is a fast-growing blockchain with Solanaa unique type of smart contracts — called Solana programs. This article introduces X-Ray, a security tool that automatically scans Solana programs to detect common security pitfalls.
Neodyme recently collected a list of common pitfalls in Solana smart contracts, falling into five categories:
As an example, the code below illustrates a common pitfall of missing signer check.
The function update_admin updates the admin of a staking_info account. It attempts to ensure that the function is only callable by the current admin of staking_info by comparing staking.admin to admin_info account’s public key. It must check that admin_info has actually signed this operation. This can be done by adding the check if !admin_info.is_signer. Otherwise if the check is missed, an attacker can update the admin to any account.
The reason is that, in Solana, users can supply arbitrary accounts when invoking a smart contract, so there’s nothing stopping a malicious user from just supplying a fakeadmin_info with admin_info.key.to_bytes()as staking.admin and their own account as the new admin.
Powered by the GreenCore technology, sec3 X-Ray can automatically detect security vulnerabilities in Solana programs by checking all code paths against these common pitfalls. The basic idea is to look at the data flow of each user account supplied to the program and flag it as untrustful if its validity is not properly checked in the program’s execution context. Figure 1 shows a screenshot of the missing signer check detected by X-Ray in the update_admin code. Figure 2 shows a screenshot of an arithmetic overflow/underflow detected by X-Ray in the Jet protocol.
Under Solana program’s directory (where Xargo.toml exists), invoke X-Ray . or X-Ray -analyzeAll .
The dot . is a shortcut for the following cargo build command:
Depending on the code complexity, X-Ray currently adds only a second or so to the build time. At the end of the screen, it also shows a summary of the findings and generates a report that can be inspected in the browser.
Option 1 (Linux terminal)
Option 2 (Docker)
Please email firstname.lastname@example.org
For all blogs by sec3, Please visit https://www.sec3.dev/blog