Fair Labs · Smart Contract Security Assessment · Fair Labs Client Hub

Fair Casino Swap Pentest

Zealynx ran a four-day follow-on phase covering the Fair Casino SOL→FAIR swap flow (Jupiter DEX integration, quote retrieval, unsigned-transaction building, and the client-side fairSwapSafety allowlist). Two High severity issues were identified, both in the WebSocket layer the frontend uses to confirm swap and deposit completion: the UI trusted balance_update events as authoritative without server-truth confirmation (enabling UI balance spoofing), and deposit_confirmed events could be spoofed client-side (causing false deposit confirmations). Both findings were fixed by Fair Casino and verified by Zealynx.

Typescript · Smart Contract Code Review · 2026-01-27 · Zealynx methodology
Total findings: 2 (2 fixed)
Critical: 0 · High: 2 · Medium: 0 · Low + Info: 0

02 Scope

6 files · 1,500 SLOC
Initial commit: 61b0800777e7
Platform: not listed · Typescript
Files in scope:
backend/api/fair/quote
backend/api/fair/swap
backend/services/price-feed
frontend/fairSwapSafety
backend/websocket/balance-events
backend/websocket/deposit-events
03 Findings

04 Key Findings

  • Frontend trusts WebSocket balance_update events as authoritative, enabling UI balance spoofing (H-01, fixed). The frontend accepted balance_update WebSocket events and updated the displayed balance without validating message authenticity, session binding, or server truth. An attacker able to inject or modify WebSocket traffic could set newBalance to any value and make the UI display a fabricated balance, leaving the displayed state out of sync with the server's ledger.
  • WebSocket deposit_confirmed events can be spoofed client-side, causing false deposit confirmations (H-02, fixed). The frontend blindly trusted deposit_confirmed WebSocket events and immediately updated UI state (balance, deposit status, notifications) without verifying that the message originated from the trusted server or that the deposit corresponded to an on-chain transaction. Injecting a crafted event with an arbitrary txHash and amount triggered false deposit notifications and balance updates.

Both findings were fixed by Fair Casino and verified by Zealynx. The mitigation in both cases makes WebSocket events advisory rather than authoritative: the UI now triggers an authoritative API fetch (GET /api/user/balance, GET /api/deposits/{txHash}) when a relevant event arrives, and updates state only after server truth is confirmed.
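The pattern below is an added example, not Fair Casino's code: the pre-fix handler that copies event payloads into UI state (the root of H-01 and H-02) next to the advisory-event handler the report describes, where the event only triggers a fetch against server truth. The endpoint paths GET /api/user/balance and GET /api/deposits/{txHash} are the ones named in the report; the event shapes, response shapes, txHash format check and the fake backend are assumptions made for the example.

```typescript
// Added example (not Fair Casino's code). Models the fix for H-01/H-02:
// WebSocket events are advisory hints that trigger an authoritative fetch,
// and UI state changes only from the server's answer. Endpoint paths come
// from the report; event/response shapes and txHash format are assumptions.

type WsEvent =
  | { type: "balance_update"; newBalance: number }
  | { type: "deposit_confirmed"; txHash: string; amount: number };

export interface UiState {
  balance: number;
  confirmedDeposits: string[];
  notifications: string[];
}

export interface DepositRecord {
  status: "pending" | "confirmed";
  amount: number;
}

// Assumed server-truth client for the two endpoints named in the report.
export interface ServerApi {
  getBalance(): Promise<{ balance: number }>; // GET /api/user/balance
  getDeposit(txHash: string): Promise<DepositRecord | null>; // GET /api/deposits/{txHash}
}

function parseEvent(raw: string): WsEvent | null {
  try {
    return JSON.parse(raw) as WsEvent;
  } catch {
    return null; // malformed frame: ignore instead of throwing inside the socket handler
  }
}

// Pre-fix handler: whatever arrives on the socket becomes UI state (H-01, H-02).
export function applyEventUnsafe(state: UiState, raw: string): UiState {
  const ev = parseEvent(raw);
  if (ev === null) return state;
  switch (ev.type) {
    case "balance_update":
      return { ...state, balance: ev.newBalance };
    case "deposit_confirmed":
      return {
        balance: state.balance + ev.amount,
        confirmedDeposits: [...state.confirmedDeposits, ev.txHash],
        notifications: [...state.notifications, `Deposit of ${ev.amount} confirmed`],
      };
    default:
      return state;
  }
}

// Assumed shape of a Solana transaction signature: base58, at most 88 characters.
const TX_HASH_RE = /^[1-9A-HJ-NP-Za-km-z]{64,88}$/;

// Post-fix handler: the event only says "go and ask the server"; its payload
// values (newBalance, amount) are never copied into state.
export async function applyEventSafe(state: UiState, raw: string, api: ServerApi): Promise<UiState> {
  const ev = parseEvent(raw);
  if (ev === null) return state;
  switch (ev.type) {
    case "balance_update": {
      const truth = await api.getBalance();
      return { ...state, balance: truth.balance };
    }
    case "deposit_confirmed": {
      if (typeof ev.txHash !== "string" || !TX_HASH_RE.test(ev.txHash)) return state;
      if (state.confirmedDeposits.includes(ev.txHash)) return state; // replayed event
      const dep = await api.getDeposit(ev.txHash);
      if (dep === null || dep.status !== "confirmed") return state; // unknown to the server, or not final yet
      const truth = await api.getBalance();
      return {
        balance: truth.balance,
        confirmedDeposits: [...state.confirmedDeposits, ev.txHash],
        notifications: [...state.notifications, `Deposit of ${dep.amount} confirmed`], // server's amount, not the event's
      };
    }
    default:
      return state;
  }
}

// Constructed stand-in for the backend: a fixed ledger balance and the deposits
// the server knows about. Nothing here touches the network.
export function makeFakeServer(balance: number, deposits: Record<string, DepositRecord>): ServerApi {
  return {
    getBalance: async () => ({ balance }),
    getDeposit: async (txHash) => deposits[txHash] ?? null,
  };
}

export const initialState: UiState = { balance: 10, confirmedDeposits: [], notifications: [] };
export const realTx = "B".repeat(87);

// Constructed frames, as an attacker on the socket path could inject them.
export const spoofedBalance = JSON.stringify({ type: "balance_update", newBalance: 1000000 });
export const spoofedDeposit = JSON.stringify({ type: "deposit_confirmed", txHash: "A".repeat(88), amount: 5000 });
// A genuine deposit event whose amount was tampered with in transit.
export const tamperedDeposit = JSON.stringify({ type: "deposit_confirmed", txHash: realTx, amount: 999 });

export async function demo(): Promise<{ unsafeBalance: number; safeBalance: number; safeSpoofedDeposit: UiState; safeRealDeposit: UiState }> {
  const server = makeFakeServer(15, { [realTx]: { status: "confirmed", amount: 5 } });
  return {
    unsafeBalance: applyEventUnsafe(initialState, spoofedBalance).balance,
    safeBalance: (await applyEventSafe(initialState, spoofedBalance, server)).balance,
    safeSpoofedDeposit: await applyEventSafe(initialState, spoofedDeposit, server),
    safeRealDeposit: await applyEventSafe(initialState, tamperedDeposit, server),
  };
}
```

With the fake server holding a ledger balance of 15, the unsafe handler displays 1,000,000 after the spoofed balance frame, while the safe handler displays 15; the spoofed deposit leaves the safe state untouched because the server has no record of that txHash, and the tampered deposit is confirmed with the server's amount (5), not the 999 carried in the frame. The txHash format check and the replay guard are cheap, but the property that matters is that no numeric field from the socket ever reaches the UI.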

05 Team & approval

Lead Auditor: Fernando (@0xMrjory)
06 Disclaimer

This audit is not an endorsement and does not constitute investment advice. Zealynx reviewed the codebase at the commits listed in section 02 over the engagement window. Findings are limited to issues identified within that scope and do not preclude the existence of other vulnerabilities. Subsequent code changes are not covered by this report unless the engagement is explicitly extended.

Full report available as PDF (22 pages).
ZEALYNX SECURITY · published 2026-01-27 · 2 findings · Typescript