A Review of Recent Hacks on Solana
What Is in Common and How to Prevent Them?
September 6, 2022

Since a year ago, the Solana ecosystem has seen super rapid growth while witnessing multiple hacks (involving Wormhole, CashioApp, CremaFinance, Nirvana, and Slope Wallet), which collectively caused close to $400 million losses.

Importantly, most of these hacks (except Slope Wallet) were due to smart contract vulnerabilities, i.e., coding flaws in on-chain protocols:

In this article, we review the essence of these hacks and aim to find effective solutions to prevent such attacks in the future.

What Is in Common Among These Hacks?

1. Almost all hacks (except Slope Wallet) crafted one or more fake accounts

2. All hacks involved multiple transactions

3. All hacks spanned at least a few minutes (hours or even days)

4. The biggest losses were due to missing account validations

The first three hacks (Wormhole, CashioApp and CremaFinance) were rooted in missing proper account validations.

By coincidence or not, these attacks also caused the largest financial losses.

5. Flash loan was involved in two hacks

Both CremaFinance and Nirvana hacks involved direct flash loan transactions and were both through Solend.

In CremaFinance, the flash loan was used to bootstrap the deposit liquidity.

In Nirvana, its internal price oracle was manipulated by the flash loan.

How to Prevent Similar Hacks in the Future?

Based on the characteristics of these attacks summarized above, we recommend the following security practices:

1. Pre-deployment: validate all input accounts to smart contracts

In writing a Solana smart contract, always keep in mind that all inputs can be faked by attackers, including all the accounts and external programs (i.e., user wallet accounts, PDA accounts, and other smart contracts).

Solana’s programming model decouples code and data, so all accounts used in the program must be passed as data inputs.

In almost all cases, you should validate:

  • Account ownership
  • Account signers
  • Relationships (or logical constraints) between accounts

Depending on the protocol logic, you should also check:

  • If any internal price oracle can be manipulated by flash loans (with a large amount of transfer) and add constraints to prevent discrepancies
  • If any abnormal state (e.g., fees or awards) could be computed and add constraints to prevent discrepancies

2. Post-deployment: use proactively real-time threat monitoring

As all these hacks involve multiple transactions spanning at least minutes or hours of time, it is possible to proactively detect suspicious transactions early and throttle the attacks in the middle.

This is a unique property of Solana, which allows on-chain threat monitoring techniques to help effectively prevent and stop security attacks as a defense solution (rather than merely a passive observer of irrecoverable attacks):

In principle, a threat monitoring solution may help:

  • Monitor large transfers of SOL or SPL tokens
  • Monitor flash loan transactions targeting your smart contract
  • Monitor potential rug pulls via upgrading a dependent program
  • Monitor abnormal states (e.g., calculated fees)
  • Monitor round-trip-trade transactions (e.g., deposit-claim-withdraw in a single tx)
  • Monitor repeated transactions from the same signer
  • … Any customized monitoring for protocol-specific properties

If any of the monitored transactions led to a fake account or an abnormal state used in a subsequent hack, detecting them early could help stop the hack.

3. sec3 Pro: end-to-end pre- and post-deployment security

sec3 Pro (https://pro.sec3.dev) offers a one-stop, end-to-end solution to secure Solana projects.

Pre-deployment: sec3 X-ray auto auditor can check 50+ types of Solana smart contract vulnerabilities 7x24, powered by an inference engine that can infer account relationships and pinpoint any missing account validations. It also includes sophisticated checkers for flash loan vulnerabilities and abnormal states.

Post-deployment: sec3 WatchTower features an in-situ security monitoring service for Solana smart contracts. It detects suspicious transactions, and prevents and stops security attacks in real-time. More details can be found in Announcing sec3 WatchTower: Smart Monitor for Smart Contracts.

About sec3 (Formerly Soteria)

sec3 is a security research firm that prepares Solana projects for millions of users. sec3’s Launch Audit is a rigorous, researcher-led code examination that investigates and certifies mainnet-grade smart contracts; sec3’s continuous auditing software platform, X-ray, integrates with GitHub to progressively scan pull requests, helping projects fortify code before deployment; and sec3’s post-deployment security solution, WatchTower, ensures funds stay safe. sec3 is building technology-based scalable solutions for Web3 projects to ensure protocols stay safe as they scale.

To learn more about sec3, please visit https://www.sec3.dev