Soteria — A vulnerability scanner for Solana smart contracts

sec3 (formerly Soteria)
Coinmonks
3 min read · Oct 8, 2021


Solana is a fast-growing blockchain with a unique type of smart contracts — called Solana programs. This article introduces Soteria, a security tool that automatically scans Solana programs to detect common security pitfalls.

Common pitfalls in Solana smart contracts

Neodyme recently collected a list of common pitfalls in Solana smart contracts, falling into five categories:

  • Missing ownership check
  • Missing signer check
  • Solana account confusions
  • Arbitrary signed program invocation
  • Integer overflow & underflow

As an example, the code below illustrates the missing signer check pitfall: the instruction takes an "admin" account but never verifies that the account actually signed the transaction.

fn update_admin(accounts: &[AccountInfo], admin: [u8; 32]) -> ProgramResult {
    let acc_iter = &mut accounts.iter();
    let admin_info = next_account_info(acc_iter)?;
    let staking_info = next_account_info(acc_iter)?;

    // The signer check is commented out: nothing proves that the holder of
    // admin_info.key actually authorized this instruction.
    // if !admin_info.is_signer {
    //     return Err(ProgramError::MissingRequiredSignature);
    // }

    let mut staking = StakingInfo::try_from_slice(&staking_info.data.borrow())?;
    if staking.admin == [0; 32] {
        // First-time initialization: the first caller becomes admin.
        staking.admin = admin;
    } else if staking.admin == admin_info.key.to_bytes() {
        // Only compares the presented key with the stored admin; without the
        // signer check above, that key need not have signed the transaction.
        staking.admin = admin;
    } else {
        return…
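As an added example (not code from the article or from Soteria), the pitfall above is modelled end to end in dependency-free Rust so that the vulnerable and hardened versions can be run side by side. The Solana SDK's `AccountInfo`, `ProgramError` and the Borsh deserialization are replaced by constructed stand-ins so the file compiles with nothing but the standard library; the hardened `update_admin` restores the signer check and also adds the ownership check from the same pitfall list. The program id, the key values and the 32-byte data layout are assumptions of this example, not part of the original program.

```rust
// Added example: self-contained model of the "missing signer check" pitfall.
// All types below are constructed stand-ins for the Solana SDK (no
// solana_program crate), chosen so the example runs with only std.
use std::cell::RefCell;
use std::convert::TryInto;
use std::rc::Rc;

/// Constructed stand-in for a 32-byte Solana public key.
pub type Pubkey = [u8; 32];

/// Constructed stand-in for solana_program::program_error::ProgramError.
#[derive(Debug, PartialEq)]
pub enum ProgramError {
    MissingRequiredSignature,
    IncorrectProgramId,
    InvalidAccountData,
}

pub type ProgramResult = Result<(), ProgramError>;

/// Minimal model of the AccountInfo fields this pitfall depends on.
pub struct AccountInfo {
    pub key: Pubkey,
    pub owner: Pubkey,
    pub is_signer: bool,
    /// Account data (the real SDK wraps a &mut [u8] the same way).
    pub data: Rc<RefCell<Vec<u8>>>,
}

/// The article's StakingInfo reduced to its admin field, stored as the
/// raw 32 admin bytes (constructed layout, not Borsh).
pub struct StakingInfo {
    pub admin: Pubkey,
}

impl StakingInfo {
    fn try_from_slice(data: &[u8]) -> Result<Self, ProgramError> {
        let admin: [u8; 32] = data.try_into().map_err(|_| ProgramError::InvalidAccountData)?;
        Ok(StakingInfo { admin })
    }
    fn serialize(&self, data: &mut [u8]) {
        data.copy_from_slice(&self.admin);
    }
}

/// Vulnerable version: mirrors the article's snippet with the signer check
/// left out. The stored admin is only *compared* with the presented key, so a
/// transaction that names the admin key without a signature from it passes.
pub fn update_admin_vulnerable(accounts: &[AccountInfo], admin: Pubkey) -> ProgramResult {
    let admin_info = &accounts[0]; // stands in for next_account_info(acc_iter)?
    let staking_info = &accounts[1];

    let mut staking = StakingInfo::try_from_slice(&staking_info.data.borrow())?;
    if staking.admin == [0; 32] || staking.admin == admin_info.key {
        staking.admin = admin;
    } else {
        return Err(ProgramError::InvalidAccountData);
    }
    staking.serialize(&mut staking_info.data.borrow_mut());
    Ok(())
}

/// Hardened version: the signer check is in place, and the staking account
/// must be owned by this program (the "missing ownership check" category).
pub fn update_admin_hardened(program_id: &Pubkey, accounts: &[AccountInfo], admin: Pubkey) -> ProgramResult {
    let admin_info = &accounts[0];
    let staking_info = &accounts[1];

    if !admin_info.is_signer {
        return Err(ProgramError::MissingRequiredSignature);
    }
    if staking_info.owner != *program_id {
        return Err(ProgramError::IncorrectProgramId);
    }

    let mut staking = StakingInfo::try_from_slice(&staking_info.data.borrow())?;
    if staking.admin == [0; 32] || staking.admin == admin_info.key {
        staking.admin = admin;
    } else {
        return Err(ProgramError::InvalidAccountData);
    }
    staking.serialize(&mut staking_info.data.borrow_mut());
    Ok(())
}

/// Builds a constructed scenario: `current_admin` is stored on-chain and the
/// transaction presents `presented_key` as the admin account, signed or not.
pub fn scenario(current_admin: Pubkey, presented_key: Pubkey, signed: bool, staking_owner: Pubkey) -> Vec<AccountInfo> {
    vec![
        AccountInfo { key: presented_key, owner: [0u8; 32], is_signer: signed, data: Rc::new(RefCell::new(Vec::new())) },
        AccountInfo { key: [9u8; 32], owner: staking_owner, is_signer: false, data: Rc::new(RefCell::new(current_admin.to_vec())) },
    ]
}

fn main() {
    let program_id = [7u8; 32]; // assumed program id
    let real_admin = [1u8; 32];
    let new_admin = [2u8; 32];
    // An unsigned transaction that merely names the real admin's key.
    let accounts = scenario(real_admin, real_admin, false, program_id);
    println!("vulnerable: {:?}", update_admin_vulnerable(&accounts, new_admin));
    let accounts = scenario(real_admin, real_admin, false, program_id);
    println!("hardened:   {:?}", update_admin_hardened(&program_id, &accounts, new_admin));
}
```

The vulnerable path accepts the unsigned call and rotates the admin, while the hardened path returns `MissingRequiredSignature` and leaves the stored admin untouched; the same hardened function also rejects a staking account owned by another program. A scanner such as Soteria looks for exactly this shape: an account whose key gates a privileged write without a corresponding `is_signer` (or owner) check on the same account.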
