How to audit Solana smart contracts Part 3: penetration testing

sec3 (formerly Soteria)
Coinmonks
7 min read · Dec 8, 2021


In this article, we introduce a few penetration testing tools to help detect vulnerabilities in Solana or Rust programs in general.

Solana PoC Framework

The poc-framework provides a convenient way to simulate transactions in a local environment. To illustrate its usage, we will use an example provided by Neodyme on GitHub.

The withdraw function in the level0 contract with a known vulnerability

We first run soteria -analyzeAll . to obtain a list of potential vulnerabilities, and then use the poc-framework to construct a proof of concept for each one. In particular, Soteria reports the following issue:

Vulnerability: an un-trustful wallet account in level0 reported by Soteria

This is in fact a known vulnerability in the level0 contract: a missing ownership check on the wallet account at line 104. In the next three steps, we will construct a PoC to exploit this…
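To make the flagged gap concrete, here is an added illustration that is not the level0 program's own code: a minimal model of the withdraw path first without and then with the owner check. Pubkey, Account, the error enum and all function names are assumptions standing in for solana_program's Pubkey and AccountInfo, so the snippet runs without the Solana crates.

```rust
// Added illustration, not the level0 program's code; Pubkey and Account are
// assumed stand-ins for solana_program's Pubkey/AccountInfo so this runs offline.
pub type Pubkey = [u8; 32];
#[derive(Clone, Debug)]
pub struct Account {
    pub key: Pubkey,
    pub owner: Pubkey,    // program that owns the account; set by the runtime
    pub is_signer: bool,
    pub lamports: u64,
    // Wallet data fields; untrusted until the owner check proves this program wrote them.
    pub authority: Pubkey,
    pub vault: Pubkey,
}
#[derive(Debug, PartialEq)]
pub enum WithdrawError { NotSigned, WrongAuthority, WrongVault, WrongOwner, Insufficient }

/// The withdraw path as Soteria flags it: wallet data is trusted, but nothing
/// checks which program owns the wallet account.
pub fn withdraw_unchecked(wallet: &Account, vault: &mut Account, authority: &Account,
                          amount: u64) -> Result<u64, WithdrawError> {
    if !authority.is_signer { return Err(WithdrawError::NotSigned); }
    if wallet.authority != authority.key { return Err(WithdrawError::WrongAuthority); }
    if wallet.vault != vault.key { return Err(WithdrawError::WrongVault); }
    if vault.lamports < amount { return Err(WithdrawError::Insufficient); }
    vault.lamports -= amount;
    Ok(vault.lamports)
}

/// Hardened form: reject a wallet account this program does not own before
/// reading any field of its data.
pub fn withdraw_checked(program_id: &Pubkey, wallet: &Account, vault: &mut Account,
                        authority: &Account, amount: u64) -> Result<u64, WithdrawError> {
    if wallet.owner != *program_id { return Err(WithdrawError::WrongOwner); }
    withdraw_unchecked(wallet, vault, authority, amount)
}

/// Constructed scenario: a wallet owned by another program that names the real vault.
pub fn demo() -> (Result<u64, WithdrawError>, Result<u64, WithdrawError>) {
    let (program_id, other, zero) = ([1u8; 32], [9u8; 32], [0u8; 32]);
    let signer = Account { key: [7u8; 32], owner: other, is_signer: true, lamports: 0,
                           authority: zero, vault: zero };
    let wallet = Account { key: [5u8; 32], owner: other, is_signer: false, lamports: 0,
                           authority: signer.key, vault: [3u8; 32] };
    let mut vault = Account { key: [3u8; 32], owner: program_id, is_signer: false,
                              lamports: 1_000, authority: zero, vault: zero };
    let unchecked = withdraw_unchecked(&wallet, &mut vault.clone(), &signer, 400);
    let checked = withdraw_checked(&program_id, &wallet, &mut vault, &signer, 400);
    (unchecked, checked)
}
```

The unchecked path debits the vault because it believes the foreign wallet's data; the owner check turns the same call into a WrongOwner error before any field is read.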
