Xyber Sale Solana Program - Xyber

1. Introduction

Xyber engaged Halborn to conduct a security assessment on their xyber-sale program beginning on February 5th, 2026 and ending on February 9th, 2026. The security assessment was scoped to the smart contracts provided in the GitHub repository xyber-ico-solana, commit hashes, and further details can be found in the Scope section of this report.

The Xyber team is releasing a Solana program for conducting an ICO (Initial Coin Offering) of the XYBER token. The program manages the full lifecycle of the token sale, including initialization, round configuration, bucket-based token allocation, SOL and quote asset deposits, deterministic and priceless vesting schedules, token claiming with burn mechanics, and fund withdrawals by the admin.

2. Assessment Summary

Halborn was provided 3 business days for the engagement and assigned one full-time security engineer to review the security of the Solana Programs in scope. The engineer is a blockchain and smart contract security expert with advanced smart contract hacking skills, and deep knowledge of multiple blockchain protocols.

The purpose of the assessment is to:

• Identify potential security issues within the Solana Program.

• Ensure that smart contract functionality operates as intended.

In summary, Halborn identified some improvements to reduce the likelihood and impact of risks, which were addressed by the Xyber team. The main ones were the following:

• Validate bucket vesting type before accepting deposits or creating deterministic vesting configs to prevent funds lock

• Replace set_inner with individual field assignments in setup_bucket to preserve accounting state on re-initialization

• Validate base_period_index bounds in vesting plan setup to prevent panics or silent zero allocations

• Implement two-step ownership transfer for the multisig role to prevent irreversible loss of program control

• Validate time parameters in round setup to prevent misconfigured rounds

• Handle equal claim and burn ratios explicitly in remainder distribution to prevent silent burn bias

• Validate base_mint against a hardcoded address to prevent configuration of an incorrect ICO token

• Validate price and exponent parameters in quote mint configuration to prevent temporal denial of service

• Centralize all PDA seed strings in the constants module to prevent typos and ensure consistency

3. Test Approach and Methodology

Halborn performed a combination of manual review and security testing based on scripts to balance efficiency, timeliness, practicality, and accuracy in regard to the scope of this assessment. While manual testing is recommended to uncover flaws in logic, process, and implementation; automated testing techniques help enhance coverage of the code and can quickly identify items that do not follow the security best practices. The following phases and associated tools were used during the assessment:

• Research into architecture and purpose.

• Differences analysis using GitLens to have a proper view of the differences between the mentioned commits

• Graphing out functionality and programs logic/connectivity/functions along with state changes