Introduction
Solana's account model and Rust-based programming environment present unique security challenges. This guide covers the vulnerabilities specific to Solana program development.
Account Validation
Solana programs must explicitly validate every account passed to them. Missing validation is one of the most common vulnerabilities.
validate_accounts.rs
use solana_program::{
    account_info::AccountInfo, entrypoint::ProgramResult, program_error::ProgramError,
};

// Always validate account ownership and type
pub fn process_transfer(accounts: &[AccountInfo]) -> ProgramResult {
    let [payer, token_account, authority] = accounts else {
        return Err(ProgramError::NotEnoughAccountKeys);
    };

    // Validate token account ownership
    if token_account.owner != &spl_token::ID {
        return Err(ProgramError::IncorrectProgramId);
    }

    // Validate authority is signer
    if !authority.is_signer {
        return Err(ProgramError::MissingRequiredSignature);
    }

    // Continue with validated accounts...
    Ok(())
}

Common Vulnerabilities
- Missing signer checks
- Missing owner checks
- Integer overflow without checked math
- PDA seed collision
- Arbitrary CPI (Cross-Program Invocation)
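For the "Integer overflow without checked math" item, an added example (not code from this guide) in plain Rust with no Solana crates. `Balances`, `TransferError` and both transfer functions are hypothetical names, and the `wrapping_*` calls stand in for what the plain operators do when overflow checks are off, as in Rust's default release profile.

```rust
use std::convert::TryFrom;

#[derive(Debug, PartialEq)]
pub enum TransferError { InsufficientFunds, Overflow }

#[derive(Debug, Clone, Copy, PartialEq)]
pub struct Balances {
    pub from: u64,
    pub to: u64,
    pub fee_vault: u64,
}

/// "Before": wrapping_* reproduces plain `-`, `+`, `*` on u64 in a build
/// without overflow checks. An oversized amount wraps instead of failing.
pub fn transfer_unchecked(b: Balances, amount: u64, fee_bps: u64) -> Balances {
    let fee = amount.wrapping_mul(fee_bps) / 10_000;
    Balances {
        from: b.from.wrapping_sub(amount.wrapping_add(fee)),
        to: b.to.wrapping_add(amount),
        fee_vault: b.fee_vault.wrapping_add(fee),
    }
}

/// "After": the fee product is widened to u128 (two u64 values cannot overflow
/// it), every other step is checked, and no state is returned on failure.
pub fn transfer_checked(b: Balances, amount: u64, fee_bps: u64) -> Result<Balances, TransferError> {
    let fee_wide = (amount as u128) * (fee_bps as u128) / 10_000;
    let fee = u64::try_from(fee_wide).map_err(|_| TransferError::Overflow)?;
    let debit = amount.checked_add(fee).ok_or(TransferError::Overflow)?;
    Ok(Balances {
        from: b.from.checked_sub(debit).ok_or(TransferError::InsufficientFunds)?,
        to: b.to.checked_add(amount).ok_or(TransferError::Overflow)?,
        fee_vault: b.fee_vault.checked_add(fee).ok_or(TransferError::Overflow)?,
    })
}

fn main() {
    // Constructed sample state: the sender holds 100 units and asks to move 101.
    let start = Balances { from: 100, to: 0, fee_vault: 0 };
    println!("unchecked: {:?}", transfer_unchecked(start, 101, 0));
    println!("checked:   {:?}", transfer_checked(start, 101, 0));
}
```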
Use the Anchor framework when possible - it handles most account validation automatically.
- Account Validation: Verify every account explicitly
- Signer Checks: Never skip signature verification
- Use Anchor: Framework handles common pitfalls
