Kora
solana-paymaster-service
Audit lifecycle
Public reports represent completed engagements with finalized deliverables.
Scheduled (completed): Scope, timeline, and review plan were agreed.
In Progress (completed): Manual review and verification work were carried out.
Completed (current stage): The engagement wrapped with a published final report.
Executive Summary
High-level assessment and conclusions
A concise overview of the audit scope, core findings, and the key outcomes from the engagement.
The Solana Foundation engaged Runtime Verification, Inc. to audit the Kora protocol and its infrastructure. The audit aimed to review the Rust-based business logic and implementation to identify potential malfunctions or security vulnerabilities.
Kora is a Solana paymaster service enabling fee abstraction and gasless transactions, allowing users to pay fees in tokens other than SOL. Operators cover network fees in SOL and receive alternative tokens in return. The system includes a Rust-based JSON-RPC server, multi-signer pool support, configurable pricing, and fine-grained access control via allowlists and fee payer policies.
Conducted over eight weeks, September 3rd to October 29th, the audit included a design review, manual code review, threat modeling, fuzz testing, and automated static analysis to assess security-critical invariants and identify potential vulnerabilities and code quality issues.
Reports
Download the audit artifacts
Access the published PDF deliverables associated with this engagement.
PDF report 1
Kora.pdf
Download the published report for this engagement.