6 Solana common crypto project vulnerabilities

SmartState.tech
Coinmonks
4 min readApr 18, 2024


Solana is one of the most popular blockchains today, and many popular meme coins as well as more complex projects are built on it. Solana offers high transaction throughput and low fees, but it also demands more technical skill: developing a Solana project often requires running or renting a node, or designing a solid backend.

When it comes to security, Solana has its own peculiarities that must be taken into account when developing projects on this network. That is why a security audit of a Solana-based project differs from a smart contract audit of a project on, say, Ethereum. This article discusses some of the most common security issues found in Solana projects.

0. Backend vulnerabilities

This cluster of vulnerabilities is not described in detail in this article because it is not directly related to Solana itself, but we consider this vulnerability type important enough to mention.

Many Solana projects build an additional backend alongside their on-chain code. Based on our experience, a significant share of vulnerabilities is hidden not in the smart contracts themselves (in Solana, a smart contract is called a program) but in that backend. If you use or plan to use backend functionality in your Solana project (and this applies to any blockchain or crypto project on any network), pay extra attention to the security review of the backend.

1. Missing ownership check

In Solana, the owner of an account is by definition a program (smart contract). The owner's public key is stored in the owner field of the account metadata (AccountInfo::owner). If a program contains functionality that is meant to operate only on a specific set of accounts, it must validate the owner of each account it receives. Without owner validation, an attacker can pass an account they control in place of the expected one.

2. Account confusion

A Solana program (smart contract) may work with several accounts that hold different types of data for different purposes. It is important to verify that an account's data is of the type the program expects for that account; otherwise an attacker can supply an account of a different type and exploit the missing check.

3. Missing signer check

In smart contract design in general, it is often necessary to restrict certain instructions to a specific set of callers (e.g., a call is allowed only for the admin). In Solana programs, developers frequently forget to check that the account claiming that role actually authorized the transaction; in Rust this check is performed via AccountInfo::is_signer.
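The three account checks above (owner, account type, signer) in one place, as an added example that is not from the article. It is plain Rust with no Solana crates: `Pubkey` and `AccountInfo` are simplified stand-ins for the solana_program types, the `Vault` layout (1-byte type tag, 32-byte admin key, 8-byte balance) is hypothetical, and the error names mirror solana_program's ProgramError variants.

```rust
// Simplified stand-ins for solana_program's Pubkey and AccountInfo (assumption:
// same field names; the real AccountInfo also carries lamports, executable, etc.).
#[derive(Clone, Copy, PartialEq, Eq, Debug)]
pub struct Pubkey(pub [u8; 32]);
pub struct AccountInfo {
    pub key: Pubkey,
    pub owner: Pubkey,   // program that owns this account
    pub is_signer: bool, // whether this account signed the transaction
    pub data: Vec<u8>,   // raw account data
}
#[derive(Debug, PartialEq, Eq)]
pub enum ProgramError {
    IncorrectProgramId,       // check 1: account owned by another program
    InvalidAccountData,       // check 2: wrong account type or layout
    MissingRequiredSignature, // check 3: authority did not sign
    Unauthorized,             // signer is not the recorded admin
}
// Hypothetical layout: 1-byte type tag, 32-byte admin key, 8-byte LE balance.
pub const VAULT_TAG: u8 = 1;
pub const VAULT_LEN: usize = 41;
pub struct Vault { pub admin: Pubkey, pub balance: u64 }

/// Check 1 (owner) and check 2 (type tag) before trusting the bytes.
pub fn load_vault(program_id: &Pubkey, acc: &AccountInfo) -> Result<Vault, ProgramError> {
    if acc.owner != *program_id {
        return Err(ProgramError::IncorrectProgramId);
    }
    if acc.data.len() != VAULT_LEN || acc.data[0] != VAULT_TAG {
        return Err(ProgramError::InvalidAccountData);
    }
    let mut admin = [0u8; 32];
    admin.copy_from_slice(&acc.data[1..33]);
    let mut bal = [0u8; 8];
    bal.copy_from_slice(&acc.data[33..41]);
    Ok(Vault { admin: Pubkey(admin), balance: u64::from_le_bytes(bal) })
}

/// Admin-only instruction: check 3 (signer) plus identity, then act.
pub fn withdraw_all(program_id: &Pubkey, vault_acc: &AccountInfo,
                    authority: &AccountInfo) -> Result<u64, ProgramError> {
    let vault = load_vault(program_id, vault_acc)?;
    if !authority.is_signer {
        return Err(ProgramError::MissingRequiredSignature);
    }
    if authority.key != vault.admin {
        return Err(ProgramError::Unauthorized);
    }
    Ok(vault.balance)
}
```

Note that the signer check alone is not enough: an attacker can sign with their own key, so the signing key must also be compared against the admin recorded in the account.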

4. Overflows / Underflows

One of the most frequent oversights in Solana programs is integer overflow. It happens because Rust panics on overflow and underflow in debug builds, which can lead developers to assume that the same errors will be caught in release builds. In release builds, however, Rust performs two's complement wrapping without panicking. It is therefore essential to keep an eye on arithmetic and to choose variable sizes that can accommodate every possible value of a given variable.
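The wrapping behaviour and its fix side by side, as an added example (plain Rust, not code from the article). The vulnerable function uses `wrapping_*` so that the release-mode result is reproduced deterministically even in a debug build; the hardened one uses `checked_*` and fails the instruction instead of corrupting balances. Setting `overflow-checks = true` under `[profile.release]` in Cargo.toml is the complementary build-level defence.

```rust
#[derive(Debug, PartialEq, Eq)]
pub enum MathError { Overflow, Underflow }

/// Simplified token balances, as a program might keep them on-chain.
#[derive(Debug, PartialEq, Eq)]
pub struct Balances { pub from: u64, pub to: u64 }

/// Vulnerable: with overflow checks off (the default release profile) a plain
/// `b.from - amount` wraps, so a sender holding 10 tokens who "sends" 11 ends up
/// with u64::MAX. wrapping_* makes that behaviour explicit and reproducible.
pub fn transfer_wrapping(b: &Balances, amount: u64) -> Balances {
    Balances {
        from: b.from.wrapping_sub(amount),
        to: b.to.wrapping_add(amount),
    }
}

/// Hardened: checked_* returns None on underflow/overflow, which is turned
/// into an error so the whole instruction is rejected and no state changes.
pub fn transfer_checked(b: &Balances, amount: u64) -> Result<Balances, MathError> {
    let from = b.from.checked_sub(amount).ok_or(MathError::Underflow)?;
    let to = b.to.checked_add(amount).ok_or(MathError::Overflow)?;
    Ok(Balances { from, to })
}
```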

5. Precision loss

This type of vulnerability occurs quite often in Solana programs, typically in integer calculations of fees, prices or shares where intermediate rounding discards value. The best way to avoid it is to use fixed-point arithmetic during program development wherever possible.
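A concrete case of precision loss and the fixed-point alternative, as an added example (plain Rust, not from the article). Fees are expressed in basis points (assumed convention, 1 bp = 1/10,000) and the pro-rata share formula is a generic vault pattern, not a specific project's code.

```rust
/// Basis-point denominator: 10_000 bps = 100%.
pub const BPS_DENOMINATOR: u128 = 10_000;

/// Lossy: dividing first truncates. Any amount below 10_000 base units pays a
/// fee of 0, and the truncation error compounds across many transactions.
pub fn fee_lossy(amount: u64, fee_bps: u64) -> u64 {
    amount / 10_000 * fee_bps
}

/// Fixed-point style: multiply first in a 128-bit intermediate (cannot
/// overflow for two u64 inputs), divide once at the end. None only if the
/// result does not fit back into u64.
pub fn fee_precise(amount: u64, fee_bps: u64) -> Option<u64> {
    let fee = (amount as u128) * (fee_bps as u128) / BPS_DENOMINATOR;
    if fee > u64::MAX as u128 { None } else { Some(fee as u64) }
}

/// Pro-rata share issuance: shares = deposit * total_shares / total_assets.
/// Rounds down, so any rounding error favours the pool, not the depositor.
pub fn shares_for_deposit(deposit: u64, total_shares: u64, total_assets: u64) -> Option<u64> {
    if total_assets == 0 {
        return Some(deposit); // first depositor: 1:1 (assumed policy)
    }
    let s = (deposit as u128) * (total_shares as u128) / (total_assets as u128);
    if s > u64::MAX as u128 { None } else { Some(s as u64) }
}

/// The same share formula written divide-first, to show the loss: for any
/// deposit smaller than total_assets the quotient is 0 and no shares are minted.
pub fn shares_lossy(deposit: u64, total_shares: u64, total_assets: u64) -> u64 {
    if total_assets == 0 { deposit } else { deposit / total_assets * total_shares }
}
```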

6. Arbitrary Cross-Program Invocation (CPI)

Arbitrary cross-program invocation occurs when one program invokes another without checking that the invoked program is the one intended. The target program's address must be verified before the invocation is made. Without such verification, an attacker can substitute a program of their own as the invocation target.

In conclusion

Solana is a steadily developing blockchain with its own specifics that should be taken into account when developing projects on this network. Understanding the particular features of working with Solana makes it possible to create projects that are not only popular within the crypto community, but also safer for users' assets.

SmartState: Top-notch smart contract audits & blockchain security solutions

About SmartState

Launched in 2019 and incorporated in Dubai, SmartState is an independent Web3 security company providing top-notch external security audits and enterprise level blockchain security services.

We’ve built a professional team of skilled white-hat hackers, cyber security experts, analysts and developers. The SmartState team has extensive experience in ethical hacking and cyber security, blockchain & Web3 development, and the financial and economic sectors.

We’ve conducted security audits for more than 300 projects so far. None of the code audited by SmartState has been hacked. Large projects like EYWA and 1inch and exchanges such as Binance and KuCoin rely on our experience.

Concerned about your project & assets security? Book our Free security consultation:

  • 20 min
  • SmartState top security experts
  • Strictly about your project

🚀 Use this opportunity now! Let’s get in touch: info@smartstate.tech

Stay tuned and find more about us and what we provide on our:

DYOR. This article does not constitute legal, financial or investment advice, and we are not responsible for any decisions based on our analysis or recommendations. An audit does not provide any warranties regarding the code security. We presume that a single audit cannot be considered totally sufficient and always recommend several independent audits and a public bug bounty program to ensure code security.
