
Fair Casino is an online gaming platform built on a non-custodial architecture: user deposits sit in a Program Derived Address (PDA)-controlled vault on Solana, and the platform processes authorized withdrawals through Ed25519 signature verification. The TypeScript backend coordinates the off-chain side, handling deposits, atomic balance mutations with idempotency guarantees, provably-fair game outcomes via commit-reveal, and withdrawal authorization with challenge signing. Visit fair.lol.
Zealynx audited the Fair Casino TypeScript backend services and frontend verification utilities. The fourteen-day review covered critical money flows (deposits, withdrawals, atomic balance mutations) and the provably-fair game integrity surface (commit-reveal cryptography, seed derivation, server-side game state). Thirteen issues were identified: four High (wallet auth DoS via unstable challenge endpoint; deposit credited to wrong user via sender inference fallback; provably-fair guarantees weakened when client omits seed; server can choose serverSeed after seeing clientSeed), six Medium (mostly around WebSocket subscription enforcement, input validation, and verification consistency), and three Low. All findings were fixed by Fair Casino and verified by Zealynx.
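Two of the High findings above concern the ordering of a commit-reveal round: the server must be bound to its serverSeed before it sees the clientSeed, and the client must actually contribute a seed. The following TypeScript is an added illustration of what a correct round and its client-side verification look like; it is not Fair Casino's code or part of the Zealynx report. The record shape (RoundRecord), the HMAC-SHA256 outcome derivation, and the constructed seed strings are assumptions made for this example.

```typescript
import { createHash, createHmac, timingSafeEqual } from "crypto";

// A client's own record of one provably-fair round. Every field is what the
// client observed, so verification never relies on the server's claimed order.
// (Hypothetical shape for this example.)
export interface RoundRecord {
  commitmentSeenBeforeClientSeed: string; // sha256(serverSeed) stored BEFORE the client sent its seed
  clientSeed: string;                      // seed the client chose
  clientSeedProvidedByClient: boolean;     // false if the server filled in a default
  nonce: number;                           // per-bet counter under this seed pair
  revealedServerSeed: string;              // server's reveal at the end of the round
  reportedOutcome: number;                 // outcome the server reported, in [0, 1)
}

export interface VerifyResult { ok: boolean; reason?: string; }

export function sha256Hex(input: string): string {
  return createHash("sha256").update(input, "utf8").digest("hex");
}

// Server step 1: publish the commitment. serverSeed must come from a CSPRNG
// (e.g. randomBytes(32)) and must never change once this hash is sent.
export function commitToServerSeed(serverSeed: string): string {
  return sha256Hex(serverSeed);
}

// Outcome derivation (assumed scheme): HMAC-SHA256 keyed by serverSeed over
// "clientSeed:nonce", first 4 bytes mapped to [0, 1). Either party can
// recompute it once the server seed is revealed.
export function deriveOutcome(serverSeed: string, clientSeed: string, nonce: number): number {
  const digest = createHmac("sha256", serverSeed).update(`${clientSeed}:${nonce}`).digest();
  return digest.readUInt32BE(0) / 4294967296;
}

function hexEquals(a: string, b: string): boolean {
  const ba = Buffer.from(a, "hex");
  const bb = Buffer.from(b, "hex");
  return ba.length === bb.length && timingSafeEqual(ba, bb);
}

// Client-side verification of a finished round.
export function verifyRound(r: RoundRecord): VerifyResult {
  // Finding mirrored: if the client omitted its seed, the server controlled both inputs.
  if (!r.clientSeedProvidedByClient || r.clientSeed.length === 0) {
    return { ok: false, reason: "client seed was not chosen by the client" };
  }
  // The commitment must have been recorded before the client seed left the client.
  if (!/^[0-9a-f]{64}$/.test(r.commitmentSeenBeforeClientSeed)) {
    return { ok: false, reason: "no well-formed commitment recorded before client seed was sent" };
  }
  // Finding mirrored: a server that picked serverSeed after seeing clientSeed
  // cannot produce a reveal that hashes to the earlier commitment.
  if (!hexEquals(sha256Hex(r.revealedServerSeed), r.commitmentSeenBeforeClientSeed)) {
    return { ok: false, reason: "revealed server seed does not match the commitment" };
  }
  const recomputed = deriveOutcome(r.revealedServerSeed, r.clientSeed, r.nonce);
  if (recomputed !== r.reportedOutcome) {
    return { ok: false, reason: "reported outcome does not match recomputed outcome" };
  }
  return { ok: true };
}

// One honest round and two dishonest variants, using constructed seeds.
export function runDemo() {
  const serverSeed = "constructed-server-seed-0001";   // constructed; real servers use randomBytes
  const commitment = commitToServerSeed(serverSeed);   // sent to the client first
  const clientSeed = "constructed-client-seed";        // sent only after the client stored the commitment
  const nonce = 1;
  const outcome = deriveOutcome(serverSeed, clientSeed, nonce);

  const honest: RoundRecord = {
    commitmentSeenBeforeClientSeed: commitment, clientSeed, clientSeedProvidedByClient: true,
    nonce, revealedServerSeed: serverSeed, reportedOutcome: outcome,
  };
  // Server substituted a seed after seeing clientSeed: reveal no longer matches the commitment.
  const swappedSeed = "constructed-server-seed-0002";
  const swapped: RoundRecord = {
    ...honest, revealedServerSeed: swappedSeed,
    reportedOutcome: deriveOutcome(swappedSeed, clientSeed, nonce),
  };
  // Client omitted its seed and the server filled in a default: no independent input.
  const omitted: RoundRecord = {
    ...honest, clientSeed: "server-default", clientSeedProvidedByClient: false,
    reportedOutcome: deriveOutcome(serverSeed, "server-default", nonce),
  };

  return { honest: verifyRound(honest), swapped: verifyRound(swapped), omitted: verifyRound(omitted), outcome };
}
```

The essential property is that the client stores the commitment before it sends its seed; a server that learns the client seed first cannot retroactively produce a serverSeed matching a hash the client already holds. Rejecting a server-supplied default seed keeps the second input genuinely outside the server's control.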
Zealynx ran a four-day follow-on phase covering the Fair Casino SOL→FAIR swap flow (Jupiter DEX integration, quote retrieval, unsigned-transaction building, and the client-side fairSwapSafety allowlist). Two High severity issues were identified, both in the WebSocket layer the frontend uses to confirm swap and deposit completion: the UI trusted balance_update events as authoritative without server-truth confirmation (enabling UI balance spoofing), and deposit_confirmed events could be spoofed client-side (causing false deposit confirmations). Both findings were fixed by Fair Casino and verified by Zealynx.
Zealynx audited the Fair Casino Solana vault program, a non-custodial token custody and withdrawal-management system using PDA-based vaults, Ed25519 signature verification via instruction introspection, replay protection, and two-step authority transfers. The two-week review identified five issues, including one High (initialization frontrunning enabling complete vault takeover) and one Medium (missing token account constraints). All findings were fixed and verified.
When someone asks “is Fair Labs really audited?”, this is the page to send them. Every engagement we’ve delivered, in one place, with the artifacts.