DeFi Safety
Published in

DeFi Safety

Solana needs work

Due to repeated downtime, Solana has the second worst final technical risk score of the 15 chains that we have reviewed so far. Only Ronin has a lower score at this point. This is for a variety of reasons.

Firstly, Solana’s base score is low. Despite a public software repository and some good documentation, their infrastructure relating to nodes is subpar.

There is only one node implementation (we will address this later), the updates are handled in a haphazard manner and there is no process for an archive node.

It is still unclear where the chain stores its history — there have been no documented updates on the Solar bridge after archivers were abandoned. https://docs.solana.com/proposals/ledger-replication-to-implement

Aside from the founder’s reddit comment from 1 year ago that states the chain “is archived to arweave” and that validators store 2 days of history, there have been no documented updates. https://www.reddit.com/r/solana/comments/mk71yl/is_solana_going_to_be_easy_to_hack_since_its_a/gtg671x/?utm_source=reddit&utm_medium=web2x&context=3

While Solana Beach / SolScan have made significant strides in UX, their utility as a block explorer still does not match Etherscan’s.

Frequent 404 errors and failed searches plagued our researchers when trying to view components of older transactions. This raises questions about the nature of Solana as a blockchain if it is not easily verifiable. https://solscan.io/tx/5MiGs3KSuTqYf5uofqmmSJLFXE6i3tuqE73huxvvVYr6VvQbgraeJdsMndZ7VpTnYJVx3L86UWpv5UBxP5Hkziy2

In addition, while Solana as a chain has been audited (years ago) the node software has not been audited. Kudelski’s 2019 Audit focuses on architecture and not node software. The 3 years of subsequent iterations are thus unaudited. https://solana.com/solana-security-audit-2019.pdf

This is alarming given the lack of formal process relating to upgrading any part of Solana — the production version of the chain is at the whim of whichever core contributor sees the push request.

This presents risk to user funds as this is a single point of failure. Solana Labs should pursue formal verification on this chain to ensure it functions as intended, like other leading L1s do.

Credit where it’s due, Solana has made significant strides in validation decentralisation. Thanks to an impressive program that incentivises many validators on other continents, Solana scores well on this point. Nonetheless, it is unclear what role these validators play.

Upon downtime, a selection of 25 validators restarted the chain (coordinated via google docs). What is a blockchain? We would like to thank @Solana for sharing that google doc explaining their chain restart process. This is nice transparency. Is it the future of finance?

https://docs.google.com/document/u/1/d/e/2PACX-1vSam1Vp4hfO-Ea2fmSfexYH5FqyIatwz3PDOlW8-XkD2jgyfoJRXeF-KEtMDKnsbotzY3we6OqTnGnm/pub

This is the 8th time that this has occurred (or 9th, it is unclear). How a chain of such significance can be controlled by 25 groups is incomprehensible and unsafe. The potential for chain manipulation is high.

https://solanabeach.io/validators

Given that two of these chain failures occurred in less than 6 months, an already unimpressive score is docked twice by half. This leaves their score at 25% of its original value.

There was some discussion amongst validators about censoring specific transactions that caused the downtime, which would have incurred a further penalty, but fortunately this was not necessary. https://twitter.com/Austin_Federa/status/1520607188946878464

We strongly advise @Solana to increase the number of node implementations they offer to validators. Validators identified this in the last week’s downtime as a potential contributing factor. One is not enough. Other leading L1s have 5 or more.

They have an impressive bug bounty though, as @austin_federa correctly identifies. Maybe @solana would consider offering full time contracts for security researchers instead of the bounty system they currently operate.

This would surely lead to better outcomes (and may even prove cheaper than the full payout amount). https://twitter.com/Austin_Federa/status/1533089857223925761

All in all, Solana presents systemic technical risk. There is no doubt about it. User funds, in our eyes, are at risk. We penalise them heavily for downtime because users cannot access their funds when the chain goes down.

Solana justifies this as still being in “beta”. The fact that @Solana has to state to users that “funds are safe” is probably an indicator that they aren’t. This isn’t a question people should have to consider. https://twitter.com/SolanaStatus/status/1532076698790862848

This is frankly inexcusable given the TVL of this chain and how prevalent it is in DeFi. Any serious DeFi risk analysis will identify that the risk adjusted return for any activity on this chain makes the opportunities irrelevant.

This is not to say that things won’t change: we know some of the biggest brains in this industry work on Solana. They just need to show the development process the respect it deserves.

Their users deserve better. DeFi deserves better. We are hopeful that this will be the case soon, but Solana has been around for so long now and downtimes are as frequent as ever. Audits are irrelevant and out of date. Node implementations are anaemic.

Development is arbitrary. The core contributors are unresponsive to requests for comments. We cannot see a documented process for verifying chain archives. Move fast, by all means, but show your users (and their funds) the due process blockchain security requires.

At the moment, Solana does not. Anyone who uses this chain subjects themselves to massive and at this point seemingly inherent technical risk and trust. We cannot advise any serious investor to use this chain.

This is a (long) snippet of a full safety report on Solana. For the full report, 14 other chains, scores on some 30,000 contracts as well as the protocol scores you know and love, please visit DeFiSafety.com/app and buy a subscription.

--

--

Get the Medium app

A button that says 'Download on the App Store', and if clicked it will lead you to the iOS App store
A button that says 'Get it on, Google Play', and if clicked it will lead you to the Google Play store