Following Part 1: a systematic approach, this article introduces a few automated scanning tools to help audit Solana smart contracts.
X-Ray is an auto-scanner developed by the sec3 team dedicated for finding all the common vulnerabilities in Solana smart contracts.
We next use two examples to showcase X-Ray.
In this pull request, solido applied a fix to a missing check on the reserve_account(line 151 below):
This missing checking is a critical security vulnerability. It allows an attacker to mint and receive unlimited token by supplying an attacker-controlled reserve_account.
To reproduce this vulnerability, we checked out the newest version of solido from github:
and commented out the line containing the check (in file solido/program/src/processor.rs):
By running x-ray -analyzeAll ., X-Ray only takes a few seconds to detect this vulnerability and will also report the following in the terminal:
In this commit, jet-v1 applied a fix to an Integer overflow in the borrow function (line 119 below):
The possible consequences of this overflow are:
To reproduce this vulnerability, we checked out the newest version of jet-v1 from github:
and changed the check_add fix (line 122 in file programs/jet/src/instructions/borrow.rs):
Again, by running x-ray -analyzeAll ., x-ray detects this vulnerability in a few seconds and reports the following in the terminal:
cargo-audit is a tool to audit `Cargo.lock` files for crates with security vulnerabilities reported to the RustSec Advisory Database.
To install, execute `cargo install cargo-audit`
To run, execute cargo audit at the top level of any Cargo project (where Cargo.lock exists).
The following shows the result of cargo audit on solido. It loaded 371 security advisories and scanned 143 crate dependencies, but did not find vulnerabilities.
cargo-clippy is a linter to catch common mistakes in Rust code. It has a collection of over 450 lint rules.
To install, execute rustup update and rustup component add clippy
To run, execute cargo clippy under the smart contract’s directory (where Xargo.toml exists).
cargo clippy reports a large number of warnings on jet-v1. The following shows a few of them:
cargo-geiger is a tool that detects the usage of unsafe Rust code. It lists statistics in a Rust crate and all its dependencies.
To install, execute cargo install cargo-geiger
To run, execute cargo geiger under the smart contract’s directory.
The following is a screenshot of the statistics on jet-v1 reported by cargo geiger:
cargo-spellcheck is a tool that checks for spelling and grammar mistakes in Rust code and documentation. It may not appear useful to find security-related issues, but can be helpful to pinpoint typos in many cases.
To install, execute cargo install --locked cargo-spellcheck
To run, execute cargo spellcheck under the smart contract’s directory.
The following shows a few warnings reported by cargo spellcheck on jet-v1:
sec3 is founded by leading minds in the fields of blockchain security and software verification.
In the next few articles, we will continue to introduce auditing skills for Solana smart contracts, including automated testing tools and Anchor.
How to audit Solana smart contracts series?
For all blogs by sec3, Please visit https://sec3.dev/blog