How to Conduct Solana Smart Contract Auditing
Due to its increased scalability, Solana claims to be the blockchain network with the fastest growth. Because it is based on proof-of-history consensus, it can process up to 710,000 transactions per second with greater scalability.
Even though Solana is incredibly popular, its smart contracts have not been thoroughly tested for security. In addition, testing is essential for delivering the brand value promised to partners and fostering investor confidence in your project.
This article will discuss the various Solana coding flaws and how auditing can assist in their identification and correction.
Multiple Attack Scenarios on the Solana Blockchain
Wormhole Hacks
Wormhole, a blockchain bridge that facilitates tokenized exchanges between different blockchains, has been added to the list of hacked cryptocurrency projects. The estimated total loss of funds is approximately $320 million, making this one of the most significant instances of money laundering in the cryptocurrency industry.
Hacking History
Wormhole enables the transfer of assets between blockchains, as we already know. However, the question is how this is achieved.
The tokens created on each chain, such as Ethereum or Solana, are managed by smart contracts. And to transfer tokens, transactions must be approved by Guardians, who verify the signatures of newly-minted tokens.
In the Wormhole incident, the hacker used the verify _signature function to generate an instruction that validated their transactions with fabricated data.
This enabled the hacker to generate the required number of signatures for Validator Action Approval (VAA). Therefore, the hacker was able to initiate the unauthorized mint.
Due to this, the hacker could obtain 120,000 wrapped Ethereum worth $320 million and steal them.
Crema Finance Hack
Crema Finance, a liquidity protocol on the list of Solana blockchain projects, had $8.78 million stolen.
History of Hack
The hacker used a smart contract to obtain a Solana flash loan and increase Crema’s liquidity. The pricing data was then altered, allowing the hackers to appear to have a substantial fee amount, all with fictitious information.
The Crema team tracked the hacker’s successful funds transfer from Solana to Ethereum. The team advised the hacker to accept the reward and return the stolen funds immediately.
The hacker returned the funds almost immediately after that while keeping the white-hat bounty of $1,600,000.
Cashio Fraud
Due to an infinite mint error, Cashio (CASH), Solana’s native algorithmically-backed stablecoin, lost $52.8 million. Consequently, the coin’s value fell from $1 to $0.00005, bringing the DeFi ecosystem to its knees.
The Hack’s Background
Using Cashio’s source code, the hacker generated two billion CASH tokens. What exactly was the issue with the code?
This protocol flaw allows the user to mint an infinite quantity of tokens without providing collateral. The user can then sell these newly-minted tokens on exchanges, causing the coin price to drop.
The hacker burned two million CASH tokens in exchange for Saber USDT-USDC LP tokens in the Cashio exploit. The exchange of Liquidity Pair tokens for USDC and USDT tokens result in a loss of $52.8 million.
How can you safeguard your projects against hacking and theft?
Although security is a constant work in progress, Defi smart contract development service providers employ tried and true methods. Auditors can make it more difficult for hackers to conduct attacks.
Adequate security precautions have prevented governance attacks, price oracle manipulation, reentrancy errors, and other issues. Therefore, seek security measures to discourage contract abuse and money laundering.
Smart contract coding: Write contracts using secure coding techniques, such as testing libraries, a recommended programming language, implementing exceptional security on wallets, and clearly defining functions.
Implement the checklist for blockchain security: Numerous well-researched resources can be utilized to protect against hackers.
Utilization of security auditing tools: Open-source security scanners are available to perform automated vulnerability checks on contracts and identify potential vulnerabilities.
It may not detect errors, but it is helpful for a quick check. MythX, Echidna, Manticore, Oyente, SmartCheck, and others aid in the detection of blockchain and smart contract vulnerabilities.
Pentesting and auditing services: Contracts for intelligent auditing should never be overlooked. Hackers can infiltrate and disrupt agreements due to slight flaws.
Audits and penetration tests for security thoroughly examine the project and eliminate even the most remote hacker entry points. Keeping in mind that auditing and penetration testing services are more important for providing protection, let’s walk through the process.
The Role of Auditing in Smart Contract Security
Auditing consists of steps ranging from automated testing to manual review, covering all aspects of coding and searching for flaws. In the Solana auditing process, the following specifications are evaluated:
- Validates functionality
- Contract termination
- Manipulation of the supply of tokens
- Manipulation of user equilibrium
- Trial administration and event creation
Auditing Procedure for a Solana Smart Contract
Solana smart contracts are meticulously audited, and a comprehensive audit report with all auditing analyses is provided. The workflow is described in detail below.
Step 1: Information Collection
The client’s concept and intended purpose for the project is gathered and analyzed to comprehend and acquire complete knowledge of the code’s operation. Following the conclusion of the discussions, the auditors freeze the code in preparation for the subsequent auditing phase.
Step 2: Testing by hand
A Defi Development company with extensive experience examines the code for complexities and vulnerabilities. It involves searching for mathematical errors, logical flaws, etc.
Step 3: Conduct functional testing
This process involves testing contracts under various conditions and validating the data retrieved by Solana smart contracts. Tests are performed on the smart contract to ensure that the intended actions are carried out accurately.
Step 4- Testing on latest attack vectors
Recent attacks are analyzed, and smart contracts are subjected to rigorous testing to ensure their complete resistance to attack. Examining for attacks including market manipulation, LP pricing, front running vectors, etc.
Step 5: Automated tool testing
Soteria, cargo-Clippy, cargo-audit, and specialized Solana smart contract auditing tools are used to detect errors.
Step 6: Initial audit report
The initial audit report details the contract’s flaws, which are then forwarded to the development team for resolution.
Step 7- Final audit report
The report is tested for development team corrections before submitting the final audit report.
Final Thoughts
This highlights the significance of Solana’s smart contract auditing services in resolving potential flaws and technical errors to protect smart contracts from cybercriminals.
