Anza Technology, Inc.
June 30, 2025
Pinocchio and p-token
Findings
Impact Level: Count
Critical: 1
High: 3
Medium: 1
Low: 3
Informational: 1
Prepared by
Nathanial Lattimer, Engineer
Maik Robert, Engineer
Avraham Weinstock, Engineer
About

Anza Technology, Inc. contributed the following description of Pinocchio and p-token:

Pinocchio is a zero-dependency library to create Solana programs in Rust. It takes advantage of the way SVM loaders serialize the program input parameters into a byte array that is then passed to the program's entrypoint to define zero-copy types to read the input. Since the communication between a program and SVM loader is done via a byte array, Pinocchio defines its own types to mitigate dependency issues.

p-token is a reimplementation of the SPL Token program using Pinocchio. The purpose is to have an implementation that optimizes the compute units, while being fully compatible with the original implementation — i.e., support the exact same instruction and account layouts as SPL Token, byte for byte.

Executive Summary

Zellic conducted a security assessment for Anza Technology, Inc. from May 27th to June 16th, 2025. During this engagement, Zellic reviewed Pinocchio and p-token's code for security vulnerabilities, design issues, and general weaknesses in security posture.

Zellic © 2025