Fair Casino · Smart Contract Security Assessment

Fair Casino Solana Vault Program

Zealynx audited the Fair Casino Solana vault program, a non-custodial token custody and withdrawal-management system using PDA-based vaults, Ed25519 signature verification via instruction introspection, replay protection, and two-step authority transfers. The two-week review identified 5 issues including 1 High (initialization frontrunning enabling complete vault takeover) and 1 Medium (missing token account constraints). All findings were fixed and verified.

Solana · Rust · Smart Contract Code Review · 2026-01-19 · Zealynx methodology
Total findings: 5 (5 fixed)
Critical: 0 · High: 1 · Medium: 1 · Low + Info: 3

02 · Scope

Files: 1 file · 280 SLOC
Initial commit: 955864f390f5
Platform: Solana · Rust
File: solana-program/lib.rs
03 · Findings

04 · Key Findings

  • Missing vault initialization authorization enables complete takeover. The initialize_vault function does not validate the caller's identity, allowing anyone to become the vault authority. Since Solana programs require manual initialization, an attacker who frontruns the legitimate deployment can gain complete control over the vault including all administrative operations and user deposits with no recovery mechanism.
  • Missing token account constraints lead to potential unauthorized transfers. The ProcessWithdrawal instruction context fails to validate critical properties of the token accounts used in withdrawal operations. Specifically, vault_token_account and recipient_token_account lack constraints verifying ownership and mint matching, creating opportunities for confusion attacks and potential transfers of unintended token types.
  • Single-step authority transfer risks permanent loss of control. The vault implements authority transfer functions that immediately transfer control in a single transaction without requiring confirmation from the new authority. A single typographical error during authority transfer can result in permanent loss of vault control and all deposited funds with no recovery mechanism.
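As an added example, not code from the Fair Casino program or from the audit, the following dependency-free Rust model shows the three hardening checks the findings above call for: an initializer gate that defeats frontrunning, owner and mint constraints on the withdrawal token accounts, and a propose/accept (two-step) authority transfer. The Vault fields, the expected_deployer parameter and the [u8; 32] stand-in for a Pubkey are assumptions made so the model compiles stand-alone without the Anchor account machinery.

```rust
// Constructed model of the vault checks; Pubkeys are plain 32-byte arrays here.
pub type Pubkey = [u8; 32];

#[derive(Debug, PartialEq)]
pub enum VaultError { Unauthorized, AlreadyInitialized, WrongOwner, WrongMint, NoPendingAuthority }

/// The two token-account fields ProcessWithdrawal must constrain (assumed shape).
pub struct TokenAccount { pub owner: Pubkey, pub mint: Pubkey }

#[derive(Default)]
pub struct Vault {
    pub authority: Pubkey,
    pub pending_authority: Option<Pubkey>,
    pub mint: Pubkey,
    pub initialized: bool,
}

impl Vault {
    /// Hardened initialize_vault: only the expected deployer (e.g. an address fixed at
    /// build time) may initialize, so a frontrunner cannot become the authority.
    pub fn initialize(&mut self, expected_deployer: &Pubkey, signer: &Pubkey, mint: Pubkey) -> Result<(), VaultError> {
        if self.initialized { return Err(VaultError::AlreadyInitialized); }
        if signer != expected_deployer { return Err(VaultError::Unauthorized); }
        self.authority = *signer; self.mint = mint; self.initialized = true;
        Ok(())
    }

    /// Token-account constraints for a withdrawal: the vault's token account must be owned
    /// by the vault PDA, and both accounts must hold the vault's mint (no cross-mint transfers).
    pub fn check_withdrawal_accounts(&self, vault_pda: &Pubkey, vault_ta: &TokenAccount, recipient_ta: &TokenAccount) -> Result<(), VaultError> {
        if vault_ta.owner != *vault_pda { return Err(VaultError::WrongOwner); }
        if vault_ta.mint != self.mint || recipient_ta.mint != self.mint { return Err(VaultError::WrongMint); }
        Ok(())
    }

    /// Two-step transfer, step 1: the current authority nominates a successor; nothing changes yet.
    pub fn propose_authority(&mut self, signer: &Pubkey, new_authority: Pubkey) -> Result<(), VaultError> {
        if *signer != self.authority { return Err(VaultError::Unauthorized); }
        self.pending_authority = Some(new_authority);
        Ok(())
    }

    /// Step 2: only the nominated key can accept, so a mistyped address cannot take control.
    pub fn accept_authority(&mut self, signer: &Pubkey) -> Result<(), VaultError> {
        match self.pending_authority {
            Some(p) if p == *signer => { self.authority = p; self.pending_authority = None; Ok(()) }
            Some(_) => Err(VaultError::Unauthorized),
            None => Err(VaultError::NoPendingAuthority),
        }
    }
}
```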
05 · Team & approval

Lead Auditor: Carlos (Bloqarl), @TheBlockChainer
Auditor: Stephen, @derastephh
06 · Disclaimer

This audit is not an endorsement and does not constitute investment advice. Zealynx reviewed the codebase at the commits listed in section 02 over the engagement window. Findings are limited to issues identified within that scope and do not preclude the existence of other vulnerabilities. Subsequent code changes are not covered by this report unless the engagement is explicitly extended.

ZEALYNX SECURITY · published 2026-01-19