Solana Vulnerability Scanner

Solana Vulnerability Scanner is a community skill for detecting security vulnerabilities in Solana smart contracts, covering program analysis, account validation, instruction parsing, common exploit patterns, and audit reporting for Solana blockchain security.

What Is This?

Overview

Solana Vulnerability Scanner provides patterns for analyzing Solana programs for common security flaws. It covers account ownership and signer validation checks that prevent unauthorized program invocations, integer overflow and underflow detection in arithmetic operations on token amounts, missing rent exemption checks that could allow account closure attacks, cross-program invocation validation to prevent privilege escalation through malicious programs, and PDA derivation verification ensuring correct seed and bump combinations. The skill enables security auditors to systematically review Solana programs for vulnerabilities that could lead to fund loss or unauthorized state changes.

Who Should Use This

This skill serves blockchain security auditors reviewing Solana programs for vulnerabilities before deployment, Solana developers building programs who want to follow secure coding patterns, and teams conducting authorized penetration testing on deployed Solana applications.

Why Use It?

Problems It Solves

Solana programs must manually validate account ownership and signer status, unlike EVM contracts where the runtime enforces some checks. Missing account validation allows attackers to pass arbitrary accounts that bypass intended authorization. Arithmetic operations on token amounts can overflow without explicit checks in older Rust compiler configurations. Cross-program invocations without proper program ID verification can delegate authority to malicious programs.

Core Highlights

Account validator checks owner, signer, and writable flags on all instruction accounts. Arithmetic analyzer detects unchecked math operations on token balances. CPI inspector verifies program IDs in cross-program invocation targets. PDA checker validates seed derivation and bump usage patterns.

How to Use It?

Basic Usage

use solana_program::{
    account_info::AccountInfo,
    entrypoint::ProgramResult,
    program_error::ProgramError,
    pubkey::Pubkey,
    msg,
};

pub fn validate_account(
    account: &AccountInfo,
    expected_owner: &Pubkey,
    require_signer: bool,
    require_writable: bool,
) -> ProgramResult {
    if account.owner != expected_owner {
        msg!("Invalid owner: {}",
             account.key);
        return Err(
            ProgramError::IllegalOwner);
    }
    if require_signer
        && !account.is_signer {
        return Err(
            ProgramError
            ::MissingRequiredSignature);
    }
    if require_writable
        && !account.is_writable {
        return Err(
            ProgramError::InvalidArgument);
    }
    Ok(())
}

pub fn safe_transfer(
    amount: u64,
    balance: u64,
) -> Result<u64, ProgramError> {
    balance.checked_sub(amount)
        .ok_or(
            ProgramError::InsufficientFunds)
}

Real-World Examples

use solana_program::{
    account_info::AccountInfo,
    entrypoint::ProgramResult,
    program::invoke_signed,
    pubkey::Pubkey,
    system_instruction,
    program_error::ProgramError,
};

pub fn validate_pda(
    pda_account: &AccountInfo,
    program_id: &Pubkey,
    seeds: &[&[u8]],
    expected_bump: u8,
) -> ProgramResult {
    let (expected_key, bump) =
        Pubkey::find_program_address(
            seeds, program_id);
    if *pda_account.key != expected_key {
        return Err(
            ProgramError::InvalidSeeds);
    }
    if bump != expected_bump {
        return Err(
            ProgramError::InvalidArgument);
    }
    Ok(())
}

pub fn secure_cpi_transfer(
    from: &AccountInfo,
    to: &AccountInfo,
    authority: &AccountInfo,
    amount: u64,
    seeds: &[&[u8]],
) -> ProgramResult {
    let ix = system_instruction::transfer(
        from.key, to.key, amount);
    invoke_signed(
        &ix,
        &[from.clone(), to.clone(),
          authority.clone()],
        &[seeds],
    )
}

Advanced Tips

Use Anchor framework constraints like has_one and constraint attributes to enforce account validation declaratively rather than with manual checks. Run cargo audit regularly to detect known vulnerabilities in Solana SDK and dependency versions. Test programs with the solana-program-test crate using adversarial account inputs to verify validation logic handles malicious inputs correctly.

When to Use It?

Use Cases

Build an automated scanner that analyzes Solana program bytecode for missing account validation patterns. Create an audit checklist tool that verifies programs against common vulnerability categories before mainnet deployment. Implement a monitoring system that detects suspicious transaction patterns targeting known vulnerability classes.

Related Topics

Blockchain security, Solana programming, smart contract auditing, Rust security patterns, and program verification.

Important Notes

Requirements

Rust toolchain with Solana program libraries for building and analyzing programs. Solana CLI tools for deploying and testing on devnet. Understanding of Solana account model and program architecture.

Usage Recommendations

Do: validate ownership, signer status, and writability for every account passed to program instructions. Use checked arithmetic operations for all calculations involving token amounts. Verify program IDs explicitly in cross-program invocations to prevent delegation to malicious programs.

Don't: assume accounts passed by the runtime are correctly owned or signed without explicit checks. Use unchecked arithmetic that can silently overflow or underflow on token balances. Deploy programs to mainnet without professional security audit review.

Limitations

Static analysis cannot detect all vulnerability patterns that depend on runtime state and transaction ordering. New vulnerability classes emerge as the Solana runtime evolves and new program patterns are adopted. Automated scanning supplements but does not replace manual expert code review for critical programs.