Solana Security Resources

• OtterSec's guide to an auditor's introduction

• Solend Auditing Workshop

  • more general blockchain than solana-specific

• Zellic's list of Anchor vulnerabilities

• Soteria Series on Auditing

  • Intro
  • Scanning Tools
  • Penetration Testing
  • Anchor

• Soteria blog

• Soldev compilation of security resources

• Kudelski Solana Security Part 1

• Armani Tweets about security

  • https://twitter.com/armaniferrante/status/1411589639006154754?s=21
  • https://twitter.com/armaniferrante/status/1411589629384355840?s=21
    • Archive (in case of deadlink): https://threadreaderapp.com/thread/1411589629384355840.html

• Sealevel attacks by Armani

  • Common malpractices (broken into secure, insecure, recommended)
  • Tweet thread breakdown https://twitter.com/pencilflip/status/1483880018858201090

• Neodyme Solana Common Pitfalls

  • Give hints to the Workshop exercises

• Saber Library for basic security checks

  • has asserts and other testing primitives. Some things are deprecated because automatically part of Anchor

• Sencha account validators

  • Some account validation examples, uses vipers.

• Assert Balances

  • Assertion instruction included on client-side/wallets, allows safe failure if unexpected result

• Soteria Series on Internals

  • Part 1: On chain programs
  • Part 2: Deploying and upgrading under the hood
  • Part 3: How the Transaction Processing Unit works
  • Part 4: Bank Internals

Hands On (CTF Challenges)

• Neodyme Breakpoint Workshop
  • CTF style
• Neodyme Breakpoint Workshop Video
  • Goes over exercise 0 of Neodyme Breakpoint Workshop
• TJCTF 2022 Moar-Horse-5
  • CTF Solana challenge
• PicoCTF 2022 Solfire
  • CTF Solana challenge

Hacks/Bug bounty reports

• spl-token lending protocol exploit (neodyme)
• spl-token-swap rounding exploit (osec)
  • Osec tweet
• Jet hack
• Cope Pierre Hack
• Wallet simulation rug pull
  • Tweet about it
• Why Magic Eden is garbage Tweet
  • transferring token authority from user to magic eden
  • https://github.com/solana-labs/solana-program-library/issues/2640
• Wormhole Hack
  • call complete_wrapped (instruction 03)
  • post_VAA (instruction 02) called on main bridge
  • solana_program::sysvar::instructions not verified in this vesion of solana_program
  • https://twitter.com/wireless_anon/status/1489075372662476800?s=20&t=XHV8n8c4DJOBzcKwzAqunw
  • unmerged PR to fix issue: https://github.com/certusone/wormhole/commit/7edbbd3677ee6ca681be8722a607bc576a3912c8#diff-0d27d8889edd071b86d3f3299276882d97613ad6ab3b0b6412ae4ebf3ccd6370L92-R101
• Soteria Bug report on solana stake pool
• Potential Solana attack vector on ERC-20 approve (Actually happened to Solfire victims)
• exchgART hack
  • Archive thread
  • drained funds in offer accounts. But refunded.
• Jet 20m bug report
  • Tweet breakdown
• Serum v4 bug
• Serum Zero day
• Cashio hack (Soteria)
• Cheating Oracles on Solana
• Solana Core seed collision (Neodyme)
• Zellic Postmortem of Drift
• Integer overflow in rBPF

Contributing

• Please make any PR's or tweet @kevinchow23 for more additional resources/hack reports
• Internet archive posts + tweets