Solana Auditing and Security Resources

A collection of resources to study Solana smart contract security, auditing, and exploits.

Foundations 📚

• Armani Sealevel Attacks and How to avoid them in Anchor
  • Summary Thread by pencilflip - use Anchor attributes, constraints and types, it will make your life easier!
• Armani Tips on Developing Secure Solana Programs
  • Be wary of UncheckedAccount and AccountInfo - check them properly!
• CMichel How to become a smart contract auditor
  • Targeted at ETH folks but contains general advice
• DeFi MOOC samczsun Practical Smart Contract Security
  • Great intro to smart contract security that provides an overview of a large surface area of attacks. Mostly ETH-based but also covers a cross-chain BTC/ETH exploit, and contains lots of concepts that carry over to Solana
• Kudelski Solana Program Security
  • A high-level overview of ownership and data validation
• Neodyme Common Pitfalls
  • Check owner, check signer, check account data, be careful of integer over/underflow, verify invoke_signed(), and use Anchor (unless you have a good reason not to), e.g. account confusions are prevented in Anchor by implicitly assigning each #[account] a type with an 8-byte identifier
• Neodyme Solana Security Workshop Exercises and Solutions
  • Corresponding exercises to the common pitfalls mentioned in the blog post
• Neodyme Thinking Like An Attacker Workshop Recording
  • A quick rundown of the PoC framework and an explanation of Level 0 of the challenge
• OtterSec Solana from an Auditor’s perspective
  • A bottoms-up introduction to Solana's Execution and Programming Model from a security perspective
• Sec3 Arithmetic Overflow and Underflow
  • Don't use +, - , /, * operations, check arithmetic operations for overflow and underflow!
• Sec3 How to Audit Part 1: A Systematic Approach
  • A high-level overview of common attack surfaces and questions to ask as an auditor
• Sec3 How to Audit Part 2: using automated tools to find vulnerabilities
  • An outline of tools that can automatically scan your code for vulnerabilities, unsafe Rust, and spelling. More security tools are needed!
• Sec3 How to Audit Part 3: Penetration Testing
  • How to execute a proof of concept for an attack with Neodyme's PoC framework
• Sec3 How to Audit Part 4: Anchor
  • How Anchor's #[program] , #[derive(Accounts)] and #[account]work under-the-hood
• Sec3 Owner and Signer Check
  • Check the owner and check the signer! Use #[account] and Signer<'info> to prevent this
• Solend Auditing Workshop
  • Known attacks from ETH and how they carry over to Solana + auditing methodology
• Trail of Bits DeFi Security Success Stories
  • ETH-focused but broadly applicable advice on securing systems in DeFi
• Zellic The Vulnerabilities You’ll Write With Anchor
  • A subset of common vulnerabilities you'll come across in Anchor programs

Exploits 🪦

• CASH Hack Summary Thread (samczsun)
  • Establish a root of trust!
• CASH Hack — What’s the Vulnerability (Sec3)
  • Check input accounts!
• Cope Roulette (Arrowana)
  • Neat way to exploit reverting transactions
• Detecting Simulation in a Solana Program (Opcodes)
  • Goes into how transaction simulation works and the purpose of the bank - Sec3 also has a great overview of the bank module
• How to freely borrow all the TVL from the Jet Protocol (Jayne)
  • A fairly uncommon vulerability due to an unintended use of break
• How to Become a Millionaire, 0.000001 BTC at a Time (Neodyme)
  • An innocent-looking rounding error that put $2.6bn at risk. If in doubt, use floor (or ceil depending on direction) instead of round
  • Context on Neodyme Exploit by Solend
• New Integer Overflow Bug Discovered in Solana rBPF (BlockSec)
  • Use checked_add(), checked_div(), checked_mul(), checked_pow, checked_sub or saturating_add(), saturating_mul(), saturating_pow(), saturating_sub()! → read relevant Sec3 blog post
• Schrodinger’s NFT, An Incinerator SPL Token program, and The Royal Flush Attack (Solens) (similar to samczsun explanation of combining attacks)
  • Chaining small exploits to create a significant exploit. Watch samczsun's explanation of exploit chaining
• Smashing the Candy Machine for fun and profit! (Solens)
  • Check unchecked accounts properly! There is a reason why Anchor requires UncheckedAccount to have /// CHECK documentation. The fix came down to 1 line of Anchor code: #[account(zero)] vs #[account(zero)]
• Solana Stake Pool: A Semantic Inconsistency Vulnerability (Sec3)
  • Shows how to build a proof of concept with Neodyme’s Poc Framework. Also highlights how previously audited code (Stake Pool audits linked in audits section below) can contain vulnerabilities
• Solend Malicious Lending Market Incident Report (Rooter)
  • Read Kudelski's blog post on Solana Program Security to understand the exploit
• SPL Token Program Approve Instruction (Hana)
  • Sneaky way to revoke Solana token approvals
• The $200m Bluff: Cheating Oracles on Solana (OtterSec)
  • How to move an AMM price to manipulate an oracle and exploit a lending protocol. Use fair pricing for LP tokens and TWAPs where possible! Drift has examples of oracle guardrails that aim to prevent these types of attacks
• Wormhole Hack Summary Thread (samczsun)
  • Check/validate your input accounts anon!
• Wormhole Hack TLDR (Halborn)
  • When chaining delegations of signature verifications, make sure it leads to proper verifications!
• Wormhole Hack Quick Analysis (Kudelski)
  • Validate unmodified, reference-only accounts!
• Wormhole Post-Mortem Analysis (Entropy)
  • Analyzing the input accounts to fake the SignatureSet

PoCs for Discovered Vulnerabilities 💡

• Cashio Exploit (PNM)
• Jet Governance (OtterSec)
• Port Max Withdraw Bug (nojob)
• SPL Token-Lending (Neodyme)

Audits and Code Reviews 🔒

• Aldrin (Kudelski)
• [Audius](https://assets.website-files.com/6024b69839b1b755528798ea/6201872afb297b3955e303aa_Audius%20-%20Security%20Assessment%2