Research & Insights
Security research, audit insights, tooling updates, and ecosystem analysis from the Sec3 team.
IDL Guesser
The Solana ecosystem thrives on innovation, but many Anchor-based programs do not publish up-to-date IDLs, which complicates the analysis of such programs and their transactions. To tackle this, we developed and open-sourced a prototype tool called IDL Guesser. This tool aims to automatically recover instruction definitions, required accounts (including signer/writable flags), and parameter information directly from closed-source Solana program binaries. This blog outlines the approach behind IDL Guesser and discusses potential areas for future improvement.
Sec3 Ranked First in the CTF-Sui of the 2023 MetaTrust CTF
Last week, our very own senior security researcher Q7 clinched the top spot in the CTF-Sui track of the 2023 MetaTrust Web3 Security CTF. Competing against nearly 600 teams, Q7 aced challenges ranging from Solidity puzzles to Sui Move challenges, securing two first bloods and two second bloods. In this blog post, we dive deep into the intricacies of these challenges, offering detailed solutions and insights
Introducing Owl LM (OwLLM v1): The First Open-Source Large Language Model for Web3
Today, we're excited to open-source OwLLM v1.0 (colloquially called “Owl LM”), the first Open-source, web3-native Large Language Model. OwLLM has been trained on millions of transactions, has more than 100 million parameters, and is designed to be chain-agnostic.
All About Anchor Account Size
Smart contracts using Anchor require developers to allocate space for new accounts and specify the account size. Anchor provides guidelines for calculating the size based on the account structure, but many developers use std::mem::size_of instead, as they don't have to manually update the size when making changes to the account structure. Are they equivalent? In this blog post, we conduct a systematic comparison of the results produced by std::mem::size_of and the Anchor space reference.
How Cross-Chain Bridges Work: A Wormhole Case Study (Part 4)
Following Part 1, 2 and 3, this article focuses on explaining how Wormhole prevents double-delivery of the same message?
How Cross-Chain Bridges Work: A Wormhole Case Study (Part 3)
Following Part 1 and Part 2, this article focuses on explaining how Wormhole ensures the bridged tokens are correct.
How Cross-Chain Bridges Work: A Wormhole Case Study (Part 2)
Following Part 1, in this article we focus on guardian signatures verification in Wormhole on both Solana and Ethereum.
How Cross-Chain Bridges Work: A Wormhole Case Study (Part 1)
In this article series, we will elaborate on the internals of cross-chain bridges, how they are implemented and what their caveats are from the user's perspective. We will use a state-of-the-art bridge Wormhole as an example.
Sec3 Ranked First in the Aptos CTF MOVEment 2022
We're very excited to announce that our team scored first place in the Aptos Capture The Flag competition MOVEment with Aptos Dec 2022. We got two first-bloods and two second-bloods in the four challenges except for the sanity check, ranking first in the end.
How to Analyze an Attack?
In this article series, we will conduct in-depth post-hack investigations on a few representative attacks on on-chain protocols and share the techniques and tools used by the sec3 core team to understand the attacks.
Proactive After-Deployment Monitoring
Besides rigorous internal code reviews and external auditing, we are frequently asked by our customers: what we should do to keep our protocol safe once it's deployed on the chain?
Security of Solana Smart Contracts
The SPL Associated Token Program is used frequently in Solana smart contracts. We reviewed its technical details in a prior article. In this article, we focus on two important caveats of using associating token accounts as learned by the Sec3 core team.
Announcing sec3 WatchTower
sec3 announces the first release of WatchTower: an in-situ threat monitoring service for Solana smart contracts to detect, prevent and stop security attacks in real time.
A Review of Recent Hacks on Solana
Solana ecosystem has seen super rapid growth while witnessing multiple hacks (involving Wormhole, CashioApp, CremaFinance, Nirvana, and Slope Wallet), which collectively caused close to $400 million losses. In this article, we review the essence of these hacks and aim to find effective solutions to prevent such attacks in the future.
Security of Solana Smart Contracts
The same seeds with multiple valid bumps can have crucial security implication: PDAs can be faked if their bump seeds are not validated
Bidirectional Rounding
If a smart contract has a bidirectional function or functions (e.g., swap between a pair of tokens or mint/redeem a token) and the function uses the same rounding operation over arithmetic results in both directions, then the function is likely vulnerable to two-way trading attacks.
On Smart Contracts
While Solana’s core runtime is still under rapid development, its design of smart contracts has been fairly stable. In this article, I’d like to elaborate why Solana is more secure from the perspective of smart contracts.
Solana Programs Part 4
The Metaplex Candy Machine is among the most popular smart contracts used for NFT minting on Solana. Recently, it has even implemented sophisticated logic for detecting and taxing bots. How does the candy machine program work internally? What are its intended use cases and dependencies? How does it detect bots? This article elaborates on these technical details.
Announcing sec3 X-ray Security Scanner
sec3 X-ray scanner software is a security scanner specifically designed for Solana smart contracts. sec3 X-ray can detect more than 50 types of security vulnerabilities and can be integrated into the GitHub CI development process. Integrating sec3 X-ray into your protocol's development process can shift security practices left, reduce costly security issues, and speed up time-to-market. sec3 Xray has been adopted at leading Solana Protocols; try it out today!
Solana programs Part 3: understanding Metaplex Token Metadata
In this article, we elaborate on the implementation details of token-metadata.
Solana Programs Part 2: Understanding SPL Associated Token Account
Following Part 1: understanding SPL Token Mint, this article introduces the technical details of the SPL associated token program, another popular official Solana smart contract.
On a $20M Bug in Jet Protocol
Recently, Charlie You disclosed a vulnerability in the Jet Protocol. The vulnerability would have caused $20m loss of Jet users’ funds if exploited. Fortunately, Jet patched it before any user was affected. sec3 team identified something tricky in Jet-v1’s code and had a discussion with Charlie shortly after the disclosure. It turns out that the vulnerability has a different cause (unexpected by Charlie)
CashioApp Attack - What’s the Vulnerability and How Soteria Detects It
The Cashio stablecoin (CASH) protocol recently lost $50M in an attack. The attacker was able to mint 2,000,000,000 CASH tokens for almost free. The root cause is a vulnerability in the Cashio’s brrr smart contract. Soteria team conducted an in-depth analysis of the attack. Importantly, the vulnerability can be automatically detected by Soteria’s Premium Auto Auditor. This article elaborates on the details.
Solana Programs Part 1
Most user-deployed Solana smart contracts (directly or transitively) use the token program to mint/transfer/burn tokens (i.e., SPL tokens). SPL tokens are similar to ERC20/ERC721 token with tricky differences. In this article, we elaborate on the SPL tokens and introduce the internals of the most commonly used instructions in the token program.
Announcing sec3 X-Ray Premium
We are glad to announce the first release of Sec3 Premium: an auto-auditing service offered by Sec3 team to scan a large list of security vulnerabilities in Solana smart contracts.
Solana Internals Part 4
Following Part 3: the TPU, this article elaborates on the bank module, a core component of Solana blockchain.
Solana Internals Part 3
Solana recently experienced severe performance degradation due to network congestion. The TPS (number of transactions processed per second) dropped by orders of magnitude (from thousands to tens) for several hours. Technically, this problem is caused by performance bugs in Solana, in particular — the transaction processing unit (TPU). This article elaborates on the design of the TPU and highlights some intricacies.
Solana Internals Part 2
What happens inside Solana when you deploy a smart contract to the Solana Mainnet? Can a Solana program be modified or closed? How to upgrade a Solana program? Who is authorized to change a Solana program? This article focuses on the upgradability of Solana programs and highlights some intricacies.
Solana Internals Part 1
Solana has a few built-in (native on-chain) programs (e.g., system_program, spl_token, stake, vote, ed25519, etc) that provide essential instructions and are generally trusted. In this article, we introduce the internals of these programs, and highlight some of the intricacies.
Solana Stake Pool: A Semantic Inconsistency Vulnerability Discovered by X-Ray
This article describes our journey in discovering the vulnerability and constructing the PoC. We note that the stake-pool code was audited before by multiple companies, which motivates the need of a more comprehensive and systematic audit process.
How to Audit Solana Smart Contracts Part 4: The Anchor Framework
Following Part 3: penetration testing, this article introduces the internals of Anchor, a popular framework for writing and testing Solana smart contracts.
How to Audit Solana Smart Contracts Part 3: Penetration Testing
In this article, we introduce a few penetration testing tools to help detect vulnerabilities in Solana or Rust programs in general.
sec3 Project Received a Grant From Solana Foundation
sec3 project is honored to announce it received a grant from Solana Foundation. sec3 team will continue to build tools and services for developers and builders in Solana Ecosystem to tackle security challenges. Thanks!
How to Audit Solana Smart Contracts Part 2: Automated Scanning
Following Part 1: a systematic approach, this article introduces a few automated scanning tools to help audit Solana smart contracts.
How to Audit Solana Smart Contracts Part 1: A Systematic Approach
In this article series, we will introduce a systematic approach including a few automated techniques for auditing Solana smart contracts.
Solana Bug Bounty Hunting With X-Ray
Recently, using X-Ray, we identified a vulnerability in an on-chain Solana smart contract (jet-v1) and have been awarded a bug bounty. We thank the Jet Protocol team and Immunefi for their quick responses and generous support. The fix has been applied in this commit. This article shares our bug hunting experience with X-Ray.
Understanding Arithmetic Overflow/Underflows in Rust and Solana Smart Contracts
Rust is a popular language used in blockchains such as Solana and Polkadot. For many developers, it may be a misconception that Rust is memory-safe so it is free of arithmetic overflow/underflows. This article explains why Rust programs still suffer from arithmetic errors, how these issues affect blockchain security, and how to deal with them in smart contracts.
X-Ray: A Vulnerability Scanner for Solana Smart Contracts
This article introduces X-Ray, a security tool that automatically scans Solana programs to detect common security pitfalls.
From Ethereum Smart Contracts to Solana Programs: Two Common Security Pitfalls and Beyond
Why Solana programs are faster than Ethereum smart contracts? What are their key differences? This article explains an essential difference between the two and illustrates two common security pitfalls in Solana programs.
Why gas fees are crazily high on Ethereum and what's the rescue?
Transaction fees on Ethereum are crazily high recently. A token swap sometimes costs over $1000 gas fees, why? This article explains the underlying reasons and introduces a new solution that significantly reduces gas fees.