Smart Contracts Audit Services for Solana Blockchain
Solana is still relatively new: its beta mainnet launched in March 2020. It is undeniable, however, that it has gained the attention of both developers and users in a short time.
The growth of Solana is directly connected with the efficiency and functionality of the solutions it offers for achieving scalability, security, and decentralization. The fact that it is a novel platform increases the need for thorough auditing and security testing.
In this article, let’s see what Solana Audit is and how it is conducted.
Solana Ecosystem and Architecture
Solana has an entirely different ecosystem compared to other blockchain platforms. Its speed comes from Proof of History (PoH), the key innovation of the Solana team. Because PoH is built on a recursive verifiable delay function, transactions can be ordered and validated without all nodes having to agree on the time at the same moment.
The ecosystem of Solana has seen the emergence of many projects, including Metaplex and Solstarter. Metaplex allows independent content creators to self-host their NFT storefront, while Solstarter is known as Solana’s first IDO platform.
Many projects and significant amounts of investment have moved over to the Solana network during the last year.
Solana Smart Contract Auditing: The Process and Guidelines
The architecture and characteristics of the Solana blockchain are utterly different from other platforms, and so is the process of a smart contract audit. Solana smart contract auditing entails different methods and techniques compared to the audit process for Ethereum.
The two most significant differences are as follows:
- First, Ethereum contracts are written in the Solidity programming language, while Solana programs are written in Rust.
- Second, Solana decouples code (programs) from data (accounts).
Now, let’s see the systematic approach and several Solana smart contract auditing techniques.
Possible Activity Areas of Attackers
For a successful and effective audit, the auditing team should think from the attacker’s perspective and predict the attacker’s potential steps. Here are some of the goals an attacker may pursue:
- Stealing funds from a smart contract: SOL, SPL tokens, or any other asset.
- Freezing the contract: disabling deposits, locking user funds, etc.
- Changing the critical state of the contract: the multisig owner, the validator list, or the account owner.
- Replacing the smart contract’s code with a malicious version.
- Buying more tokens than is allowed.
- Using the smart contract to send funds to the wrong accounts.
In reality this list is broader and extends to attacks exploiting any logic or economic bug in a smart contract.
What’s Included in the Audit Process?
Smart contract auditing is conducted through several stages.
- Initial Review and Information Gathering: At this stage, the security team gathers all the necessary information and project data for the initial assessment and audit planning.
- Testing and Manual Analysis: During this phase, auditors perform manual analysis of the code and run different tests to identify potential issues and vulnerabilities in the project’s smart contracts.
- Exploitation and Remediation: Once issues are detected, the team confirms them through exploitation. Afterward, it delivers a complete assessment and suggests fixes for the identified problems to keep your code secure.
- Final Report: The security team delivers a detailed audit report that includes the project assessment, test results, identified bugs and errors, and a plan for further activity after the audit is complete.
Common Vulnerabilities in Solana Smart Contract
Although new smart contract issues, vulnerabilities, and security risks appear daily, several widespread vulnerabilities are common to all smart contracts. Let’s explore some of them together.
- Missing ownership checks: The program does not verify the AccountInfo::owner field of an account that is not user-controlled, so it may trust data written by a different program.
- Missing signer checks: When an instruction should be available only to a specific set of entities, the program does not verify that the proper signer has signed the action.
- Missing rent-exemption checks: Generally, all accounts on Solana should hold enough SOL to be rent exempt; if they do not, loading the account can fail.
- Solana account confusion: The program does not ensure that the account data corresponds to the required account type.
- Arithmetic underflows or overflows: A value goes above or below the representable range during an arithmetic operation.
- Incorrect calculations: These often result from copy/paste mistakes.
- Insufficient SPL token validation.
- Loan overpayment or underpayment.
- Cast truncation.
- Growing complexity in calculations.
We can’t cover the full list of smart contract vulnerabilities in one article. However, you can treat the issues mentioned above as a heads-up for an initial review and security audit.
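As an added example (not code from the original article or from any real Solana program), the ownership, signer, rent-exemption, account-type and overflow checks listed above, written against a simplified stand-in for Solana’s AccountInfo so that it runs without the solana_program crate; the struct, program id, type tag and rent minimum are constructed assumptions.

```rust
// Simplified stand-in for solana_program::account_info::AccountInfo (constructed for this example).
#[derive(Debug, Clone)]
struct AccountInfo {
    owner: [u8; 32],  // program that owns the account data
    is_signer: bool,  // did this account sign the transaction?
    lamports: u64,    // balance in lamports
    data: Vec<u8>,    // raw account data; byte 0 is used as a type tag here
}
#[derive(Debug, PartialEq)]
enum AuditError { WrongOwner, MissingSigner, NotRentExempt, WrongAccountType, Overflow }
const PROGRAM_ID: [u8; 32] = [7u8; 32];   // constructed program id
const VAULT_TAG: u8 = 1;                  // constructed discriminator for a vault account
const RENT_EXEMPT_MIN: u64 = 890_880;     // placeholder; on-chain this comes from the Rent sysvar

/// Missing-ownership check: account data is only trustworthy if this program owns the account.
fn check_owner(acc: &AccountInfo) -> Result<(), AuditError> {
    if acc.owner != PROGRAM_ID { return Err(AuditError::WrongOwner); }
    Ok(())
}
/// Missing-signer check: privileged instructions must carry the authority's signature.
fn check_signer(acc: &AccountInfo) -> Result<(), AuditError> {
    if !acc.is_signer { return Err(AuditError::MissingSigner); }
    Ok(())
}
/// Rent-exemption check: the account must hold enough lamports to stay rent exempt.
fn check_rent_exempt(acc: &AccountInfo) -> Result<(), AuditError> {
    if acc.lamports < RENT_EXEMPT_MIN { return Err(AuditError::NotRentExempt); }
    Ok(())
}
/// Account-confusion check: the type tag must match the account type the instruction expects.
fn check_type(acc: &AccountInfo, tag: u8) -> Result<(), AuditError> {
    match acc.data.first() {
        Some(&t) if t == tag => Ok(()),
        _ => Err(AuditError::WrongAccountType),
    }
}
/// Deposit handler: runs every check, then uses checked_add so an overflow is an error, not a wrap.
fn deposit(vault: &mut AccountInfo, authority: &AccountInfo, amount: u64) -> Result<u64, AuditError> {
    check_owner(vault)?;
    check_type(vault, VAULT_TAG)?;
    check_rent_exempt(vault)?;
    check_signer(authority)?;
    let new_balance = vault.lamports.checked_add(amount).ok_or(AuditError::Overflow)?;
    vault.lamports = new_balance;
    Ok(new_balance)
}
```

An auditor reading a real handler looks for exactly these lines; each one that is absent corresponds to one of the bullet points above.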
General Issues in Rust and Solana Programs
While conducting a Solana audit, it’s important to remember that the Rust programming language and the Solana blockchain have several primary issues you need to consider. We review some of them below:
- Reentrancy: Solana restricts cross-program invocation depth and permits only direct self-recursion; this prevents some of the reentrancy attacks common on Ethereum.
- Unsafe Rust code: Rust’s type system does not check memory safety inside unsafe code. As a result, if a contract contains unsafe Rust code, it can lead to memory corruption, including uninitialized memory, use-after-free, or buffer overflows.
- Out-of-date dependencies: Although Cargo and Rust make dependency management easier, dependencies can still be outdated or contain known security vulnerabilities. You can use cargo-outdated to check for outdated dependencies.
- Skipping security best practices: Some projects fail to use multisig, fail to guard against user mistakes, or fail to use assertions.
High-level Logic and Economic Errors
Besides general issues and problems, it’s also necessary to check for semantic errors in contracts during the audit. Common checks in this area are:
- Ruling out economic attacks.
- Ruling out denial-of-service attacks.
- Ensuring that the contract logic correctly implements the project’s specification.
- Checking for instructions that allow front-running attacks.
- Inspecting for unsafe design that can lead to general vulnerabilities.
- Checking for hidden backdoor or rug-pull mechanisms.
What are the prices and duration of the Solana Audit?
The duration and cost mainly depend on the size of the project, the number of applications and smart contracts, the complexity of the code, the requirements, and the tools used. You can request a price quote from the audit company for a comprehensive estimate.
What’s included in the final report?
A list of the errors, issues, and vulnerabilities detected in the project’s contract code, along with recommendations and remediation solutions.
Do I need to keep the final report private or public?
Most companies will initially give you a private report. However, to demonstrate security and gain your partners’ trust, it’s recommended to make it public.
Because Solana is a novel platform in the blockchain industry, its exposure and growth have been rapid. More and more projects and digital art owners move to the Solana platform daily, and this is only the beginning. With its low transaction fees and distinctive architecture, Solana will surely expand rapidly in the future. Therefore, the importance of security audits and audit firms will only grow.
It is already well established that more use leads to more security problems, which in turn drives demand for up-to-date security testing and audit techniques.