Over the past two months, the Solana engineering team has engaged with world-renowned software security company Kudelski Security to audit every detail of the Solana software architecture. The Kudelski team dove into the furthest corners of Solana’s eight core innovations, and had our team defend our design decisions at each step to thoroughly inspect and dissect every element of the Solana infrastructure.
Kudelski maintains a sterling global reputation, and its audits are considered a gold standard: “Given our trust in Kudelski, we were happy to see Solana working with Kudelski to audit their technology,” explained Rob Steiner, Head of Blockchain at DISH. “Kudelski is a highly regarded international cybersecurity company,” corroborated David Campbell, COO at Electric Coin Company (creators of Zcash).
Overall, the Kudelski analysis of Solana took a notably positive stance on the project. Kudelski was particularly fond of Proof of History, immediately recognizing it as a Lamport clock, a familiar sight in high-performance computing projects. They dug into TowerBFT, our innovation at the consensus layer, and understood how the choice to use Proof of Stake created an opportunity to break away from traditional BFT algorithms and simplify consensus. The Kudelski team was able to identify and offer various ways to partition the network to challenge TowerBFT, and identified gaps in our documentation and test suite, which didn’t cover those situations. Accommodating those edge cases will be our team’s focus between now and mainnet launch.
“While the general purpose of this analysis is to focus on the technology as designed and implemented, it bears a short acknowledgement to the skills and knowledge of the Solana Team,” states the Kudelski report. “Solana has implemented a strategy for personnel which leverages individual talents to make leaps forward in technology, but with a constant attention towards backfill and knowledge transfer.”
The report continues: “The team functioned as a true team, with each member able to comment and enrich the discussion regardless of the particular topic. This means that the key human resource structure of the Solana team is well-positioned for growth and can tolerate the loss or departure of individuals without losing focus or capabilities in continued development and implementation of the platform. This is generally a risk for small companies and startups, and it is remarkable that this situation is not the case for Solana. They have done an excellent job at conveying and distributing knowledge and training across their entire team.”
While the overwhelming majority of the Solana infrastructure was found to be airtight, Kudelski’s analysis was intended to uncover potential for breaches from every conceivable angle, no matter how infinitesimal. The transaction parallelism of our Sealevel runtime generated plenty of discussion. We pointed to cases where parallelism was safe, and the Kudelski team responded with attacks that would prevent those cases from occurring in practice. After some back and forth, we’ve been convinced that a well-funded attacker could theoretically slow down access to particular accounts.
Here’s an example:
If one used Solana to implement a crowdfunding campaign, an attacker could continuously pay a small amount of tokens to the crowdfunded account in rapid succession. The small payments would prevent others from making larger payments at the same time. If the attack continued for over two minutes, an honest client would need to regenerate a new transaction and resubmit it. If Solana offered a high-priority channel into Sealevel — which the current implementation does — that well-funded attacker could eclipse all other clients for as long as they are willing to pay the transaction fees. Suffice it to say, we’ll be plugging that hole immediately!
Kudelski’s audit reached beyond our expectations. It wasn’t sufficient that the architecture merely be sound. They wanted to see an automated exploration of all the edge cases, and a resilient team that could respond quickly to the unexpected. While we are exceedingly encouraged by Kudelski’s findings as we enter the final phase of development towards Solana mainnet, we also have a clearer understanding of the edge cases and exceptions that must be accommodated before launch.
We’re humbled by Kudelski’s findings, and proudly share their unredacted report in full. We believe strongly in transparency.