-
Notifications
You must be signed in to change notification settings - Fork 12
Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
Add some notes on Common Security Exploits
- Loading branch information
1 parent
6029cab
commit 7667cfd
Showing
1 changed file
with
56 additions
and
4 deletions.
There are no files selected for viewing
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -1,20 +1,72 @@ | ||
| # 🛹 Security on Solana | ||
| # 🛹 Writing Secure Programs on Solana | ||
|
|
||
| <br> | ||
|
|
||
|
|
||
| ### tl; dr | ||
| ## Common Security Exploits | ||
|
|
||
| <br> | ||
|
|
||
|
|
||
| #### Missing Address Check | ||
|
|
||
| * Make sure that an account has the expected address (pubkey). | ||
| * For example, by verifying that an `admin` account is associated with the config account using the constraint `has_one = admin`. | ||
|
|
||
| <br> | ||
|
|
||
| #### Missing Ownership Check | ||
|
|
||
| * Verify that an account is owned by the expected program by using Anchor's `Account<`info, T>` type that checks the owner (instead of `AccountInfo<`info>`). | ||
|
|
||
| <br> | ||
|
|
||
| #### Missing Signer Check | ||
|
|
||
| * This vulnerability occurs when an account is not signed so anyone who knows the user pubkey can use it in a transaction. | ||
| * A solution is to replace `AccountInfo<'info>` with `Signer<'info>`. | ||
|
|
||
| <br> | ||
|
|
||
| #### Exploiting Arbitrary CPI | ||
|
|
||
| * Verify that the target program to be invoked has the correct address. | ||
| * For example, if the main program invokes an external program to transfer funds from a user account to a pool account and the program does not verify the address of the external program, an arbitrary code execution can happen. | ||
| * To mitigate, replace the `AccountInfo<'info>` type (which is unverified) with Anchor's `Program<'info, T>` type. | ||
| * Note that Anchor supports `System`, `Token`, and `AssociatedToken` programs, but other programs must have the CPI modules generated. | ||
|
|
||
| <br> | ||
|
|
||
| #### Math & Logic Issues | ||
|
|
||
| * Beware of arithmetics and precision issues. | ||
| * Validate account data and instruction parameters. | ||
| * Make sure instructions are exectured in the correct order. | ||
| * Make sure to prevent uninteded behavior when passing duplicated accounts. | ||
|
|
||
|
|
||
| <br> | ||
|
|
||
| #### Reinitialization and Revival Attacks | ||
|
|
||
| * Make sure to not re-initialize an already initalized account. | ||
| * Mare sure to not re-use an already closed account. | ||
|
|
||
| <br> | ||
|
|
||
| #### PDAs | ||
|
|
||
| * Use canonical bump to avoid multiple valid PDAs (never let the user define an arbitrary bump). | ||
| * Do not share global PDA authorities, instead use account specifi PDAs. | ||
|
|
||
| <br> | ||
|
|
||
| --- | ||
|
|
||
| ### Resources | ||
| ## Resources | ||
|
|
||
| <br> | ||
|
|
||
| * [Neodyme's Secure Scaffold](https://github.com/neodyme-labs/tradeoffer-secure-coding-workshop.git) | ||
| * [Ackee's Trdelník for Fuzzing](https://github.com/Ackee-Blockchain/trident) | ||
| * [Writing Secure Solana Programs, by Ackee Blockchain Security](https://www.youtube.com/watch?v=Qkf9QwSfHAM) | ||
| * [Ackee's Writing Secure Solana Programs](https://www.youtube.com/watch?v=Qkf9QwSfHAM) |