Prepared by:
HALBORN
Last Updated 01/14/2026
Date of Engagement: December 16th, 2025 - January 6th, 2026
Summary
100% of all REPORTED Findings have been addressed
All findings
14
Critical
1
High
1
Medium
3
Low
4
Informational
5
Table of Contents
1. Introduction
Splyce engaged Halborn to conduct a security assessment of the nav-oracle and stoken programs from December 16th, 2025 to January 5th, 2026. The security assessment was scoped to the smart contracts provided in the GitHub repository splyce-solana-s-token; commit hashes and further details can be found in the Scope section of this report.
The S-Token program is a tokenized vault system on Solana designed for institutional-grade asset management through a configurable multi-vault architecture. It allows users to deposit underlying SPL tokens and receive proportional share tokens representing ownership in a vault, with support for both public and whitelist-restricted access. The system includes configurable fees, deposit and withdrawal flows with safety limits, indexed withdrawal request queues with cooldowns and penalties, cross-vault share swaps, emergency pause and withdrawal mechanisms, and role-based access control across multiple authorities such as managers, processors, oracles, accountants, and asset managers.
The NAV Oracle program complements the S-Token system by providing secure and authoritative price updates for vaults. Authorized NAV providers submit external asset valuations, which are combined with on-chain vault balances to compute the total Net Asset Value (NAV) and update vault prices via cross-program invocations. The program enforces strict account and ownership validation, uses fixed-point arithmetic for precise price calculations, emits detailed on-chain events for monitoring, and separates authority and provider roles to reduce trust assumptions.
It should be noted that changes made during the remediation phase that do not directly address the identified issues are considered out of scope for this security assessment.
2. Assessment Summary
Halborn was provided 16 days for the engagement and assigned 1 full-time security engineer to review the security of the Solana Program in scope. The engineer is blockchain and smart contract security expert with advanced smart contract hacking skills, and deep knowledge of multiple blockchain protocols.
The purpose of the assessment is to:
Identify potential security issues within the Solana Program.
Ensure that smart contract functionality operates as intended.
In summary, Halborn identified some improvements to reduce the likelihood and impact of risks, which were mostly addressed by the Splyce team. The main ones were the following:
Defined the swap fee as an explicit field in the vault configuration and request and validate during the vault initialization.Track penalties at the vault level instead of minting shares, applying them via fee calculations.Introduce a mechanism to cancel or update pending proposals before the cooldown period expires.Add a validation in cancel_withdraw and deposit to ensure the provided user token account is the canonical associated token account (ATA) of the user.Add a validation to ensure the calculated total share amount to be minted to the user is greater than 0.
3. SCOPE
- programs/stoken/src/constants.rs
- programs/stoken/src/errors.rs
- programs/stoken/src/events.rs
4. Findings Overview
| Security analysis | Risk level | Remediation |
|---|---|---|
| Lack of validation may result in Users bypassing swap fees payment | Critical | Solved - 01/09/2026 |
| Withdrawal Cancellation Penalty Can Be Exploited to Mint Unbacked Shares | High | Solved - 01/09/2026 |
| Inability to Modify or Cancel Pending Proposals | Medium | Solved - 12/26/2025 |
| Incomplete validation may Allow Bypass of max shares per user | Medium | Solved - 01/13/2026 |
| Missing Output Validation May Lead to Irreversible Loss of User Funds in multiple instructions | Medium | Solved - 01/09/2026 |
| Lack of Two-Step Verification for Critical Role Updates | Low | Solved - 12/22/2025 |
| Risk of front-running during programs initialization | Low | Solved - 01/10/2026 |
| Emergency Withdraw Does Not Update Vault Accounting Leading to Inconsistencies Upon Resuming Operations | Low | Risk Accepted - 01/12/2026 |
| Centralized Trust Assumptions and Missing Safety Validations | Low | Risk Accepted - 01/13/2026 |
| Insufficient Account and Mint Validation in emergency withdraw Instruction | Informational | Acknowledged - 01/12/2026 |
| Missing Source Amount and Balance Validations in swap tokens | Informational | Partially Solved - 01/10/2026 |
| Multiple issues in propose_roles instruction | Informational | Partially Solved - 01/13/2026 |
| Insufficient Parameter Validation in initialize_vault instruction | Informational | Solved - 12/27/2025 |
| Nav provider missing validation during nav oracle initialization | Informational | Solved - 12/22/2025 |
Halborn strongly recommends conducting a follow-up assessment of the project either within six months or immediately following any material changes to the codebase, whichever comes first. This approach is crucial for maintaining the project’s integrity and addressing potential vulnerabilities introduced by code modifications.
Table of Contents
// Download the full report
S-Token Solana Protocol
* Use Google Chrome for best results
** Check "Background Graphics" in the print settings if needed