[
  {
    "path": "README.md",
    "content": "# Solana Auditing and Security Resources\n\nA collection of resources to study Solana smart contract security, auditing, and exploits.\n\n\n\n## Foundations 📚\n\n- [Armani Sealevel Attacks and How to avoid them in Anchor](https://github.com/project-serum/sealevel-attacks)\n  - [Summary Thread](https://twitter.com/pencilflip/status/1483880018858201090) by pencilflip - use Anchor attributes, constraints and types, it will make your life easier!\n- [Armani Tips on Developing Secure Solana Programs](https://twitter.com/armaniferrante/status/1411589629384355840)\n  - Be wary of  `UncheckedAccount` and `AccountInfo` - check them properly!\n- [CMichel How to become a smart contract auditor](https://cmichel.io/how-to-become-a-smart-contract-auditor/) \n  - Targeted at ETH folks but contains general advice\n- [DeFi MOOC samczsun Practical Smart Contract Security](https://www.youtube.com/watch?v=pJKy5HWuFK8)\n  - Great intro to smart contract security that provides an overview of a large surface area of attacks. Mostly ETH-based but also covers a cross-chain BTC/ETH exploit, and contains lots of concepts that carry over to Solana\n- [Kudelski Solana Program Security](https://research.kudelskisecurity.com/2021/09/15/solana-program-security-part1/)\n  - A high-level overview of ownership and data validation\n- [Neodyme Common Pitfalls](https://blog.neodyme.io/posts/solana_common_pitfalls)\n  - Check owner, check signer, check account data, be careful of integer over/underflow, verify invoke_signed(), and [use Anchor](https://twitter.com/armaniferrante/status/1438706351295827968?s=20&t=YS6ldLG-nvqLffT4eZtpKg) (unless you have a good reason not to), e.g. account confusions are prevented in Anchor by implicitly assigning each `#[account]` a type with an 8-byte identifier \n- [Neodyme Solana Security Workshop Exercises and Solutions](https://workshop.neodyme.io/)\n  - Corresponding exercises to the common pitfalls mentioned in the blog post \n- [Neodyme Thinking Like An Attacker Workshop Recording](https://www.youtube.com/watch?v=vbkhhgeP30I)\n  - A quick rundown of the PoC framework and an explanation of Level 0 of the challenge\n- [OtterSec Solana from an Auditor’s perspective](https://osec.io/blog/tutorials/2022-03-14-solana-security-intro/)\n  - A bottoms-up introduction to Solana's Execution and Programming Model from a security perspective\n- [Sec3 Arithmetic Overflow and Underflow](https://www.sec3.dev/blog/understanding-arithmetic-overflow-underflows-in-rust-and-solana-smart-contracts)\n  - Don't use `+, - , /, *` operations, check arithmetic operations for overflow and underflow!\n- [Sec3 How to Audit Part 1: A Systematic Approach](https://www.sec3.dev/blog/how-to-audit-solana-smart-contracts-part-1-a-systematic-approach)\n  - A high-level overview of common attack surfaces and questions to ask as an auditor\n- [Sec3 How to Audit Part 2: using automated tools to find vulnerabilities](https://www.sec3.dev/blog/how-to-audit-solana-smart-contracts-part-2-automated-scanning)\n  - An outline of tools that can automatically scan your code for vulnerabilities, unsafe Rust, and spelling. More security tools are needed! \n- [Sec3 How to Audit Part 3: Penetration Testing](https://www.sec3.dev/blog/how-to-audit-solana-smart-contracts-part-3-penetration-testing)\n  - How to execute a proof of concept for an attack with Neodyme's PoC framework\n- [Sec3 How to Audit Part 4: Anchor](https://www.sec3.dev/blog/how-to-audit-solana-smart-contracts-part-4-the-anchor-framework)\n  - How Anchor's `#[program] `, `#[derive(Accounts)]` and `#[account]`work under-the-hood\n- [Sec3 Owner and Signer Check](https://www.sec3.dev/blog/from-ethereum-smart-contracts-to-solana-programs-two-common-security-pitfalls-and-beyond)\n  - Check the owner and check the signer! Use `#[account]` and `Signer<'info>` to [prevent](https://twitter.com/armaniferrante/status/1438706352805797889?s=20&t=YS6ldLG-nvqLffT4eZtpKg) this\n- [Solend Auditing Workshop](https://docs.google.com/presentation/d/1jZ9kVo6hnhBsz3D2sywqpMojqLE5VTZtaXna7OHL1Uk/edit?pli=1#slide=id.ge15c343642_0_51) \n  - Known attacks from ETH and how they carry over to Solana + auditing methodology\n- [Trail of Bits DeFi Security Success Stories](https://www.youtube.com/watch?v=jGrtK5k0CK0)\n  - ETH-focused but broadly applicable advice on securing systems in DeFi\n- [Zellic The Vulnerabilities You’ll Write With Anchor](https://www.zellic.io/blog/the-vulnerabilities-youll-write-with-anchor/)\n  - A subset of common vulnerabilities you'll come across in Anchor programs\n\n\n\n## Exploits 🪦\n\n- [CASH Hack Summary Thread](https://twitter.com/samczsun/status/1506578902331768832) (samczsun)\n  - Establish a root of trust!\n- [CASH Hack — What’s the Vulnerability](https://www.sec3.dev/blog/cashioapp-attack-whats-the-vulnerability-and-how-soteria-detects-it) (Sec3)\n  - Check input accounts!\n- [Cope Roulette](https://github.com/Arrowana/cope-roulette-pro) (Arrowana)\n  - Neat way to exploit reverting transactions\n- [Detecting Simulation in a Solana Program](https://opcodes.fr/en/publications/2022-01/detecting-transaction-simulation/) (Opcodes)\n  - Goes into how transaction simulation works and the purpose of the bank - Sec3 also has a great [overview](https://www.sec3.dev/blog/solana-internals-part-4-the-bank-a-key-component) of the bank module\n- [How to freely borrow all the TVL from the Jet Protocol](https://medium.com/@0xjayne/how-to-freely-borrow-all-the-tvl-from-the-jet-protocol-25d40e35920e) (Jayne)\n  - A fairly uncommon vulerability due to an unintended use of `break`\n- [How to Become a Millionaire, 0.000001 BTC at a Time](https://blog.neodyme.io/posts/lending_disclosure) (Neodyme)\n  - An innocent-looking rounding error that put $2.6bn at risk. If in doubt, use `floor` (or `ceil` depending on direction) instead of `round`\n  - [Context on Neodyme Exploit by Solend](https://blog.solend.fi/bug-bounty-and-response-to-spl-lending-vulnerability-f4c8874342d0)\n- [New Integer Overflow Bug Discovered in Solana rBPF](https://blocksecteam.medium.com/new-integer-overflow-bug-discovered-in-solana-rbpf-7729717159ee) (BlockSec)\n  - Use `checked_add(), checked_div(), checked_mul(), checked_pow, checked_sub` or `saturating_add(), saturating_mul(), saturating_pow(), saturating_sub()`! → read relevant [Sec3 blog post](https://www.sec3.dev/blog/understanding-arithmetic-overflow-underflows-in-rust-and-solana-smart-contracts)\n- [Schrodinger’s NFT, An Incinerator SPL Token program, and The Royal Flush Attack](https://medium.com/@solens_io/schrodingers-nft-an-incinerator-spl-token-program-and-the-royal-flush-attack-58e4ce4e63dc) (Solens) (similar to samczsun explanation of combining attacks)\n  - Chaining small exploits to create a significant exploit. Watch [samczsun's explanation](https://www.youtube.com/watch?v=oA6Td5ujGrM) of exploit chaining \n- [Smashing the Candy Machine for fun and profit!](https://medium.com/@solens_io/smashing-the-candy-machine-for-fun-and-profit-a3bcc58d6c30) (Solens)\n  - Check unchecked accounts properly! There is a reason why Anchor [requires](https://github.com/project-serum/anchor/pull/1452#discussion_r809207430) `UncheckedAccount` to have `/// CHECK` documentation. The fix came down to 1 line of Anchor code: `#[account(zero)]` vs `#[account(zero)]`\n- [Solana Stake Pool: A Semantic Inconsistency Vulnerability](https://www.sec3.dev/blog/solana-stake-pool-a-semantic-inconsistency-vulnerability-discovered-by-x-ray) (Sec3)\n  - Shows how to build a proof of concept with Neodyme’s Poc Framework. Also highlights how previously audited code (Stake Pool audits linked in audits section below) can contain vulnerabilities\n- [Solend Malicious Lending Market Incident Report](https://docs.google.com/document/d/1-WoQwT1QrPEX-r4N-fDamRQ50LM8DsdsOyq1iTabS3Q/edit#)  (Rooter)\n  - Read Kudelski's blog post on Solana Program Security to understand the exploit\n- [SPL Token Program Approve Instruction](https://2501babe.github.io/tools/revoken.html) (Hana)\n  - Sneaky way to revoke Solana token approvals\n- [The $200m Bluff: Cheating Oracles on Solana](https://osec.io/blog/reports/2022-02-16-lp-token-oracle-manipulation/) (OtterSec)\n  - How to move an AMM price to manipulate an oracle and exploit a lending protocol. Use fair pricing for LP tokens and TWAPs where possible! Drift has [examples of oracle guardrails](https://github.com/drift-labs/protocol-v1/blob/4c2d447a677693da506e4de9596a07e4b9ba4d5d/tests/admin.ts#L212) that aim to prevent these types of attacks\n- [Wormhole Hack Summary Thread](https://twitter.com/samczsun/status/1489044939732406275) (samczsun)\n  - Check/validate your input accounts anon!\n- [Wormhole Hack TLDR](https://halborn.com/explained-the-wormhole-hack-february-2022/) (Halborn)\n  - When chaining delegations of signature verifications, make sure it leads to proper verifications!\n- [Wormhole Hack Quick Analysis](https://research.kudelskisecurity.com/2022/02/03/quick-analysis-of-the-wormhole-attack/) (Kudelski)\n  - Validate [unmodified, reference-only accounts](https://docs.solana.com/developing/programming-model/accounts#verifying-validity-of-unmodified-reference-only-accounts)!\n- [Wormhole Post-Mortem Analysis](https://extropy-io.medium.com/solanas-wormhole-hack-post-mortem-analysis-3b68b9e88e13) (Entropy)\n  - Analyzing the input accounts to fake the `SignatureSet`\n\n\n\n## PoCs for Discovered Vulnerabilities 💡\n\n- [Cashio Exploit](https://github.com/PwnedNoMore/cashio-exploit-workshop/tree/poc) (PNM)\n- [Jet Governance](https://github.com/otter-sec/jet-governance-pocs) (OtterSec)\n- [Port Max Withdraw Bug](https://github.com/port-finance/variable-rate-lending/blob/master/token-lending/program/tests/max_withdraw_bug_poc.rs) (nojob)\n- [SPL Token-Lending](https://blog.neodyme.io/posts/lending_disclosure) (Neodyme)\n\n\n\n## Audits and Code Reviews 🔒\n\n- [Aldrin](https://dex.aldrin.com/877f900320eec44c13409814fe473fb7.pdf) (Kudelski)\n- [Audius](https://assets.website-files.com/6024b69839b1b755528798ea/6201872afb297b3955e303aa_Audius%20-%20Security%20Assessment%20for%20Audius%20Protocol%20v1.1.0.pdf) (Kudelski)\n- [Cashmere](https://github.com/cashmere-inc/multisig-audit-report/blob/main/cashmere-audit-public.pdf) (OtterSec)\n- [Cega](https://github.com/otter-sec/cega-vault-report) (OtterSec)\n- [Crema](https://www.bramah.systems/audits/Crema_Finance_Audit_Bramah.pdf) (Bramah)\n- [Cropper](https://github.com/HalbornSecurity/PublicReports/blob/master/Solana%20Program%20Audit/Cropper_Finance_AMM_Program_Security_Audit_Report_Halborn_Final.pdf) (Halborn)\n- [Debridge](https://docs.debridge.finance/the-core-protocol/security#has-debridge-been-audited) (Neodyme)\n- [Drift](https://github.com/Zellic/publications/blob/master/Drift%20Protocol%20Audit%20Report.pdf) (Zellic)\n- [Francium](https://www.certik.com/projects/francium) (Certik)\n- [Friktion](https://docs.friktion.fi/protocol/security) (Kudelski)\n- [Genopets](https://whitepaper.genopets.me/tokenomics/gene-staking/staking-program-audit) (MadShield)\n- [GooseFx](https://github.com/HalbornSecurity/PublicReports/blob/master/Solana%20Program%20Audit/GooseFX_Swap_Program_Security_Audit_Report_Halborn_Final.pdf) (Halborn)\n- [Hedge](https://docs.hedge.so/protocol-overview/security) (Kudelski, OtterSec + Sec3)\n- [Hubble](https://docs.hubbleprotocol.io/documentation/security-audits) (Kudelski)\n- [Invariant](https://invariant.app/audit.pdf) (Sec3)\n- [Jet Governance](https://github.com/jet-lab/jet-governance/blob/master/reports/jet-governance-audit-public.pdf) (OtterSec)\n- [Juiced](https://juiced.fi/audit-report.pdf) (OtterSec)\n- [Larix](https://docs.projectlarix.com/how-to-prove/audit) (SlowMist)\n- [Light](https://github.com/Lightprotocol/light-protocol-program/blob/main/Audit/Light%20Protocol%20Audit%20Report.pdf) (HashCloak)\n- [Mango](https://docs.mango.markets/audit) (Neodyme)\n- [Maple](https://uploads-ssl.webflow.com/6247b0423c35b87bbaaf6d4c/62617902491def721f481ecb_Maple_Finance_Audit_Bramah.pdf) (Bramah)\n- [Marinade](https://docs.marinade.finance/marinade-protocol/security/audits) (Kudelski + Ackee) and [Code Review](https://marinade.finance/docs/Neodyme.pdf) (Neodyme)\n- [Marinade v2](https://github.com/marinade-finance/liquid-staking-program) (Neodyme + Sec3)\n- [Mean](https://docs.meanfi.com/products/safety-and-security) (Sec3)\n- [Orca Whirlpools](https://docs.orca.so/#has-orca-been-audited) (Kudelski + Neodyme)\n- [Parrot](https://doc.parrot.fi/Party_Parrot_Solana_Smart_Contract_Security_Audit_Report_Halborn_v1_1.pdf) (Halborn)\n- [Phantasia](https://github.com/HalbornSecurity/PublicReports/blob/master/Solana%20Program%20Audit/Phantasia_Sports_NFT_Store_SPA_Solana_Program_Security_Audit_Report_Halborn_Final.pdf) (Halborn)\n- [Phoenix](https://github.com/Ellipsis-Labs/phoenix-v1/tree/master/audits) (MadShield + OtterSec)\n- [Port Lending](https://immunefi.com/bounty/portfinance/) (Kudelski + SlowMist)\n- [Port Sundial](https://github.com/port-finance/sundial/blob/master/audits/port-finance-sundial-audit-public.pdf) (OtterSec)\n- [Pyth](https://github.com/Zellic/publications) (Zellic)\n- [Quarry](https://github.com/QuarryProtocol/quarry/blob/master/audit/quantstamp.pdf) (Quantstamp)\n- [Saber](https://github.com/saber-hq/stable-swap/blob/master/audit/bramah-systems.pdf) (Bramah)\n- [Shared Memory and Token Swap Code Review](https://orca-dev-12345.s3-ap-southeast-1.amazonaws.com/Kudelski-audit.pdf) (Kudelski)\n- [Soda](https://certik-public-assets.s3.amazonaws.com/REP-Soda-Protocol-2021-10-26.pdf) (Certik)\n- [Solana](https://solana.com/solana-security-audit-2019.pdf) (Kudelski, 2019)\n- [Solana Stake Pool](https://solana.com/SolanaKudelskiStakePoolAudit.pdf) (Kudelski)\n- [Solana Stake Pool](https://solana.com/SolanaNeodymeStakePoolAudit.pdf) (Neodyme)\n- [Solana Stake Pool](https://solana.com/SolanaQuantstampStakePoolAudit.pdf) (Quantstamp)\n- [Solend](https://docs.solend.fi/protocol/audit) (Kudelski)\n- [Solido](https://github.com/ChorusOne/solido/tree/163b26aee08958fbdc0f3909ccb6ef606a1ea0f2/audit) (Bramah + Neodyme)\n- [Solvent](https://drive.google.com/file/d/1tVe-0EQhslQxr56nOQmxqaB8BSDwJ1s1/view) (OtterSec)\n- [Squads](https://github.com/Squads-Protocol/squads-mpl/blob/main/Squads%20V3%20-%20OtterSec%20Audit.pdf) (OtterSec)\n- [Streamflow](https://github.com/streamflow-finance/rust-sdk/blob/main/protocol_audit.pdf) (Opcodes)\n- [Swim](https://swim.io/audits/kudelski.pdf) (Kudelski)\n- [Synthetify](https://synthetify.io/resources/audit.pdf) (Kudelski)\n- [UXD Audit](https://docs.uxd.fi/uxdprotocol/resources/audits) (Sec3)\n- [Wormhole](https://github.com/certusone/wormhole/blob/dev.v2/audits/2021-01-10_neodyme.pdf) (Neodyme)\n\n\n\n## Tools 🔧\n\n- [Ackee Trident](https://github.com/Ackee-Blockchain/trident) (Solana fuzzing framework)\n- [Anchor Test UI](https://github.com/0xPratik/anchor-UI) (Visual Anchor testing framework)\n- [APR](https://www.apr.dev/) (Anchor Program Registry)\n- [Blockworks Checked Math](https://github.com/blockworks-foundation/checked-math) (Macro to check math operations)\n- [cargo-audit](https://docs.rs/cargo-audit/latest/cargo_audit) (checks Cargo.lock files for vulnerable crates)\n- [cargo-geiger](https://crates.io/crates/cargo-geiger) (checks usage of unsafe Rust code)\n- [Kudelski Semgrep](https://twitter.com/cryptographadam/status/1425163382982811650?s=20&t=5rNeZ11MMw0N1e-_SmU5Tw) (static analysis)\n- [Neodyme Solana PoC Framework](https://github.com/neodyme-labs/solana-poc-framework) (penetration testing)\n- [OtterSec Solana CTF Framework](https://github.com/otter-sec/sol-ctf-framework)\n- [Saber Vipers](https://github.com/saber-hq/vipers) (checks and validations)\n- [Sec3 Auto Auditor](https://twitter.com/aeyakovenko/status/1529138221094883333) (vulnerability scanner)\n- [L3X](https://github.com/VulnPlanet/l3x) - (AI-driven Smart Contract Static Analyzer)\n- [Rug Checker Solana](https://rugcheckersolana.com/) - (Best solana rug checker tool)\n\n\n## Bug Bounties **🏆**\n\n- [Drift](https://immunefi.com/bounty/driftprotocol/) (up to 500k)\n- [Friktion](https://docs.friktion.fi/protocol/security) (up to 100k)\n- [Hubble](https://github.com/hubbleprotocol/audits/blob/master/docs/SECURITY.md) (up to 500k)\n- [Jet](https://immunefi.com/bounty/jetprotocol/) (up to 75k)\n- [Larix](https://docs.projectlarix.com/how-to-prove/bug-bounty-reward) (up to 150k)\n- [Lido](https://immunefi.com/bounty/lidoforsolana/) (up to 2m)\n- [Mango](https://docs.mango.markets/mango/bug-bounty) (up to 1m)\n- [Marinade](https://immunefi.com/bounty/marinade/) (up to 250k)\n- [Metaplex](https://www.metaplex.com/bounty-program) (up to 200k)\n- [Orca](https://immunefi.com/bounty/orca/) (up to 500k)\n- [Port](https://immunefi.com/bounty/portfinance/) (up to 500k)\n- [Phoenix](https://github.com/Ellipsis-Labs/phoenix-v1/security) (up to 100k)\n- [Saber](https://blog.saber.so/the-cashio-vulnerability-against-saber-and-our-users-what-happened-and-what-we-are-doing-about-it-d0ee188e8346) (up to 1m)\n- [Serum](https://forum.projectserum.com/t/formalizing-a-bug-bounty-program/410) (up to 1m)\n- [Solana Labs](https://github.com/solana-labs/solana/security/policy) (up to 2m)\n- [Solend](https://docs.solend.fi/protocol/bug-bounty) (up to 1m)\n- [Solvent](https://solvent-protocol.gitbook.io/solvent-protocol/developers/bug-bounty) (up to 250k)\n- [Swim](https://immunefi.com/bounty/swimprotocol/) (up to 100k)\n- [Synthetify](https://synthetify.io/blog/bug-bounty) (up to 100k)\n- [UXD](https://docs.uxd.fi/uxdprotocol/resources/bug-bounty) (up to 2.5m)\n- [Wormhole](https://immunefi.com/bounty/wormhole/) (up to 2.5m)\n\n\n\n## Open Questions ？\n\n- [When is it appropriate to reward a bounty?](https://twitter.com/wireless_anon/status/1501025792565915657)\n- [When to audit a protocol?](https://twitter.com/ChenWainuo/status/1499871348696379393), [thread on deploying to mainnet without an audit](https://twitter.com/cronos_so/status/1500131620606681088)\n- [Who would pay for an Anchor exploit?](https://twitter.com/armaniferrante/status/1506691213394694152)\n\n\n\n## Contributing 🤝\n\nPull requests are welcome! For major changes, please open an issue first to discuss what you would like to change.\n\n\n## License 🪧\n\nFeel free to do whatever you want with this material (but pls be a whitehacker)!\n"
  }
]