Prepared by:
HALBORN
Last Updated 08/15/2025
Date of Engagement: June 30th, 2025 - July 25th, 2025
100% of all REPORTED Findings have been addressed
All findings
14
Critical
0
High
0
Medium
2
Low
4
Informational
8
Rain Protocol engaged Halborn to conduct a security assessment of the bank and defi-lending programs from June 30th to July 25th, 2025. The security assessment was scoped to the smart contracts provided in the GitHub repository rain-v2, commit hashes and further details can be found in the Scope section of this report.
Rain Protocol is a modular lending platform composed of two programs Bank and Defi-Lending. The Bank program enables users to create either shared or personal banks, where liquidity providers (LPs) can deposit funds that are either borrowed by lending pools or delegated to MarginFi Protocol. The Defi-Lending program provides the core lending mechanism for facilitating loans, repayments, loan extensions, and liquidations through the use of pools. It also enables borrowers to repay their loans by selling collateral directly for the borrowed amount. A distinctive feature of the protocol is its time based liquidation model, where loans are liquidated strictly based on their expiration time, rather than the supplied collateral simplifying the liquidation logic.
Halborn was provided 4 weeks for the engagement and assigned 3 full-time security engineers to review the security of the Solana Programs in scope. The engineers are blockchain and smart contract security experts with advanced smart contract hacking skills, and deep knowledge of multiple blockchain protocols.
The purpose of the assessment is to:
Identify potential security issues within the Solana Program.
Ensure that smart contract functionality operates as intended.
In summary, Halborn identified some improvements to reduce the likelihood and impact of risks, which were mostly addressed by the Rain Protocol team. The main ones were the following:
Introduce a prior validation of the 'is_compounding_enabled' flag from the pool configuration before invoking 'pool.new_loan' in extend_loan.
Iterate over the provided 'currency' vector during pool creation and explicitly validate each entry by calling the 'is_correct' method.
Provide the corresponding bank's token program to the 'repay' CPI call.
Reorder the logic in deposit function in the vault to perform the validation before modifying the 'deposited' field ensuring the unlimited deposit case is still allowed.
Add a validation in 'check_swap_instruction' to ensure the provided destination token account to the swap matches the 'quote_vault'.
Add a validation to forbid delegate operations in shared banks.
Halborn performed a combination of a manual review of the source code and automated security testing to balance efficiency, timeliness, practicality, and accuracy in regard to the scope of the program assessment. While manual testing is recommended to uncover flaws in business logic, processes, and implementation; automated testing techniques help enhance coverage of programs and can quickly identify items that do not follow security best practices.
The following phases and associated tools were used throughout the term of the assessment:
Research into the architecture, purpose, and use of the platform.
Manual program source code review to identify business logic issues.
Mapping out possible attack vectors.
Thorough assessment of safety and usage of critical Rust variables and functions in scope that could lead to arithmetic vulnerabilities.
Scanning dependencies for known vulnerabilities (cargo audit).
Local runtime testing (anchor test).
| EXPLOITABILITY METRIC () | METRIC VALUE | NUMERICAL VALUE |
|---|---|---|
| Attack Origin (AO) | Arbitrary (AO:A) Specific (AO:S) | 1 0.2 |
| Attack Cost (AC) | Low (AC:L) Medium (AC:M) High (AC:H) | 1 0.67 0.33 |
| Attack Complexity (AX) | Low (AX:L) Medium (AX:M) High (AX:H) | 1 0.67 0.33 |
| IMPACT METRIC () | METRIC VALUE | NUMERICAL VALUE |
|---|---|---|
| Confidentiality (C) | None (C:N) Low (C:L) Medium (C:M) High (C:H) Critical (C:C) | 0 0.25 0.5 0.75 1 |
| Integrity (I) | None (I:N) Low (I:L) Medium (I:M) High (I:H) Critical (I:C) | 0 0.25 0.5 0.75 1 |
| Availability (A) | None (A:N) Low (A:L) Medium (A:M) High (A:H) Critical (A:C) | 0 0.25 0.5 0.75 1 |
| Deposit (D) | None (D:N) Low (D:L) Medium (D:M) High (D:H) Critical (D:C) | 0 0.25 0.5 0.75 1 |
| Yield (Y) | None (Y:N) Low (Y:L) Medium (Y:M) High (Y:H) Critical (Y:C) | 0 0.25 0.5 0.75 1 |
| SEVERITY COEFFICIENT () | COEFFICIENT VALUE | NUMERICAL VALUE |
|---|---|---|
| Reversibility () | None (R:N) Partial (R:P) Full (R:F) | 1 0.5 0.25 |
| Scope () | Changed (S:C) Unchanged (S:U) | 1.25 1 |
| Severity | Score Value Range |
|---|---|
| Critical | 9 - 10 |
| High | 7 - 8.9 |
| Medium | 4.5 - 6.9 |
| Low | 2 - 4.4 |
| Informational | 0 - 1.9 |
Critical
0
High
0
Medium
2
Low
4
Informational
8
| Security analysis | Risk level | Remediation Date |
|---|---|---|
| Exposure validation may overestimate available liquidity due to included unavailable interest | Medium | Solved - 07/31/2025 |
| Lack of validation of the vector currencies during pool creation | Medium | Solved - 08/01/2025 |
| Inconsistent Token Program Alignment Can Break Liquidations | Low | Solved - 07/31/2025 |
| Max deposit enforcement may fail due to early state mutation | Low | Solved - 07/31/2025 |
| Missing validation of swap destination token account may lead to loan loss | Low | Partially Solved - 07/31/2025 |
| Allowing delegation in shared banks may lead to withdrawal abuse and unfair loss distribution | Low | Solved - 07/31/2025 |
| Lack of validation for token 2022 extensions | Informational | Acknowledged - 08/06/2025 |
| Multiple missing validations could lead to program panic | Informational | Solved - 07/31/2025 |
| Missing validation on withdrawal window during vault update can block withdrawals | Informational | Solved - 07/31/2025 |
| Missing validation in config updates can block new pool creation | Informational | Solved - 07/31/2025 |
| Incomplete validation during admins and managers addition | Informational | Solved - 07/31/2025 |
| Unnecessary Account included in margin_swap_standalone Instruction | Informational | Acknowledged - 08/01/2025 |
| Fee account not enforced as canonical associated token account | Informational | Acknowledged - 08/01/2025 |
| Unused quote field adds redundancy in quote struct | Informational | Acknowledged - 08/01/2025 |
//Medium
//Medium
//Low
//Low
//Low
//Low
//Informational
//Informational
//Informational
//Informational
//Informational
//Informational
//Informational
//Informational
Halborn strongly recommends conducting a follow-up assessment of the project either within six months or immediately following any material changes to the codebase, whichever comes first. This approach is crucial for maintaining the project’s integrity and addressing potential vulnerabilities introduced by code modifications.
// Download the full report
Rain v2
* Use Google Chrome for best results
** Check "Background Graphics" in the print settings if needed
