Announcing sec3 X-Ray Premium
Auto Scanner for Solana Smart Contracts
February 28, 2022

We are glad to announce the first release of sec3 X-Ray Premium: an auto-auditing service offered by the sec3 (formerly Soteria) team that scans Solana smart contracts for a large list of security vulnerabilities.

sec3 X-Ray Premium has a number of features:

  • It detects 50+ types of common security vulnerabilities in Solana programs written in Rust, including all the common pitfalls documented by Neodyme and all the insecure Anchor usages in sealevel-attacks. See the full list in the section “Solana Vulnerabilities and Exposures (SVE)”. The list is expanding.
  • It is fast: it typically generates a report in less than five minutes, even for large projects such as Metaplex.
  • It works for both Anchor and non-Anchor based projects.
  • It provides a web UI to navigate the reported vulnerabilities.
  • It is available 24x7.

A dashboard of Sec3 Premium is shown below:

Solana Vulnerabilities and Exposures (SVE)

The auto-auditor currently detects the following list of Solana-specific SVEs (accumulated by the Sec3 team):

SVE      Checker                  Description
-------  -----------------------  -----------
SVE1001  MissingSignerCheck       The account is missing a signer check
SVE1002  MissingOwnerCheck        The account is missing an owner check
SVE1003  IntegerAddOverflow       The add operation may overflow
SVE1004  IntegerUnderflow         The sub operation may underflow
SVE1005  IntegerMulOverflow       The mul operation may overflow
SVE1006  IntegerDivOverflow       The div operation may overflow
SVE1007  UnverifiedParsedAccount  The account is not validated before its data is parsed
SVE1008  DuplicateMutableAccount  These two mutable accounts may be the same account
SVE1009  InsecureAccountClosing   The account is not securely closed
SVE1010  TypeFullCosplay          These two account data types are fully compatible and can be used for type confusion attacks
SVE1011  TypePartialCosplay       These two account data types are partially compatible and may be exploited by type confusion attacks
SVE1012  DivideByZero             The arithmetic operation may divide by zero
SVE1013  AccountReInitialization  The account is vulnerable to re-initialization
SVE1014  BumpSeedNotValidated     The account's bump seed is not validated and may be vulnerable to seed canonicalization attacks
SVE1015  InsecurePDASharing       Sharing a PDA with these seeds may be insecure
SVE1016  ArbitraryCPI             The spl_token account may be arbitrary
SVE1017  MaliciousSimulation      The program may contain a malicious simulation
SVE1018  UnsafeSysVarAPI          The sysvar instructions API is unsafe and deprecated (Wormhole exploit)
SVE1019  UnvalidatedAccount       The account is not properly validated and may be untrustworthy
SVE1020  OutdatedDependency       The program has outdated and vulnerable dependencies
SVE1021  UnsafeRust               The program contains unsafe Rust code
SVE1022  OverPayment              The code lacks a check that prevents overpayment
SVE1023  StalePriceFeed           The code may use a stale price feed (Solend loss)
SVE1024  MissInitTokenMint        The init instruction does not mint pool tokens
SVE1025  MissRentExempt           The account lacks a rent-exemption check
SVE1026  MissFreezeAuthority      The account lacks a freeze-authority check
SVE1027  FlashLoanRisk            The instruction may be vulnerable to flash loan attacks
SVE1028  InconsistentRounding     The arithmetic here uses inconsistent rounding
SVE1029  CastTruncation           The cast operation here may lose precision through truncation
SVE2001  IncorrectLogic           Loop break used instead of continue (jet-v1 exploit)
SVE2002  IncorrectCalculation     Liquidation condition should be > instead of >=
SVE2003  ExponentialCalculation   The calculation has exponential complexity
SVE3001  BestSecurityPractice     The code does not follow security best practices
SVE3002  RedundantCode            The code is redundant or unused
SVE3003  InconsistentAnchor       The program uses Anchor inconsistently across instructions
SVE3004  InconsistentConfig       The configuration and initialization data are inconsistent

The list of SVEs above will be expanded continuously as the Sec3 team audits more Solana projects.
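To make concrete what a few of these checkers look for, here is an added example (written for this page, not sec3's code and not X-Ray's own rules) showing a vulnerable withdraw handler beside a hardened one for SVE1001 (MissingSignerCheck), SVE1002 (MissingOwnerCheck), SVE1003/SVE1004 (integer overflow and underflow), SVE1019 (UnvalidatedAccount) and SVE1029 (CastTruncation). It deliberately avoids the solana_program crate so it compiles stand-alone; the `Pubkey`, `AccountInfo` and `ProgramError` types below are simplified stand-ins whose field and variant names are assumed approximations of the runtime's, not the real types.

```rust
// Added example, not sec3's code: a minimal model of several SVE classes from
// the table above. `Pubkey`, `AccountInfo` and `ProgramError` are simplified
// stand-ins (assumed shapes), not the solana_program types.

#[derive(Clone, Copy, PartialEq, Eq, Debug)]
pub struct Pubkey(pub [u8; 32]);

#[derive(Clone, Debug)]
pub struct AccountInfo {
    pub key: Pubkey,
    pub owner: Pubkey,   // program that owns this account's data
    pub is_signer: bool, // whether this account signed the transaction
    pub lamports: u64,
}

#[derive(Debug, PartialEq, Eq)]
pub enum ProgramError {
    MissingRequiredSignature,
    IncorrectProgramId,
    InvalidArgument,
    InsufficientFunds,
    ArithmeticOverflow,
}

/// Vulnerable form: `_authority` is never checked, so any caller can pass any
/// account there (SVE1001/SVE1019); `vault` is never checked for ownership, so
/// the program may act on data it never wrote (SVE1002); and the subtraction
/// wraps, which is what plain `-` does in a release build (SVE1004), so a large
/// `amount` "withdraws" into an enormous balance instead of failing.
pub fn withdraw_vulnerable(
    vault: &mut AccountInfo,
    _authority: &AccountInfo,
    amount: u64,
) -> Result<u64, ProgramError> {
    vault.lamports = vault.lamports.wrapping_sub(amount);
    Ok(vault.lamports)
}

/// Hardened form: every trust assumption the vulnerable version makes is
/// turned into an explicit check that fails closed.
pub fn withdraw_checked(
    program_id: &Pubkey,
    vault: &mut AccountInfo,
    authority: &AccountInfo,
    expected_authority: &Pubkey,
    amount: u64,
) -> Result<u64, ProgramError> {
    // SVE1001: the authority must actually have signed this transaction.
    if !authority.is_signer {
        return Err(ProgramError::MissingRequiredSignature);
    }
    // SVE1019: the signer must be the authority this vault was configured with.
    if authority.key != *expected_authority {
        return Err(ProgramError::InvalidArgument);
    }
    // SVE1002: only accounts owned by this program hold data this program wrote.
    if vault.owner != *program_id {
        return Err(ProgramError::IncorrectProgramId);
    }
    // SVE1004: checked_sub refuses to underflow instead of wrapping.
    let remaining = vault
        .lamports
        .checked_sub(amount)
        .ok_or(ProgramError::InsufficientFunds)?;
    vault.lamports = remaining;
    Ok(remaining)
}

/// SVE1003: credit a balance without silently wrapping on overflow.
pub fn credit_checked(balance: u64, amount: u64) -> Result<u64, ProgramError> {
    balance.checked_add(amount).ok_or(ProgramError::ArithmeticOverflow)
}

/// SVE1029: narrow a u128 intermediate (e.g. a price * quantity product) to
/// u64 only if it fits, instead of `as u64`, which silently drops the high bits.
pub fn to_u64_checked(value: u128) -> Result<u64, ProgramError> {
    u64::try_from(value).map_err(|_| ProgramError::ArithmeticOverflow)
}

fn main() {
    // Constructed inputs: an unsigned, unrelated account is offered as the
    // "authority" and asks to pull 150 lamports from a 100-lamport vault.
    let program = Pubkey([1; 32]);
    let stranger = AccountInfo { key: Pubkey([9; 32]), owner: Pubkey([2; 32]), is_signer: false, lamports: 0 };
    let mut vault = AccountInfo { key: Pubkey([4; 32]), owner: program, is_signer: false, lamports: 100 };
    println!("vulnerable: {:?}", withdraw_vulnerable(&mut vault.clone(), &stranger, 150));
    println!("hardened:   {:?}", withdraw_checked(&program, &mut vault, &stranger, &Pubkey([3; 32]), 150));
}
```

In a real program the `is_signer` and `owner` fields come from the runtime's `AccountInfo`, and Anchor's `Signer<'info>` and `Account<'info, T>` wrappers perform the first two checks for you; the arithmetic still has to be made explicit, either with the `checked_*` methods as above or by enabling `overflow-checks = true` in the release profile so that plain operators panic rather than wrap.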

How To Use Sec3 Premium

Sec3 Premium is currently open to a short list of pilot (paid) customers.

Each pilot customer will receive an invitation link. The link contains a unique ID for accessing the Sec3 Premium service:

Following are the steps to use the service:

1. Click “Create a new task”:

2. Enter a “Task Name” and provide the “Source Code” (either as a GitHub URL if the project is open source, or by uploading a compressed folder):

3. Click “Create Task” and then “Confirm Payment and Run Task”:

4. Wait for the task to complete and then click “View Full Report”:

The analysis time for a typical project is less than two minutes.

5. Finally, browse the reported vulnerabilities:

Annotations to ignore warnings

Note: Most of the SVEs are semantic or logic issues, so the reported vulnerabilities are only potential warnings and are not necessarily attacker-exploitable.

To ignore certain warnings, add the annotation //#[x-ray(ignore)].

Any statement annotated with it will be ignored. For example:

//#[soteria(ignore)]
let system_program_info = next_account_info(account_info_iter)?;

For Anchor:

#[derive(Accounts)]
pub struct Withdraw<'info> {
    //#[soteria(ignore)]
    pub authority: AccountInfo<'info>,
}

Relationship with full sec3 audit

We expect that sec3 Premium will be used in the development phase to continuously audit Solana programs upon any code change at any time. It will significantly reduce the time and cost of a final manual audit.

Note that the auto-auditor service is not the same as the full manual audit offered by the sec3 team. sec3’s full audit relies on human experts to perform exhaustive manual reviews (assisted by in-house X-Ray tools).

The full audit is expected to discover vulnerabilities that are not covered by the auto-auditor.


sec3 Audit

Sec3 was founded by leading minds in the fields of blockchain security and software verification.

We are pleased to provide full audit services to high-impact Dapps on Solana. Please visit sec3.dev or email contact@sec3.dev.