Because of its increased scalability, Solana claims to be the fastest-growing blockchain network. The fact that it is based on proof-of-history consensus accounts for its greater scalability in processing up to 710,000 transactions per second.
Even though Solana is extremely popular, the security of its smart contracts has not been thoroughly tested. And testing is equally important in delivering the brand value promised to partners and fostering investor trust in your project.
This article will cover the various Solana coding flaws and how auditing can help identify and correct them.
Different Hacking Scenarios on Solana Blockchain
Wormhole, a blockchain bridge that allows tokenized exchanges between different blockchains, has joined the list of hacked crypto projects. The total loss of funds is estimated to be around $320 million, making this one of the most significant money laundering incidents in the crypto field.
Wormhole, as we know, enables the transfer of assets between blockchains. But the question is, how is it accomplished?
Smart contracts manage the tokens created on each chain, such as Ethereum or Solana. And to transfer the tokens, the transactions must be approved by Guardians, who verify the signatures of the minted tokens.
In the Wormhole incident, the hacker used the verify _signature function to create an instruction with fake data to validate their transactions.
This allowed the hacker to create a signature set with the necessary number of signatures for Validator Action Approval (VAA). As a result, the hacker gained access to start the unauthorized mint.
The hacker was able to obtain 120,000 wrapped Ethereum worth $320 million and loot them as a result of this.
Crema Finance Cheat
Crema Finance, a liquidity protocol on the Solana blockchain project list, was hacked and lost $8.78 million.
The hacker used a smart contract to take out a Solana flash loan and add liquidity to Crema. The pricing data was then manipulated, allowing the hackers to appear to own a large fee amount—all with fictitious data.
The Crema team tracked the flow of funds from Solana to Ethereum that the hacker was able to transfer. The team immediately advised the hacker to accept the bounty and return the stolen funds.
Soon after, the hacker returned the funds while keeping $1.6 million as a white hat bounty.
Cashio (CASH), Solana’s native algorithmically-backed stablecoin, lost $52.8 million due to an infinite mint error. Following this, the coin’s value dropped from $1 to $0.00005, crashing the DeFi ecosystem.
The Hack’s History
The hacker created two billion CASH tokens using Cashio’s codebase. What was the problem with the code?
The Infinite Mint Glitch—This protocol flaw allows the user to mint an infinite number of tokens without placing any collateral. The user can then sell these newly minted tokens on exchanges, causing the coin’s price to plummet.
The hacker burned two million CASH tokens in exchange for Saber USDT-USDC LP tokens in the Cashio exploit. The Liquidity Pair tokens are then exchanged for USDC and USDT tokens, resulting in a loss of $52.8 million.
How Can You Protect Your Projects From Hacks And Theft?
While security is always a work in progress, Defi smart contract development services providers use the tried and tested techniques. Auditors can reduce the ease with which hackers can perform attacks.
Security measures have effectively prevented governance attacks, price oracle manipulation, reentrancy errors, and other problems. So, let’s look for security measures that discourage attackers from exploiting contracts and laundering money.
Smart contract coding: Write contracts using secure coding practices, such as using tested libraries, a recommended programming language, implementing exceptional security on wallets, clearly defining functions, and so on.
Implement the blockchain security checklist: Numerous well-researched resources can be used to ensure hacker protection.
Use of security audit tools: Open-source security scanners are available to perform automated vulnerability checks on contracts and identify potential flaws.
It may not be effective in detecting errors, but it is helpful for a quick check. Audit tools such as MythX, Echidna, Manticore, Oyente, SmartCheck, and others aid in the detection of bugs in blockchain and smart contracts.
Pentesting and auditing services: Lastly, smart auditing contracts should never be overlooked. Minute flaws allow hackers to infiltrate and disrupt the agreements.
Security audits and pentesting thoroughly analyze the project and eliminate even the most remote possibilities for hackers. Knowing that auditing and pen-testing services are more critical in providing security, let’s go over how it’s done step by step.
Auditing’s Role in Smart Contract Security
Auditing entails a series of steps ranging from automated testing to manual review, covering all aspects of coding and looking for any flaws in the code. The following specifications are covered in the Solana auditing process:
- Checks for functionality
- Contract suspension
- Manipulation of the token supply
- Manipulation of user balance
- Mechanism of death
- Trial operations and event generation
The Procedure for Auditing a Solana Smart Contract
Solana smart contracts are audited with the utmost care, and a well-elaborated audit report is provided with all the auditing analysis. The workflow is outlined below in detail.
Step 1: Gathering Information
The client’s idea and intended purpose of the project is collected and studied to understand and gain complete knowledge of the code and its operation. Following the conclusion of the discussions, the auditors freeze the code to proceed to the next stage of the auditing process.
Step 2: Manual testing
Experienced Defi Development company examines the code for complexities and vulnerabilities. It entails looking for mathematical errors, logical problems, and so on.
Step 3: Perform functional testing
This procedure entails testing contracts under various conditions and verifying data retrieved by Solana smart contracts. The smart contract is tested to ensure that the intended actions are carried out correctly.
Step 4: Perform testing on the most recent attack vectors.
Recent attacks are studied, and smart contracts are tested to ensure they are fully resistant to attacks. Checking for attacks such as market manipulation, LP pricing, front running vectors, and so on.
Step 5: Tool testing automation
Tools such as Soteria, cargo-Clippy, cargo-audit, and specialized tools for Solana smart contract auditing are used to detect errors.
Step 6: Initial audit report
The initial audit report presents the contract’s bugs, which we then send to the developer team to resolve.
Step 7: Complete the audit report.
The report is tested for development team corrections before the final audit report is submitted.
This emphasizes the importance of Solana smart contract auditing services in resolving potential flaws and technical errors to protect them from hackers.