. Assessment summary & findings overview
7. Findings & Tech Details

7.1 Lack of wsol mint validation
7.2 Lack of amount in validation against sell account balance
7.3 Improper use of expect() after checked arithmetic leading to uncontrolled panics

8. Automated Testing

1. Introduction

ZeroEx engaged Halborn to conduct a security assessment on sol-settler program beginning on March 24th, 2025 and ending on March 28th, 2025. The security assessment was scoped to the smart contracts provided in the GitHub repository sol-settler, commit hashes and further details can be found in the Scope section of this report.

The ZeroEx team is releasing the sol-settler program, an onchain settlement program to support swap routes from an offchain aggregation service.

During the security assessment a new action was added, pumpswap_buy, which allows users to trade tokens directly from liquidity pools without intermediaries through Pump Swap, a decentralized exchange which relies on an automated market maker (AMM) system.

2. Assessment Summary

Halborn was provided 5 days for the engagement and assigned one full-time security engineer to review the security of the Solana Programs in scope. The engineer is a blockchain and smart contract security expert with advanced smart contract hacking skills, and deep knowledge of multiple blockchain protocols.

The purpose of the assessment is to:

Identify potential security issues within the Solana Program.
Ensure that smart contract functionality operates as intended.

In summary, Halborn did not identify any significant security risks. However, some improvements were highlighted that were addressed by the ZeroEx team. The main ones were the following:

Add a check to ensure the provided wsol_mint_account corresponds to the native SOL mint.
Validate that amount_in is not lower than the actual balance of the sell account before processing any actions.
Replace expect() with structured error-handling mechanisms.

3. Test Approach and Methodology

Halborn performed a combination of a manual review of the source code and automated security testing to balance efficiency, timeliness, practicality, and accuracy in regard to the scope of the program assessment. While manual testing is recommended to uncover flaws in business logic, processes, and implementation; automated testing techniques help enhance coverage of programs and can quickly identify items that do not follow security best practices.

The following phases and associated tools were used throughout the term of the assessment:

Research into the architecture, purpose, and use of the platform.
Manual program source code review to identify business logic issues.
Mapping out possible attack vectors
Thorough assessment of safety and usage of critical Rust variables and functions in scope that could lead to arithmetic vulnerabilities.
Scanning dependencies for known vulnerabilities (cargo audit).
Local runtime testing (cargo test)

4. RISK METHODOLOGY

Every vulnerability and issue observed by Halborn is ranked based on two sets of Metrics and a Severity Coefficient. This system is inspired by the industry standard Common Vulnerability Scoring System.

The two Metric sets are: Exploitability and Impact. Exploitability captures the ease and technical means by which vulnerabilities can be exploited and Impact describes the consequences of a successful exploit.

The Severity Coefficients is designed to further refine the accuracy of the ranking with two factors: Reversibility and Scope. These capture the impact of the vulnerability on the environment as well as the number of users and smart contracts affected.

The final score is a value between 0-10 rounded up to 1 decimal place and 10 corresponding to the highest security risk. This provides an objective and accurate rating of the severity of security vulnerabilities in smart contracts.

The system is designed to assist in identifying and prioritizing vulnerabilities based on their level of risk to address the most critical issues in a timely manner.

4.1 EXPLOITABILITY

Attack Origin (AO):

Captures whether the attack requires compromising a specific account.

Attack Cost (AC):

Captures the cost of exploiting the vulnerability incurred by the attacker relative to sending a single transaction on the relevant blockchain. Includes but is not limited to financial and computational cost.

Attack Complexity (AX):

Describes the conditions beyond the attacker’s control that must exist in order to exploit the vulnerability. Includes but is not limited to macro situation, available third-party liquidity and regulatory challenges.

Metrics:

EXPLOITABILITY METRIC ( $m_e$ )	METRIC VALUE	NUMERICAL VALUE
Attack Origin (AO)	Arbitrary (AO:A) Specific (AO:S)	1 0.2
Attack Cost (AC)	Low (AC:L) Medium (AC:M) High (AC:H)	1 0.67 0.33
Attack Complexity (AX)	Low (AX:L) Medium (AX:M) High (AX:H)	1 0.67 0.33

Exploitability

E

is calculated using the following formula:

$E = \prod m_e$

4.2 IMPACT

Confidentiality (C):

Measures the impact to the confidentiality of the information resources managed by the contract due to a successfully exploited vulnerability. Confidentiality refers to limiting access to authorized users only.

Integrity (I):

Measures the impact to integrity of a successfully exploited vulnerability. Integrity refers to the trustworthiness and veracity of data stored and/or processed on-chain. Integrity impact directly affecting Deposit or Yield records is excluded.

Availability (A):

Measures the impact to the availability of the impacted component resulting from a successfully exploited vulnerability. This metric refers to smart contract features and functionality, not state. Availability impact directly affecting Deposit or Yield is excluded.

Deposit (D):

Measures the impact to the deposits made to the contract by either users or owners.

Yield (Y):

Measures the impact to the yield generated by the contract for either users or owners.

Metrics:

IMPACT METRIC ( $m_I$ )	METRIC VALUE	NUMERICAL VALUE
Confidentiality (C)	None (I:N) Low (I:L) Medium (I:M) High (I:H) Critical (I:C)	0 0.25 0.5 0.75 1
Integrity (I)	None (I:N) Low (I:L) Medium (I:M) High (I:H) Critical (I:C)	0 0.25 0.5 0.75 1
Availability (A)	None (A:N) Low (A:L) Medium (A:M) High (A:H) Critical (A:C)	0 0.25 0.5 0.75 1
Deposit (D)	None (D:N) Low (D:L) Medium (D:M) High (D:H) Critical (D:C)	0 0.25 0.5 0.75 1
Yield (Y)	None (Y:N) Low (Y:L) Medium (Y:M) High (Y:H) Critical (Y:C)	0 0.25 0.5 0.75 1

Impact

I

is calculated using the following formula:

$I = max(m_I) + \frac{\sum{m_I} - max(m_I)}{4}$

4.3 SEVERITY COEFFICIENT

Reversibility (R):

Describes the share of the exploited vulnerability effects that can be reversed. For upgradeable contracts, assume the contract private key is available.

Scope (S):

Captures whether a vulnerability in one vulnerable contract impacts resources in other contracts.

Metrics:

SEVERITY COEFFICIENT ( $C$ )	COEFFICIENT VALUE	NUMERICAL VALUE
Reversibility ( $r$ )	None (R:N) Partial (R:P) Full (R:F)	1 0.5 0.25
Scope ( $s$ )	Changed (S:C) Unchanged (S:U)	1.25 1

Severity Coefficient

C

is obtained by the following product:

$C = rs$

The Vulnerability Severity Score

S

is obtained by:

$S = min(10, EIC * 10)$

The score is rounded up to 1 decimal places.

Severity	Score Value Range
Critical	9 - 10
High	7 - 8.9
Medium	4.5 - 6.9
Low	2 - 4.4
Informational	0 - 1.9

5. SCOPE

Files and Repository

(a) Repository: sol-settler

(b) Assessed Commit ID: 13410f6

sol-settler-main/program/Cargo.toml
sol-settler-main/program/src/constants.rs
sol-settler-main/program/src/cpi_utils.rs

↓ Expand ↓

Out-of-Scope: Third party dependencies and economic attacks.

Files and Repository

(a) Repository: sol-settler

(b) Assessed Commit ID: 9f33067

program/src/cpi_utils.rs
program/src/dexes/mod.rs
program/src/dexes/pumpswap_amm/accounts.rs

↓ Expand ↓

Out-of-Scope: Third party dependencies and economic attacks.

Remediation Commit ID:

3909555

Out-of-Scope: New features/implementations after the remediation commit IDs.

6. Assessment Summary & Findings Overview

Critical

High

Medium

Low

Informational

Security analysis	Risk level	Remediation Date
Lack of wsol mint validation	Informational	Solved - 04/04/2025
Lack of amount in validation against sell account balance	Informational	Solved - 04/05/2025
Improper use of expect() after checked arithmetic leading to uncontrolled panics	Informational	Solved - 04/05/2025

7. Findings & Tech Details

7.1 Lack of wsol mint validation

Informational

Description

The wrap_sol action is responsible for creating a WSOL (Wrapped SOL) account with the requested amount, including the rent-exempt reserve. To achieve this, it requires multiple accounts, including the wsol_mint_account, which is expected to be used for initialization.

Once the WSOL account is initialized, the process follows these steps:

Debits the originating SOL account (from_account_info) with the requested amount, excluding the SOL reserved for rent exemption.
Credits the newly created WSOL account with the requested amount, also excluding rent.

Although the requested amount is correctly calculated based on amount_in_bps and the balances recorded in intra_program_balances for from_account_info, the program does not validate whether the provided wsol_mint_account actually corresponds to the native SOL mint.

This oversight allows the WSOL account to be initialized with an incorrect mint that may have different decimals. As a result, the computed amount (excluding rent-exempt SOL) used during initialization cannot be transferred to the associated token account. This leads to:

A reduction in the intra_program_balances for from_account_info, reflecting the debited amount.
A final token account balance of zero, making the funds unusable.

processor/actions/wrap_sol.rs

        let wsol_mint_info = &accounts[accounts_offset + 4];

        let intra_program_balance = *intra_program_balances.get(from_account_info.key())?;

        let amount = amount_from_bps(intra_program_balance, amount_in_bps)?;

        let rent = Rent::get()?;

        CreateAccount {
            from: from_account_info,
            to: wsol_account_info,
            lamports: amount
                .checked_add(rent.minimum_balance(pinocchio_token::state::TokenAccount::LEN))
                .ok_or(SolSettlerError::Overflow)?,
            space: pinocchio_token::state::TokenAccount::LEN as u64,
            owner: token_program_info.key(),
        }
        .invoke()?;

        InitializeAccount3 {
            account: wsol_account_info,
            mint: wsol_mint_info,
            owner: from_account_info.key(),
        }
        .invoke()?;

A limitation of the program is that wrapping SOL must be accompanied by an unwrapping operation. However, there is no enforcement to ensure that this condition holds:

If an unwrap operation or any action expecting a valid WSOL account follows, the transaction will fail.
If no unwrap occurs, the debited amount from from_account_info remains locked since the newly created token account cannot be closed using the program’s unwrap instruction. The only way to recover these funds would be through an external token account closure operation.

BVSS

AO:S/AC:L/AX:L/R:N/S:U/C:N/A:L/I:M/D:M/Y:N (1.4)

Recommendation

To address this issue, it is recommended to add a validation to ensure the provided wsol_mint_account corresponds to the native SOL mint.

Remediation Comment

SOLVED: The ZeroEx team solved this issue by adding a validation in:

wrap_sol action, to ensure the provided wsol mint account matches the native mint address.
unwrap_sol action, to ensure the mint associated to the provided wsol account matches the native mint address.

Remediation Hash

https://github.com/0xProject/sol-settler/commit/3909555fad08fcb3e7aad0fd70301d9b8894a8df

7.2 Lack of amount in validation against sell account balance

Informational

Description

The swap_amount_in instruction executes a sequence of actions, each represented as an encoded Cross-Program Invocation (CPI), invoking their respective programs. Each action includes specific parameters encoded within the instruction data, such as amount_in_bps, which helps determine the token amounts involved, along with other execution parameters required for the CPI call.

To efficiently track spendable balances, the program maintains a TokenBalanceCache, which stores token balances (including lamports) available for the program’s use, indexed by each account’s public key. This cached balance is assumed to be nonzero before instruction execution.

The internal balance ledger (intra_program_balances) functions as follows:

Debits balances when tokens are spent.
Credits balances when tokens are received.
Updates occur at the end of each action, after the corresponding CPI execution.

The first entry in intra_program_balances corresponds to the sell account, setting its balance to the provided amount_in value, which represents the spendable amount available for the actions. However, the program does not validate whether amount_in is lower than the actual balance of the sell account.

If amount_in is insufficient relative to the actual balance of the sell account, the instruction will ultimately fail, as at least one action will be unable to execute due to an insufficient token balance. The exact failure point will depend on the amount_in_bps values assigned to each action.

processor/swap_amount_in.rs

 let initial_buy_token_balance = get_token_balance(&accounts[RECEIVING_ACCOUNT_INDEX])?;
    let initial_sell_token_balance = get_token_balance(&accounts[SELL_ACCOUNT_INDEX])?;
    // Start offset at 2 as the first 2 accounts are reserved for the "sell account" and the
    // "receiving account". These accounts must be prepended to the account list as we cannot
    // know where they are in the set of actions (or at the very least it would require overly
    // complex heuristics).
    let mut account_offset: usize = 2;

    // We maintain an internal ledger of token balances (including lamports) available to
    // spend by the program. This internal ledger is debited whenever a token is spent and
    // credited as tokens are received. This credit/debit usually happens at the end of each
    // action after the CPI has been processed.
    let mut intra_program_balances = TokenBalanceCache::new();
    intra_program_balances.insert(*accounts[SELL_ACCOUNT_INDEX].key(), amount_in);

BVSS

AO:S/AC:L/AX:L/R:N/S:U/C:N/A:M/I:N/D:M/Y:N (1.3)

Recommendation

To prevent unexpected failures during execution, it is recommended to validate that amount_in is not lower than the actual balance of the sell account before executing any actions. This ensures that the instruction will not fail mid-execution due to insufficient funds, improving reliability and predictability.

Remediation Comment

SOLVED: The ZeroEx team solved this issue by adding a check to ensure the requested amount in does not exceed the sell account balance.

Remediation Hash

https://github.com/0xProject/sol-settler/commit/3909555fad08fcb3e7aad0fd70301d9b8894a8df

7.3 Improper use of expect() after checked arithmetic leading to uncontrolled panics

Informational

Description

The swap_amount_in instruction and the calculate_token_out_for_sol_in() function utilize expect() immediately after performing checked arithmetic operations. While checked arithmetic functions such as checked_sub are designed to prevent overflows by returning an Option<T>, appending expect() directly forces an immediate panic in case of an overflow, rather than handling the error in a controlled manner.

Using expect() in this context can introduce unnecessary risks and reduce the robustness of the program:

Unexpected Transaction Failures
- If an overflow occurs, expect() will cause the program to panic, leading to an abrupt termination of the instruction.
- This prevents graceful error handling and may result in unintended transaction failures.
Limited Debugging and Error Transparency
- A panic triggered by expect() does not provide structured error handling, making it more difficult to diagnose issues.
- Without meaningful error messages, understanding the cause of a failure may require additional debugging efforts.

processor/swap_amount_in.rs

        let final_sell_token_balance = get_token_balance(&accounts[SELL_ACCOUNT_INDEX])?;
    let final_sell_token_diff = initial_sell_token_balance
        .checked_sub(final_sell_token_balance)
        .expect("overflow");
    if final_sell_token_diff > amount_in {
        return Err(SolSettlerError::MaxAmountInExceeded.into());
    }

    // Assert the amount of tokens received is greater than the minimum expected.
    let final_buy_token_balance = get_token_balance(&accounts[RECEIVING_ACCOUNT_INDEX])?;
    let buy_token_balance_diff = final_buy_token_balance
        .checked_sub(initial_buy_token_balance)
        .expect("overflow");

dexes/pumpfun/accounts.rs

     pub fn calculate_token_out_for_sol_in(&self, amount_in_u128: u128) -> u64 {
        let denominator = u128::from(*self.virtual_sol_reserves())
            .checked_add(amount_in_u128)
            .expect("overflow");
        let ret = u128::from(*self.virtual_token_reserves())
            .checked_mul(amount_in_u128)
            .expect("overflow")
            .checked_div(denominator)
            .expect("overflow");
        u64::try_from(ret).expect("overflow")
    }

BVSS

AO:A/AC:L/AX:L/R:N/S:U/C:N/A:N/I:N/D:N/Y:N (0.0)

Recommendation

To address this issue, it is recommended to replace expect() with structured error-handling mechanisms that provide meaningful feedback and prevent abrupt failures.

Remediation Comment

SOLVED: The ZeroEx team solved this issue by replacing expect() with a structured error-handling mechanism as recommended.

Remediation Hash

https://github.com/0xProject/sol-settler/commit/3909555fad08fcb3e7aad0fd70301d9b8894a8df

8. Automated Testing

Static Analysis Report

Description

Halborn used automated security scanners to assist with the detection of well-known security issues and vulnerabilities. Among the tools used was cargo-audit, a security scanner for vulnerabilities reported to the RustSec Advisory Database. All vulnerabilities published in https://crates.io are stored in a repository named The RustSec Advisory Database. cargo audit is a human-readable version of the advisory database which performs a scanning on Cargo.lock. Security Detections are only in scope. All vulnerabilities shown here were already disclosed in the above report. However, to better assist the developers maintaining this code, the reviewers are including the output with the dependencies tree, and this is included in the cargo audit output to better know the dependencies affected by unmaintained and vulnerable crates.

Results

ID	package	Short Description
RUSTSEC-2024-0344	curve25519-dalek	Timing variability in `curve25519-dalek`'s `Scalar29::sub`/`Scalar52::sub`
RUSTSEC-2022-0093	ed25519-dalek	Double Public Key Signing Function Oracle Attack on `ed25519-dalek`
RUSTSEC-2025-0009	ring	Some AES functions may panic when overflow checking is enabled.

Halborn strongly recommends conducting a follow-up assessment of the project either within six months or immediately following any material changes to the codebase, whichever comes first. This approach is crucial for maintaining the project’s integrity and addressing potential vulnerabilities introduced by code modifications.

1. Introduction
2. Assessment summary
3. Test approach and methodology
4. Risk methodology
5. Scope
6. Assessment summary & findings overview
7. Findings & Tech Details

7.1 Lack of wsol mint validation
7.2 Lack of amount in validation against sell account balance
7.3 Improper use of expect() after checked arithmetic leading to uncontrolled panics