DOI QR코드

DOI QR Code

Study of Vulnerabilities in Solana Smart Contracts

솔라나 스마트 계약의 취약점 연구

  • Mahboubeh Bagheri (Dept. of Computer Science and Engineering, Pusan National University) ;
  • Seong-Hwan Park (Dept. of Information Convergence Engineering, Pusan National University) ;
  • Dong-Hyeon Kwon (Dept. of Computer Science and Engineering, Pusan National University)
  • 바게리 마흐부베 (부산대학교 정보컴퓨터공학과) ;
  • 박성환 (부산대학교 정보융합공학과) ;
  • 권동현 (부산대학교 정보컴퓨터공학과)
  • Published : 2024.10.31

Abstract

Solana, a high-performance blockchain platform, is known for its fast transaction speeds and low operational costs, making it a popular choice for decentralized applications. However, its architecture introduces unique security vulnerabilities in smart contracts. This paper presents an analysis of six key vulnerabilities in Solana smart contracts-missing ownership checks, missing signer checks, arithmetic overflow/underflow, cross-program invocation (CPI) vulnerabilities, account confusion, and missing key checks. We further evaluate how automated verification tools like VRust and fuzzing techniques detect these vulnerabilities. Through case studies of widely-used Solana programs like Mango Markets and the Solana Program Library (SPL), we illustrate the effectiveness of these tools in real-world scenarios.

Keywords

Acknowledgement

This research was supported by the MSIT (Ministry of Science and ICT), Korea, under the Special R&D Zone Development Project (R&D) - Development of R&D Innovation Valley support program (2023-DD-RD-0152), supervised by the Innovation Foundation.

References

  1. Sven Smolka, Jens-Rene Giesen, Pascal Winkler, Oussama Draissi, Lucas Davi, Ghassan Karame, Klaus Pohl. "Fuzz on the Beach: Fuzzing Solana Smart Contracts." Proceedings of the 2023 ACM SIGSAC Conference on Computer and Communications Security (CCS '23), Copenhagen, Denmark, 2023, pp. 1197-1211.
  2. Tien N. Tavu. Automated Verification Techniques for Solana Smart Contracts. Undergraduate Research Scholars Program, Texas A&M University, 2022.
  3. Siwei Cui, Gang Zhao, Yifei Gao, Tien Tavu, Jeff Huang. "VRust: Automated Vulnerability Detection for Solana Smart Contracts." Proceedings of the 2022 ACM SIGSAC Conference on Computer and Communications Security (CCS '22), Los Angeles, USA, 2022, pp. 639-652.
  4. Sebastien Andreina, Tobias Cloosters, Lucas Davi, Jens-Rene Giesen, Marco Gutfleisch, Ghassan Karame, Alena Naiakshina, Houda Naji. "Defying the Odds: Solana's Unexpected Resilience in Spite of the Security Challenges Faced by Developers." arXiv preprint, arXiv:2406.05231 [cs.CR], 2024.
  5. Fang, J., & Qu, H. "VeriOover: A Verifier for Detecting Integer Overflow by Loop Abstraction." Proceedings of the 13th International Workshop on Computer Science and Engineering (WCSE 2023), Ocean University of China, Qingdao, China, 2023.