Kora
solana-paymaster-service
Executive Summary
The Solana Foundation engaged Runtime Verification, Inc. to audit the Kora protocol and its infrastructure. The audit aimed to review the Rust-based business logic and implementation to identify potential malfunctions or security vulnerabilities.
Kora is a Solana paymaster service enabling fee abstraction and gasless transactions, allowing users to pay fees in tokens other than SOL. Operators cover network fees in SOL and receive alternative tokens in return. The system includes a Rust-based JSON-RPC server, multi-signer pool support, configurable pricing, and fine-grained access control via allowlists and fee payer policies.
Conducted over eight weeks, from September 3rd to October 29th, the audit included a design review, manual code review, threat modeling, fuzz testing, and automated static analysis to assess security-critical invariants and identify potential vulnerabilities and code quality issues.