Announcing sec3 X-Ray Premium
Auto Scanner for Solana Smart Contracts
February 28, 2022

We are glad to announce the first release of sec3 X-Ray Premium: an auto-auditing service offered by sec3 (formerly Soteria) team to scan a large list of security vulnerabilities in Solana smart contracts.

sec3 X-Ray Premium has a number of features:

  • It detects 50+ types of common security vulnerabilities in Solana programs written in Rust, including all the common pitfalls by Neodyme and all the insecure Anchor usages in sealevel-attacks. See a full list in the section “Solana Vulnerabilities and Exposures (SVE)”. The list is expanding.
  • It is fast: typically generates a report in less than five minutes even for large projects such as Metaplex.
  • It works for both Anchor and non-Anchor based projects
  • It provides a web UI to navigate the reported vulnerabilities
  • It is available 7x24

A dashboard of Sec3 Premium is shown below:

Solana Vulnerabilities and Exposures (SVE)

The auto-auditor currently detects the following list of Solana-specific SVEs (accumulated by Sec3 team):

SVE Checker Description Explanation
SVE1001 MissingSignerCheck The account is missing signer check Example
SVE1002 MissingOwnerCheck The account is missing owner check Example
SVE1003 IntegerAddOverflow The add operation may result in overflows Example
SVE1004 IntegerUnderflow The sub operation may result in underflows Example
SVE1005 IntegerMulOverflow The mul operation may result in overflows Example
SVE1006 IntegerDivOverflow The div operation may result in overflows Example
SVE1007 UnverifiedParsedAccount The account is not validated before parsing its data Example
SVE1008 DuplicateMutableAccount These two accounts are both mutable and may be the same account Example
SVE1009 InsecureAccountClosing The account is not securely closed Example
SVE1010 TypeFullCosplay These two account data types are fully compatible and can be used to launch type confusion attacks Example
SVE1011 TypePartialCosplay These two account data types are partially compatible and may be exploited by type confusion attacks Example
SVE1012 DivideByZero The arithmetic operation may result in a div-by-zero error Example
SVE1013 AccountReInitialization The account is vulnerable to program re-initialization Example
SVE1014 BumpSeedNotValidated The account's bump seed is not validated and may be vulnerable to seed canonicalization attacks, Example
SVE1015 InsecurePDASharing The PDA sharing with these seeds may be insecure Example
SVE1016 ArbitraryCPI The spl_token account may be arbitrary Example
SVE1017 MaliciousSimulation The program may contain malicious simulation Example
SVE1018 UnsafeSysVarAPI The sysvar instructions API is unsafe and deprecated (wormhole exploit) Example
SVE1019 UnvalidatedAccount The account is not properly validated and may be untrustful Example
SVE1020 OutdatedDependency The program has outdated and vulnerable dependencies Example
SVE1021 UnsafeRust The program contains unsafe Rust code Example
SVE1022 OverPayment The code misses checking to prevent over payment Example
SVE1023 StalePriceFeed The code may use a stale price feed (solend loss) Example
SVE1024 MissInitTokenMint The init instruction misses minting pool tokens Example
SVE1025 MissRentExempt The account misses rent exempt check Example
SVE1026 MissFreezeAuthority The account misses checking for freeze authority Example
SVE1027 FlashLoanRisk The instruction may suffer from flash loan attacks Example
SVE1028 InconsistentRounding The arithmetics here have inconsistent rounding Example
SVE1029 CastTruncation The cast operation here may lose precision due to truncation Example
SVE2001 IncorrectLogic Loop break instead of continue (jet-v1 exploit) Example
SVE2002 IncorrectCalculation Liquidation condition should be > instead of >= Example
SVE2003 ExponentialCalculation The calculation has exponential complexity Example
SVE3001 BestSecurityPractice The code does not follow best security practices Example
SVE3002 RedundantCode The code is redundant or unused Example
SVE3003 InconsistentAnchor The program uses Anchor inconsistently across different instructions Example
SVE3004 InconsistentConfig The configuration and initialization data are inconsistent Example

The list of SVEs above will be expanded continuously as Sec3 team audits more Solana projects.

How To Use Sec3 Premium

Sec3 Premium is currently open to a short list of Pilot (paid) customers.

Each pilot customer will receive an invitation link. The link provides a unique ID to access Sec3 Premium service:

Following are the steps to use the service:

1. Click “Create a new task”:

2. Enter a “Task Name” and provide the “Source Code” (either by a Github url if it is open source, or upload a compressed folder):

3. Click “Create Task” and then “Confirm Payment and Run Task”:

4. Wait for task to complete and then “View Full Report”:

The analysis time for a typical project is less than two minutes

5. Finally, browse the reported vulnerabilities:

Annotations to ignore warnings

Note: Most of the SVEs are semantic or logic issues, thus the reported vulnerabilities are only potential warnings but are not necessarily attacker-exploitable.

To ignore certain warnings: add annotation //#[x-ray(ignore)]

Any statement annotated with it will be ignored. For example:

let system_program_info = next_account_info(account_info_iter)?;

For Anchor:

pub struct Withdraw<'info> {
pub authority: AccountInfo<'info>,

Relationship with full sec3 audit

We expect that sec3 Premium will be used in the development phase to continuously audit Solana programs upon any code change at any time. It will significantly reduce the time and cost of a final manual audit.

Note that the auto-auditor service is not the same as a full manual audit offered by sec3 team. sec3’s full audit relies on human experts to perform exhaustive manual reviews (assisted by in-house X-Ray tools).

The full audit is expected to discover vulnerabilities that are not covered by the auto-auditor.

sec3 Audit

Sec3 is founded by leading minds in the fields of blockchain security and software verification.

We are pleased to provide full audit services to high-impact Dapps on Solana. Please visit or email