How to do Solana Smart Contract Auditing Contrary to Rising Hacks

Solana claims to be the fastest-growing blockchain network due to its higher scalability. Its proof-of-history consensus is the reason for that scalability, processing up to 710,000 transactions per second.

Despite Solana’s enormous popularity, the security of its smart contracts is not thoroughly tested. Testing is crucial both to delivering the brand value promised to partners and to fostering investors’ confidence in your project.

In this article, we walk through the possible Solana coding defects and how auditing helps identify and rectify them.

Different Scenarios Of Hacks On Solana Blockchain Explained

Wormhole Hack 

Wormhole, a blockchain bridge that facilitates tokenised exchanges between different blockchains, joined the string of hacked crypto projects. The total loss of funds was around $320 million, one of the major money laundering events in the crypto field.

History of hack

As we know, Wormhole allows the transfer of assets between different blockchains. But how is it done?

Tokens created on each chain, i.e. Ethereum or Solana, are managed by smart contracts. To transfer tokens, the transactions are approved by Guardians, who check whether the minted tokens are correctly generated by verifying their signatures.

In the Wormhole incident, the verify_signature function was exploited: the hacker created an instruction with fake data to validate their transactions.

Through this, the hacker created a signature_set containing the number of signatures required for Validator Action Approval (VAA), and thereby gained the ability to initiate the unauthorized mint.

In this way, the hacker laid hands on 120,000 wrapped Ethereum worth $320 million and looted them.
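
The failure described above, trusting a record of signature checks without validating where it came from, is shown here as an added example beside its hardened form. This is a constructed model in plain Rust, not Wormhole's code: the `Account` type, the `TRUSTED_RECORD_KEY` placeholder, the guardian count and the quorum are assumptions made for illustration.

```rust
// Constructed model, not Wormhole's code: mint approval that relies on a record of
// signature checks read from an account supplied by the caller.
const TRUSTED_RECORD_KEY: [u8; 4] = *b"SYSV"; // placeholder id of the runtime-owned account
const GUARDIANS: usize = 5; // constructed guardian count
const QUORUM: usize = 4; // constructed approval threshold

struct Account {
    key: [u8; 4],
    verified_signers: Vec<usize>, // guardian indexes the record claims were verified
}

struct SignatureSet {
    signed: [bool; GUARDIANS],
}

/// Builds a signature_set from the record. With `check_source == false` the record's
/// origin is never validated, so any account carrying fake data is accepted.
fn verify_signature(record: &Account, check_source: bool) -> Result<SignatureSet, &'static str> {
    if check_source && record.key != TRUSTED_RECORD_KEY {
        return Err("signature record does not come from the trusted account");
    }
    let mut set = SignatureSet { signed: [false; GUARDIANS] };
    for &g in &record.verified_signers {
        if let Some(slot) = set.signed.get_mut(g) {
            *slot = true; // out-of-range indexes are ignored
        }
    }
    Ok(set)
}

/// The mint is approved only when the signature_set reaches quorum.
fn approve_mint(record: &Account, check_source: bool) -> bool {
    match verify_signature(record, check_source) {
        Ok(set) => set.signed.iter().filter(|s| **s).count() >= QUORUM,
        Err(_) => false,
    }
}

fn main() {
    let forged = Account { key: *b"FAKE", verified_signers: (0..GUARDIANS).collect() };
    let genuine = Account { key: TRUSTED_RECORD_KEY, verified_signers: vec![0, 1, 2, 4] };
    println!("unchecked, forged record: {}", approve_mint(&forged, false));
    println!("checked, forged record:   {}", approve_mint(&forged, true));
    println!("checked, genuine record:  {}", approve_mint(&genuine, true));
}
```

An audit of such code looks for every account whose contents influence an approval decision and confirms its key or owner is compared against a known value before the data is read.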

Crema Finance Hack 

Crema Finance, a liquidity protocol among the Solana blockchain projects, suffered a hack that lost $8.78 million.

History of Hack

The hacker deployed a smart contract to take a flash loan on Solana and add liquidity on Crema. The pricing data was then manipulated, allowing the hacker to make it look as though they owned a huge fee amount, all with fake data.

The Crema team traced the flow of funds, which the hacker managed to swap from Solana to Ethereum. The team immediately called on the hacker to return the stolen funds in exchange for a bounty.

Soon after, the hacker returned the funds, retaining $1.6M as a white hat bounty.

Cashio Hack 

Cashio (CASH), a native algorithmically-backed stablecoin of Solana, lost a whopping $52.8 million due to an infinite mint error. Following this, the value of the coin went from $1 to $0.00005, crashing the DeFi ecosystem.

History Of The Hack

Exploiting Cashio’s codebase, the hacker first minted two billion CASH tokens. What was wrong with the code?

The Infinite Mint Glitch: this error in the protocol lets a user mint any number of tokens without placing any collateral. The user can then sell these minted tokens on exchanges, which crashes the price of the coin.

In the Cashio exploit, the hacker burnt part of the two million CASH tokens in exchange for Saber USDT-USDC LP tokens. The Liquidity Pair tokens were then swapped for USDC and USDT tokens, draining $52.8M.

How To Safeguard Projects From Hacks And Thefts?

While security is always a work-in-progress, the tried and tested techniques adopted by developers and auditors make it harder for hackers to perform attacks.

Security measures have proved effective in eliminating governance attacks, price oracle manipulation, reentrancy errors, etc. So, let’s now look at the security measures that deter attackers from exploiting contracts and laundering money.

Smart coding of contracts: Write contracts using secure coding practices, which include the use of tested libraries, a recommended programming language, implementing special security on wallets, defining functions clearly and so on.

Follow a blockchain security checklist: Many well-researched resources are available which can be checked through to ensure protection from hacks.

Use of security audit tools: Open-source security scanners are available to do automated vulnerability checks on contracts and identify potential flaws in the contracts.

Automated scanning might not be effective in spotting every error, but it helps as a basic check. Different kinds of audit tools help identify bugs in the blockchain and smart contracts, such as MythX, Echidna, Manticore, Oyente, SmartCheck, etc.

Undertake Pentesting and auditing services: Last but not least, auditing smart contracts can never be underrated. Minute loopholes help the hackers find a way to intrude and crash the contracts.

Security audits and periodic pentesting thoroughly analyse the project and eliminate even the slightest possibilities for the hackers. Since auditing and pentesting services hold great significance in offering security, let’s look step by step at how it’s done.

Role Of Auditing In Securing Smart Contracts

Auditing involves a series of steps from automated testing to manual review, widely covering all the aspects of coding and checking for any weak spots present in the code. Some of the specifications covered in the Solana auditing process include:

  • Functionality checks
  • Freezing of a contract
  • Token supply manipulation
  • User balance manipulation
  • Kill-switch mechanism
  • Operation trials & event generation, and so on

Steps Followed By QuillAudits to Audit a Solana Smart Contract

The auditing of Solana smart contracts is done with the utmost diligence, and a detailed audit report is furnished with all the analysis from the auditing. The step-by-step workflow is given below.

Step 1- Gathering Details

The idea and the intended purpose of the project are collected from the client and studied to gain complete knowledge of the code and its functioning. Once the discussions are over, the auditors freeze the code to move to the next step of the auditing process.

Step 2- Manual testing

Our experienced in-house auditors check for the intricacies and vulnerability concerns in the code. It includes looking out for mathematical errors, logical issues, etc.

Step 3- Functionality testing 

This process comprises testing contracts under different conditions and verifying data fetched by the Solana smart contracts. The smart contract is tested to ensure the intended actions are performed correctly.

Step 4- Testing on latest attack vectors

The recent attacks are studied, and tests are carried out on smart contracts to make sure they offer full resistance to attacks. It includes checking for attacks such as market manipulation, LP pricing, front running vectors, etc. 

Step 5- Automated tool testing

Tools such as Soteria, cargo-clippy, cargo-audit and specialised tools for Solana smart contract auditing are run to look out for any errors. We also use techniques like fuzzing to exercise real-world attack vectors as much as possible.

Step 6- Initial audit report

The initial audit report presents the bugs in the contract, and we then send it to the developer team to resolve them.

Step 7- Final audit report

The corrections made by the development team are re-tested, and then the final audit report is submitted.
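
The fuzzing mentioned in Step 5, applied to the infinite-mint defect from the Cashio section, is sketched here as an added example. It is a constructed model in plain Rust, not Cashio's or QuillAudits' code: the `Vault` type, the missing collateral-token check and the hand-rolled PRNG are assumptions made for illustration.

```rust
// Constructed model, not Cashio's code: a vault that mints one stablecoin unit per
// collateral unit deposited. `check_mint` toggles validation of the collateral token.
#[derive(Clone, Copy, PartialEq)]
enum Token { AcceptedLp, Unknown }
struct Vault { check_mint: bool, collateral: u64, supply: u64 }

impl Vault {
    fn deposit_and_mint(&mut self, token: Token, amount: u64) -> Result<(), &'static str> {
        if self.check_mint && token != Token::AcceptedLp {
            return Err("collateral token is not the accepted mint");
        }
        if token == Token::AcceptedLp { self.collateral += amount; } // only accepted LP backs supply
        self.supply += amount; // defect when unchecked: minted for any token
        Ok(())
    }
    fn burn_and_withdraw(&mut self, amount: u64) -> Result<(), &'static str> {
        if amount > self.supply || amount > self.collateral { return Err("insufficient balance"); }
        self.supply -= amount;
        self.collateral -= amount;
        Ok(())
    }
}

// xorshift64: small deterministic PRNG so a failing run can be replayed from its seed.
fn next(state: &mut u64) -> u64 {
    *state ^= *state << 13; *state ^= *state >> 7; *state ^= *state << 17;
    *state
}

/// Applies `steps` random operations and returns the first step at which the
/// invariant `supply <= collateral` is broken, or None if it always holds.
fn fuzz_supply_invariant(check_mint: bool, seed: u64, steps: u32) -> Option<u32> {
    let (mut vault, mut rng) = (Vault { check_mint, collateral: 0, supply: 0 }, seed);
    for step in 0..steps {
        let r = next(&mut rng);
        let amount = (r >> 8) % 1_000;
        let _ = match r % 3 {
            0 => vault.deposit_and_mint(Token::AcceptedLp, amount),
            1 => vault.deposit_and_mint(Token::Unknown, amount),
            _ => vault.burn_and_withdraw(amount),
        };
        if vault.supply > vault.collateral { return Some(step); }
    }
    None
}

fn main() {
    println!("unchecked vault: {:?}", fuzz_supply_invariant(false, 0x9E37_79B9, 1_000));
    println!("checked vault:   {:?}", fuzz_supply_invariant(true, 0x9E37_79B9, 1_000));
}
```

The value of the harness is the stated invariant: token supply manipulation shows up as a violated property without the auditor having to guess the exact call sequence in advance.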

Final Thoughts

This makes clear the need for Solana smart contract auditing services to resolve the conceivable flaws and technical mishaps and shield contracts from hackers.

And not to mention, QuillAudits has the expertise, armed with advanced tools and techniques, to undertake the auditing services and deliver assured results. You needn’t search elsewhere as we’re just a click away.

FAQs

What is the Solana smart contract coding language?

Solana smart contracts are written in the Rust programming language, with the program containing Solana-specific mechanisms.

Is Solana faster than Ethereum?

Certainly, yes. Solana can process up to 70,000 transactions per second, and Ethereum only 30 transactions. Also, the block time of Solana is one second, while Ethereum’s is 15 seconds.

What are the major challenges faced by Solana smart contracts?

The general issues faced by Solana smart contracts include outdated dependencies, redundant/repeated code, uninitialised memory in Rust code, etc.

How do you audit Solana smart contracts?

QuillAudits performs an in-depth examination of the components of smart contracts and the libraries imported, apart from the Rust code itself. We do a manual code review and an exhaustive scan to verify the program’s inputs via fuzzing.

What is the significance of smart contract auditing?

Blockchain is attracting the attention of billions, including hackers. In short, auditing is crucial to prevent potential vulnerabilities and ensure the project’s credibility. 
