April 11, 2022
Solana Programs Part 2: Understanding SPL Associated Token Account
Following Part 1: understanding SPL Token Mint, this article introduces the technical details of the SPL associated token program, another popular official Solana smart contract.
April 1, 2022
On a $20M Bug in Jet Protocol
Recently, Charlie You disclosed a vulnerability in the Jet Protocol. The vulnerability would have caused a $20M loss of Jet users' funds if exploited. Fortunately, Jet patched it before any user was affected. The sec3 team identified something tricky in Jet-v1's code and had a discussion with Charlie shortly after the disclosure. It turns out that the vulnerability has a different cause (unexpected by Charlie).
March 24, 2022
CashioApp Attack - What’s the Vulnerability and How X-Ray Detects It
The Cashio stablecoin (CASH) protocol recently lost $50M in an attack. The attacker was able to mint 2,000,000,000 CASH tokens for almost free. The root cause is a vulnerability in Cashio's brrr smart contract. The Soteria team conducted an in-depth analysis of the attack. Importantly, the vulnerability can be automatically detected by Soteria's Premium Auto Auditor. This article elaborates on the details.
March 21, 2022
Solana Programs Part 1: Understanding SPL Token Mint
Most user-deployed Solana smart contracts (directly or transitively) use the token program to mint, transfer, and burn tokens (i.e., SPL tokens). SPL tokens are similar to ERC20/ERC721 tokens, with some tricky differences. In this article, we elaborate on SPL tokens and introduce the internals of the most commonly used instructions in the token program.
February 28, 2022
Announcing sec3 Premium: Auto Auditor for Solana Smart Contracts
We are glad to announce the first release of sec3 Premium: an auto-auditing service offered by the sec3 team that scans Solana smart contracts for a large list of security vulnerabilities.
February 3, 2022
The Wormhole Hack: How X-Ray Detects the Vulnerability Automatically
Recently, an attacker was able to steal more than $320 million from Wormhole, a popular bridge linking Solana and Ethereum. This article describes how we enhanced our X-Ray tool so that it detects the vulnerability automatically.
January 30, 2022
Solana Internals Part 4: The Bank - A Key Component
Following Part 3: the TPU, this article elaborates on the bank module, a core component of Solana blockchain.
January 23, 2022
Solana Internals Part 3: The Transaction Processing Unit (TPU)
Solana recently experienced severe performance degradation due to network congestion. The TPS (number of transactions processed per second) dropped by orders of magnitude (from thousands to tens) for several hours. Technically, this problem is caused by performance bugs in Solana, in particular in the transaction processing unit (TPU). This article elaborates on the design of the TPU and highlights some intricacies.
January 16, 2022
Solana Internals Part 2: How Is a Solana Program Deployed and Upgraded
What happens inside Solana when you deploy a smart contract to the Solana Mainnet? Can a Solana program be modified or closed? How is a Solana program upgraded? Who is authorized to change a Solana program? This article focuses on the upgradability of Solana programs and highlights some intricacies.
December 31, 2021
Solana Internals Part 1: What Are the Native On-Chain Programs and Why Do They Matter?
Solana has a few built-in (native on-chain) programs (e.g., system_program, spl_token, stake, vote, ed25519) that provide essential instructions and are generally trusted. In this article, we introduce the internals of these programs and highlight some of the intricacies.
December 17, 2021
Solana Stake Pool: A Semantic Inconsistency Vulnerability Discovered by X-Ray
This article describes our journey in discovering the vulnerability and constructing the PoC. We note that the stake-pool code had been audited before by multiple companies, which motivates the need for a more comprehensive and systematic audit process.
December 16, 2021
How to Audit Solana Smart Contracts Part 4: The Anchor Framework
Following Part 3: penetration testing, this article introduces the internals of Anchor, a popular framework for writing and testing Solana smart contracts.
December 8, 2021
How to Audit Solana Smart Contracts Part 3: Penetration Testing
In this article, we introduce a few penetration testing tools to help detect vulnerabilities in Solana or Rust programs in general.
December 6, 2021
sec3 Project Received a Grant From Solana Foundation
The sec3 project is honored to announce that it has received a grant from the Solana Foundation. The sec3 team will continue to build tools and services for developers and builders in the Solana ecosystem to tackle security challenges. Thanks!
November 12, 2021
How to Audit Solana Smart Contracts Part 2: Automated Scanning
Following Part 1: a systematic approach, this article introduces a few automated scanning tools to help audit Solana smart contracts.
November 11, 2021
How to Audit Solana Smart Contracts Part 1: A Systematic Approach
In this article series, we will introduce a systematic approach including a few automated techniques for auditing Solana smart contracts.
October 23, 2021
Solana Bug Bounty Hunting With X-Ray
Recently, using X-Ray, we identified a vulnerability in an on-chain Solana smart contract (jet-v1) and have been awarded a bug bounty. We thank the Jet Protocol team and Immunefi for their quick responses and generous support. The fix has been applied in this commit. This article shares our bug hunting experience with X-Ray.
October 14, 2021
Understanding Arithmetic Overflow/Underflows in Rust and Solana Smart Contracts
Rust is a popular language used in blockchains such as Solana and Polkadot. Many developers hold the misconception that because Rust is memory-safe, it is also free of arithmetic overflows and underflows. This article explains why Rust programs still suffer from arithmetic errors, how these issues affect blockchain security, and how to deal with them in smart contracts.
October 8, 2021
X-Ray: A Vulnerability Scanner for Solana Smart Contracts
This article introduces X-Ray, a security tool that automatically scans Solana programs to detect common security pitfalls.
October 7, 2021
From Ethereum Smart Contracts to Solana Programs: Two Common Security Pitfalls and Beyond
Why are Solana programs faster than Ethereum smart contracts? What are their key differences? This article explains an essential difference between the two and illustrates two common security pitfalls in Solana programs.