solana-security
by @tenequm
Audit Solana programs (Anchor or native Rust) for security vulnerabilities. Use when reviewing smart contract security, finding exploits, analyzing attack ve...
clawhub install solana-securityπ About This Skill
name: solana-security description: Audit Solana programs (Anchor or native Rust) for security vulnerabilities. Use when reviewing smart contract security, finding exploits, analyzing attack vectors, performing security assessments, or when explicitly asked to audit, review security, check for bugs, or find vulnerabilities in Solana programs. metadata: version: "0.6.1"
Solana Security Auditing
Systematic security review framework for Solana programs, supporting both Anchor and native Rust implementations.
Review Process
Follow this systematic 5-step process for comprehensive security audits:
Step 1: Initial Assessment
Understand the program's context and structure:
use anchor_lang::prelude::*)Cargo.toml for compatibility and known issuesStep 2: Systematic Security Review
For each instruction, perform security checks in this order:
1. Account Validation - Verify signer, owner, writable, and initialization checks
2. Arithmetic Safety - Check all math operations use checked_* methods
3. PDA Security - Validate canonical bumps and seed uniqueness
4. CPI Security - Ensure cross-program invocations validate target programs
5. Oracle/External Data - Verify price staleness and oracle status checks
β See references/security-checklists.md for detailed checklists
Step 3: Vulnerability Pattern Detection
Scan for common vulnerability patterns:
β See references/vulnerability-patterns.md for code examples and exploit scenarios
Step 4: Architecture and Testing Review
Evaluate overall design quality:
Step 5: Generate Security Report
Provide findings using this structure:
Severity Levels:
Finding Format:
## π΄ [CRITICAL] TitleLocation: programs/vault/src/lib.rs:45-52
Issue:
Brief description of the vulnerability
Vulnerable Code:
rust
// Show the problematic code
Exploit Scenario:
Step-by-step explanation of how this can be exploitedRecommendation:
rust
// Show the secure alternative
References:
[Link to relevant documentation or similar exploits]
Report Summary:
Quick Reference
Essential Checks (Every Instruction)
Anchor:
// β
Account validation with constraints
#[derive(Accounts)]
pub struct SecureInstruction<'info> {
#[account(
mut,
has_one = authority, // Relationship check
seeds = [b"vault", user.key().as_ref()],
bump, // Canonical bump
)]
pub vault: Account<'info, Vault>, pub authority: Signer<'info>, // Signer required
pub token_program: Program<'info, Token>, // Program validation
}
// β
Checked arithmetic
let total = balance.checked_add(amount)
.ok_or(ErrorCode::Overflow)?;
Native Rust:
// β
Manual account validation
if !authority.is_signer {
return Err(ProgramError::MissingRequiredSignature);
}if vault.owner != program_id {
return Err(ProgramError::IllegalOwner);
}
// β
Checked arithmetic
let total = balance.checked_add(amount)
.ok_or(ProgramError::ArithmeticOverflow)?;
Critical Anti-Patterns
β Never Do:
saturating_* arithmetic methods (hide errors)unwrap() or expect() in production codeinit_if_needed without additional checksβ Always Do:
checked_* arithmetic (checked_add, checked_sub, etc.)ok_or(error)? for Option unwrappinginit with proper validationSigner<'info> or is_signer checksProgram<'info, T> for CPI program validationFramework-Specific Patterns
Anchor Security Patterns
β See references/anchor-security.md for:
CpiContextNative Rust Security Patterns
β See references/native-security.md for:
Modern Practices (2025)
InitSpace derive for automatic space calculationSecurity Fundamentals
β See references/security-fundamentals.md for:
Common Vulnerabilities
β See references/vulnerability-patterns.md for:
Each vulnerability includes:
Security Checklists
β See references/security-checklists.md for:
Known Issues and Caveats
β See references/caveats.md for:
Security Resources
β See references/resources.md for:
Key Questions for Every Audit
Always verify these critical security properties:
1. Can an attacker substitute accounts? - PDA validation, program ID checks, has_one constraints
2. Can arithmetic overflow or underflow? - All math uses checked operations, division by zero protected
3. Are all accounts properly validated? - Owner, signer, writable, initialized checks present
4. Can the program be drained? - Authorization checks, reentrancy protection, account confusion prevention
5. What happens in edge cases? - Zero amounts, max values, closed accounts, expired data
6. Are external dependencies safe? - Oracle validation (staleness, status), CPI targets verified, token program checks
Audit Workflow
Before Starting
1. Understand the protocol purpose and mechanics 2. Review documentation and specifications 3. Set up local development environment 4. Run existing tests and check coverage
During Audit
1. Follow the 5-step review process systematically 2. Document findings with severity and remediation 3. Create proof-of-concept exploits for critical issues 4. Test fixes and verify they work
After Audit
1. Present findings clearly prioritized by severity 2. Provide actionable remediation steps 3. Re-audit after fixes are implemented 4. Document lessons learned for the protocol
Testing for Security
Beyond code review, validate security through testing:
Core Principle
In Solana's account model, attackers can pass arbitrary accounts to any instruction.
Security requires explicitly validating:
There are no implicit guarantees. Validate everything, trust nothing.