The same seeds with multiple valid bumps can have crucial security implication: PDAs can be faked if their bump seeds are not validated

If a smart contract has a bidirectional function or functions (e.g., swap between a pair of tokens or mint/redeem a token) and the function uses the same rounding operation over arithmetic results in both directions, then the function is likely vulnerable to two-way trading attacks.

While Solana’s core runtime is still under rapid development, its design of smart contracts has been fairly stable. In this article, I’d like to elaborate why Solana is more secure from the perspective of smart contracts.

The Metaplex Candy Machine is among the most popular smart contracts used for NFT minting on Solana. Recently, it has even implemented sophisticated logic for detecting and taxing bots. How does the candy machine program work internally? What are its intended use cases and dependencies? How does it detect bots? This article elaborates on these technical details.

We are glad to announce the general public release of Sec3 Premium (formerly Soteria) — the premier security analysis service for Solana smart contracts.