6 Solana common crypto project vulnerabilities
April 18, 2024


Solana is one of the most popular blockchains today: many meme coins and plenty of more complex projects are built on it. Solana offers high transaction throughput and low fees, but building on it usually demands more engineering skill: a Solana project often requires running or renting a node and designing a solid backend.

Solana also has its own security peculiarities that must be taken into account when developing on it, which is why a security audit of a Solana-based project differs from a smart contract audit of a project on, say, Ethereum. This article walks through some of the most common security issues found in Solana programs.

0. Backend vulnerabilities

This class of vulnerabilities is not covered in detail in this article because it is not specific to Solana itself, but we consider it important enough to mention first.

Many Solana projects build an additional backend alongside the on-chain code. In our experience, a significant share of vulnerabilities hides not in the smart contracts themselves (in Solana a smart contract is called a program) but in that backend. If you use or plan to use backend functionality in your Solana project (and this applies to any blockchain / crypto project on any network), pay extra attention to the security testing of the backend.

1. Missing ownership check

Every Solana account has an owner, which is by definition a program; the owner's public key is stored in the owner field of the account metadata (AccountInfo::owner). Only the owner program can modify an account's data, so whenever a program reads state from an account (a config, a vault, a user position) it must verify that the account is owned by the expected program. Without that check, an attacker can create an account with arbitrary contents and pass it in place of the expected one.

2. Account confusion

A Solana program typically manages several kinds of accounts holding different types of data for different purposes (say, a global config and per-user vaults). Since all of them are owned by the same program, the ownership check alone does not tell them apart: the program must also verify that the account data is of the type it expects, for example via a type tag (discriminator) at the start of the data. Otherwise an attacker can pass an account of one type where another is expected and have its bytes interpreted as the wrong structure.

3. Missing signer check

In smart contract design in general, some instructions must be callable only by a certain set of entities (e.g. only the admin). In Solana programs it is frequently overlooked that the mere presence of the admin's public key in the instruction's account list proves nothing: anyone can include any public key as a non-signing account. The program must check that the account actually signed the transaction (in Rust this is AccountInfo::is_signer) before treating it as the authority.
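The three checks above (ownership, account type, signer) are shown together below on one admin-only instruction, first without them and then with them. This is an added example, not code from the article or from any particular project: it uses a minimal stand-in for the parts of solana_program's AccountInfo that the checks read, so it runs without the Solana SDK, and the program id, keys, one-byte type tag and account layout are all hypothetical.

```rust
// Added example: stand-ins for Pubkey and the AccountInfo fields the checks use.
// Keys, ids and the account layout are hypothetical.

/// Stand-in for solana_program::pubkey::Pubkey (32 raw bytes).
pub type Pubkey = [u8; 32];

/// Hypothetical id of "our" program (a real program would use declare_id!).
pub const PROGRAM_ID: Pubkey = [7u8; 32];
/// Hypothetical system program id, the owner of plain wallet accounts.
pub const SYSTEM_PROGRAM_ID: Pubkey = [0u8; 32];
/// Hypothetical program deployed by the attacker.
pub const ATTACKER_PROGRAM_ID: Pubkey = [8u8; 32];

/// The AccountInfo fields the checks need; the real AccountInfo has more
/// (lamports, executable, ...) and keeps data behind Rc<RefCell<&mut [u8]>>.
pub struct AccountInfo {
    pub key: Pubkey,
    pub owner: Pubkey,
    pub is_signer: bool,
    pub data: Vec<u8>,
}

/// First data byte tags the account type (Anchor uses an 8-byte discriminator;
/// one byte is enough to show the idea). Both types store a 32-byte key at offset 1.
pub const CONFIG_TAG: u8 = 1; // [tag][admin pubkey]
pub const VAULT_TAG: u8 = 2; // [tag][depositor pubkey]

#[derive(Debug, PartialEq)]
pub enum Error {
    WrongOwner,
    WrongAccountType,
    MissingSignature,
    Unauthorized,
    BadData,
}

fn key_at(data: &[u8], offset: usize) -> Result<Pubkey, Error> {
    let mut k = [0u8; 32];
    k.copy_from_slice(data.get(offset..offset + 32).ok_or(Error::BadData)?);
    Ok(k)
}

/// Admin-only instruction, VULNERABLE as the article describes: it trusts the
/// bytes in `config` and the mere presence of `admin` in the account list.
pub fn set_fee_vulnerable(config: &AccountInfo, admin: &AccountInfo) -> Result<(), Error> {
    if key_at(&config.data, 1)? != admin.key {
        return Err(Error::Unauthorized);
    }
    Ok(()) // ... update the fee
}

/// Same instruction, HARDENED with the ownership, type and signer checks.
pub fn set_fee(config: &AccountInfo, admin: &AccountInfo) -> Result<(), Error> {
    // 1. Ownership: only PROGRAM_ID can have written this data. An attacker can
    //    create an account with any bytes, but cannot set its owner to our id.
    if config.owner != PROGRAM_ID {
        return Err(Error::WrongOwner);
    }
    // 2. Account confusion: a Vault is also owned by us and also has a key at
    //    offset 1, so the ownership check alone would accept it as a Config.
    if config.data.first() != Some(&CONFIG_TAG) {
        return Err(Error::WrongAccountType);
    }
    // 3. Signer: the admin's key in the account list proves nothing unless the
    //    transaction was actually signed by it.
    if !admin.is_signer {
        return Err(Error::MissingSignature);
    }
    if key_at(&config.data, 1)? != admin.key {
        return Err(Error::Unauthorized);
    }
    Ok(()) // ... update the fee
}

/// Helpers that build accounts for the demo.
pub fn tagged(tag: u8, key: &Pubkey) -> Vec<u8> {
    let mut v = vec![tag];
    v.extend_from_slice(key);
    v
}
pub fn account(key: Pubkey, owner: Pubkey, is_signer: bool, data: Vec<u8>) -> AccountInfo {
    AccountInfo { key, owner, is_signer, data }
}

/// Runs three attacks against both versions; returns (vulnerable, hardened) per attack.
pub fn demo() -> Vec<(Result<(), Error>, Result<(), Error>)> {
    let admin_key: Pubkey = [1u8; 32];
    let attacker_key: Pubkey = [9u8; 32];
    let real_config = account([2u8; 32], PROGRAM_ID, false, tagged(CONFIG_TAG, &admin_key));
    let attacker = account(attacker_key, SYSTEM_PROGRAM_ID, true, vec![]);
    // Attack 1: a "config" the attacker created with their own program, naming themselves admin.
    let fake_config = account([3u8; 32], ATTACKER_PROGRAM_ID, false, tagged(CONFIG_TAG, &attacker_key));
    // Attack 2: the attacker's own vault (genuinely owned by our program) passed as the config.
    let vault = account([4u8; 32], PROGRAM_ID, false, tagged(VAULT_TAG, &attacker_key));
    // Attack 3: the real config with the real admin listed as an account but not signing.
    let admin_unsigned = account(admin_key, SYSTEM_PROGRAM_ID, false, vec![]);
    vec![
        (set_fee_vulnerable(&fake_config, &attacker), set_fee(&fake_config, &attacker)),
        (set_fee_vulnerable(&vault, &attacker), set_fee(&vault, &attacker)),
        (set_fee_vulnerable(&real_config, &admin_unsigned), set_fee(&real_config, &admin_unsigned)),
    ]
}

fn main() {
    for (i, (vuln, hard)) in demo().iter().enumerate() {
        println!("attack {}: vulnerable = {:?}, hardened = {:?}", i + 1, vuln, hard);
    }
}
```

All three attacks succeed against set_fee_vulnerable and each is stopped by a different one of the three checks in set_fee. Note the order: the owner check comes before any parsing of the data, because bytes in an account not owned by the program are attacker-controlled by definition.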

4. Overflows / Underflows 

One of the frequent oversights in Solana programs is integer overflow. Rust catches overflow / underflow in debug builds by panicking, which can lull developers into expecting the same behaviour in release builds. By default, however, a release build performs two's complement wrapping silently: a balance of 100 minus a withdrawal of 101 becomes u64::MAX instead of an error. It is therefore essential to size variables so that they can hold every possible value, to use checked_*, saturating_* or wider-type arithmetic for anything derived from user input, and, if the debug behaviour is wanted everywhere, to set overflow-checks = true in the release profile of Cargo.toml.
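The withdrawal and fee arithmetic below shows the wrapping behaviour next to two checked versions. This is an added example, not code from the article: the amounts are constructed, and wrapping_sub / wrapping_mul are used explicitly so that the "vulnerable" functions behave the same in debug and release builds (in a release build with default settings the plain `-` and `*` operators wrap in exactly the same way).

```rust
// Added example: wrapping vs checked arithmetic on a token balance and a fee.

#[derive(Debug, PartialEq)]
pub enum MathError {
    Overflow,
}

/// VULNERABLE: 100 - 101 does not fail, it becomes u64::MAX, so a user could
/// "withdraw" more than they hold and end up with an enormous balance.
pub fn withdraw_vulnerable(balance: u64, amount: u64) -> u64 {
    balance.wrapping_sub(amount)
}

/// HARDENED: checked_sub returns None on underflow, which becomes an error
/// that aborts the instruction.
pub fn withdraw(balance: u64, amount: u64) -> Result<u64, MathError> {
    balance.checked_sub(amount).ok_or(MathError::Overflow)
}

/// Fee in basis points (1 bps = 0.01%). VULNERABLE: the intermediate product
/// amount * rate_bps overflows u64 for large amounts and wraps, so a large
/// deposit is charged a tiny fee.
pub fn fee_vulnerable(amount: u64, rate_bps: u64) -> u64 {
    amount.wrapping_mul(rate_bps) / 10_000
}

/// HARDENED, option 1: checked_mul refuses amounts whose product does not fit.
pub fn fee_checked(amount: u64, rate_bps: u64) -> Result<u64, MathError> {
    amount
        .checked_mul(rate_bps)
        .map(|product| product / 10_000)
        .ok_or(MathError::Overflow)
}

/// HARDENED, option 2: widen to u128 so the product cannot overflow
/// (u64::MAX * u64::MAX < u128::MAX) and narrow only the final result.
pub fn fee_wide(amount: u64, rate_bps: u64) -> Result<u64, MathError> {
    let product = u128::from(amount) * u128::from(rate_bps);
    u64::try_from(product / 10_000).map_err(|_| MathError::Overflow)
}

fn main() {
    println!(
        "withdraw 101 from 100: wrapping = {}, checked = {:?}",
        withdraw_vulnerable(100, 101),
        withdraw(100, 101)
    );
    let big = 1u64 << 60;
    println!(
        "1% fee on 2^60: wrapping = {}, checked = {:?}, widened = {:?}",
        fee_vulnerable(big, 100),
        fee_checked(big, 100),
        fee_wide(big, 100)
    );
}
```

Option 1 rejects the transaction, option 2 computes the correct fee; which one is right depends on whether an amount that large is legitimate in the protocol. Either is acceptable, silently wrapping is not.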

5. Precision loss

This type of vulnerability happens quite often in Solana programs: integer division truncates, so dividing before multiplying, or dividing by a large total, silently drops value and often rounds it down to zero. Multiply before dividing, use a fixed-point representation with an explicit scale factor (typically in u128) wherever possible, and make sure that rounding always goes in the protocol's favour rather than the user's.
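The following pro-rata reward computation illustrates the three points: division before multiplication, the fixed-point "reward per share" accumulator, and rounding direction. It is an added example, not code from the article; the amounts are constructed and the 10^12 scale factor, while a common choice in staking programs, is an assumption here.

```rust
// Added example: precision loss in pro-rata reward accounting.

/// Scale factor for fixed-point accounting (12 decimal places), kept in u128.
pub const SCALE: u128 = 1_000_000_000_000;

/// VULNERABLE: dividing first truncates `rewards / total_stake` to an integer;
/// whenever rewards < total_stake it becomes 0 and every user gets nothing.
pub fn user_reward_naive(rewards: u64, user_stake: u64, total_stake: u64) -> u64 {
    (rewards / total_stake) * user_stake
}

/// Multiply before dividing, in u128 so the product cannot overflow.
pub fn user_reward(rewards: u64, user_stake: u64, total_stake: u64) -> Option<u64> {
    let share = u128::from(rewards) * u128::from(user_stake) / u128::from(total_stake);
    u64::try_from(share).ok()
}

/// Fixed-point accumulator: the pool tracks how much reward one unit of stake
/// has earned so far, scaled by SCALE, instead of recomputing per user.
#[derive(Default, Debug)]
pub struct Pool {
    pub acc_reward_per_share: u128,
}

impl Pool {
    /// Called when `rewards` tokens arrive. Truncation here loses at most
    /// total_stake / SCALE tokens, and they stay in the pool (rounding favours the protocol).
    pub fn add_rewards(&mut self, rewards: u64, total_stake: u64) {
        self.acc_reward_per_share += u128::from(rewards) * SCALE / u128::from(total_stake);
    }

    /// Snapshot recorded when a user stakes. Kept at full scale on purpose:
    /// dividing it down to whole tokens now would reintroduce up to one token
    /// of rounding error on every later claim.
    pub fn debt_for(&self, stake: u64) -> u128 {
        u128::from(stake) * self.acc_reward_per_share
    }

    /// Tokens a user with `stake` may claim since the snapshot `debt`.
    pub fn pending(&self, stake: u64, debt: u128) -> Option<u64> {
        let earned = u128::from(stake) * self.acc_reward_per_share;
        u64::try_from(earned.checked_sub(debt)? / SCALE).ok()
    }
}

/// Amounts the protocol is owed (fees, repayments) must round UP, otherwise the
/// user keeps the fractional part on every call: ceiling of a * b / c in u128.
pub fn mul_div_ceil(a: u64, b: u64, c: u64) -> Option<u64> {
    let num = u128::from(a) * u128::from(b);
    let q = (num + u128::from(c) - 1) / u128::from(c);
    u64::try_from(q).ok()
}

fn main() {
    let (rewards, user, total) = (1_000u64, 1_500u64, 3_000u64);
    println!("naive = {}", user_reward_naive(rewards, user, total));
    println!("multiply first = {:?}", user_reward(rewards, user, total));
    let mut pool = Pool::default();
    pool.add_rewards(rewards, total);
    println!("fixed-point = {:?}", pool.pending(user, 0));
    println!("fee owed on 1001 at 0.1% = {:?}", mul_div_ceil(1_001, 1, 1_000));
}
```

With 1000 reward tokens over a 3000 stake, the naive version pays 0 and the other two pay 500 and 499 respectively: the fixed-point accumulator still truncates, but the dust is bounded by stake / SCALE and never leaves the pool.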

6. Arbitrary Cross-Program Invocation (CPI)

Arbitrary cross-program invocation occurs when one program invokes another without checking that the program it is about to invoke is the one it intended (for example, the SPL Token program). The target program is itself just an account passed in by the caller, so its address must be verified before invoking it. Without such verification, an attacker can substitute their own program, which then executes in place of the legitimate one with the accounts and signatures the caller supplied.
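A toy runtime makes the substitution concrete. This is an added example, not code from the article or any project: a program table stands in for solana_program::program::invoke, the program ids are placeholders (the real SPL Token program id is a fixed, publicly known constant), and the "evil" program simply redirects the transfer to show what an attacker-chosen callee can do with the accounts it receives.

```rust
// Added example: an unchecked CPI target versus a pinned one, using a stand-in
// runtime. All program ids are placeholders.

use std::collections::HashMap;

pub type Pubkey = [u8; 32];

/// Placeholder for the id of the legitimate token program.
pub const TOKEN_PROGRAM_ID: Pubkey = [0xAA; 32];
/// Placeholder for a program the attacker deployed.
pub const EVIL_PROGRAM_ID: Pubkey = [0xEE; 32];

#[derive(Debug, PartialEq)]
pub enum CpiError {
    WrongProgram,
    UnknownProgram,
}

/// Effect reported by an invoked program: where `amount` tokens ended up.
#[derive(Debug, PartialEq, Clone)]
pub struct Transfer {
    pub to: Pubkey,
    pub amount: u64,
}

/// Entry point signature of the toy programs: (destination, amount) -> effect.
pub type Entrypoint = fn(Pubkey, u64) -> Transfer;

/// The runtime's table of deployed programs.
pub type ProgramTable = HashMap<Pubkey, Entrypoint>;

fn token_program(to: Pubkey, amount: u64) -> Transfer {
    Transfer { to, amount } // moves the tokens where the caller asked
}

fn evil_program(_to: Pubkey, amount: u64) -> Transfer {
    Transfer { to: EVIL_PROGRAM_ID, amount } // pockets them instead
}

pub fn runtime() -> ProgramTable {
    let mut table = ProgramTable::new();
    table.insert(TOKEN_PROGRAM_ID, token_program as Entrypoint);
    table.insert(EVIL_PROGRAM_ID, evil_program as Entrypoint);
    table
}

/// Stand-in for invoke(): dispatches to whatever program id it is given.
pub fn invoke(rt: &ProgramTable, program_id: &Pubkey, to: Pubkey, amount: u64)
    -> Result<Transfer, CpiError> {
    rt.get(program_id).map(|entry| entry(to, amount)).ok_or(CpiError::UnknownProgram)
}

/// VULNERABLE: `token_program` is just another account the caller supplied in
/// the instruction; nothing ties it to the real token program.
pub fn withdraw_vulnerable(rt: &ProgramTable, token_program: &Pubkey, user: Pubkey, amount: u64)
    -> Result<Transfer, CpiError> {
    invoke(rt, token_program, user, amount)
}

/// HARDENED: compare the account's key to the expected program id before the CPI.
/// (With the real SDK also check the account's `executable` flag; in Anchor,
/// typing the account as Program<'info, Token> performs this check for you.)
pub fn withdraw(rt: &ProgramTable, token_program: &Pubkey, user: Pubkey, amount: u64)
    -> Result<Transfer, CpiError> {
    if token_program != &TOKEN_PROGRAM_ID {
        return Err(CpiError::WrongProgram);
    }
    invoke(rt, token_program, user, amount)
}

fn main() {
    let rt = runtime();
    let user: Pubkey = [1; 32];
    println!("honest call:   {:?}", withdraw(&rt, &TOKEN_PROGRAM_ID, user, 50));
    println!("vulnerable:    {:?}", withdraw_vulnerable(&rt, &EVIL_PROGRAM_ID, user, 50));
    println!("hardened:      {:?}", withdraw(&rt, &EVIL_PROGRAM_ID, user, 50));
}
```

The attacker cannot change what the real token program does, but they do not need to: with the unchecked version they choose which program runs, and it runs with whatever accounts and signer privileges the caller forwarded to the CPI.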

In conclusion

Solana is a steadily developing blockchain with its own specifics that should be taken into account when developing projects on this network. Understanding these particular features allows teams to create projects that are not only popular in the crypto community but also safer for users' assets.
