September 6, 2022
A Review of Recent Hacks on Solana: What Is in Common and How to Prevent Them?
The Solana ecosystem has seen very rapid growth while also witnessing multiple hacks (involving Wormhole, CashioApp, CremaFinance, Nirvana, and Slope Wallet), which collectively caused close to $400 million in losses. In this article, we review the essence of these hacks and aim to find effective solutions to prevent such attacks in the future.
July 6, 2022
Security of Solana Smart Contracts: Why You Should Always Validate PDA Bump Seeds
The same seeds with multiple valid bumps can have a crucial security implication: PDAs can be faked if their bump seeds are not validated.
June 13, 2022
Bidirectional Rounding: A Common Security Vulnerability in Defi Smart Contracts
If a smart contract has a bidirectional function or functions (e.g., swap between a pair of tokens or mint/redeem a token) and the function uses the same rounding operation over arithmetic results in both directions, then the function is likely vulnerable to two-way trading attacks.
June 5, 2022
On Smart Contracts: Why Solana Is More Secure?
While Solana’s core runtime is still under rapid development, its design of smart contracts has been fairly stable. In this article, I’d like to elaborate why Solana is more secure from the perspective of smart contracts.
May 29, 2022
Solana Programs Part 4: Metaplex Candy Machine
The Metaplex Candy Machine is among the most popular smart contracts used for NFT minting on Solana. Recently, it has even implemented sophisticated logic for detecting and taxing bots. How does the candy machine program work internally? What are its intended use cases and dependencies? How does it detect bots? This article elaborates on these technical details.
May 24, 2022
Announcing sec3 X-ray Security Scanner: General Public Release
sec3 X-ray is a security scanner specifically designed for Solana smart contracts. It can detect more than 50 types of security vulnerabilities and can be integrated into the GitHub CI development process. Integrating sec3 X-ray into your protocol's development process can shift security practices left, reduce costly security issues, and speed up time-to-market. sec3 X-ray has been adopted by leading Solana protocols; try it out today!
May 23, 2022
Solana Programs Part 3: Understanding Metaplex Token Metadata
In this article, we elaborate on the implementation details of token-metadata.
April 11, 2022
Solana Programs Part 2: Understanding SPL Associated Token Account
Following Part 1: understanding SPL Token Mint, this article introduces the technical details of the SPL associated token program, another popular official Solana smart contract.
April 1, 2022
On a $20M Bug in Jet Protocol
Recently, Charlie You disclosed a vulnerability in the Jet Protocol. The vulnerability would have caused a $20M loss of Jet users’ funds if exploited. Fortunately, Jet patched it before any user was affected. The Soteria team identified something tricky in Jet-v1’s code and had a discussion with Charlie shortly after the disclosure. It turns out that the vulnerability has a different cause (unexpected by Charlie).
March 24, 2022
CashioApp Attack - What’s the Vulnerability and How Soteria Detects It
The Cashio stablecoin (CASH) protocol recently lost $50M in an attack. The attacker was able to mint 2,000,000,000 CASH tokens for almost free. The root cause is a vulnerability in Cashio’s brrr smart contract. The Soteria team conducted an in-depth analysis of the attack. Importantly, the vulnerability can be automatically detected by Soteria’s Premium Auto Auditor. This article elaborates on the details.