Announcing sec3 X-Ray Premium
We are glad to announce the first release of sec3 X-Ray Premium: an auto-auditing service offered by the sec3 (formerly Soteria) team that scans Solana smart contracts for a large list of security vulnerabilities.
sec3 X-Ray Premium has a number of features:
Vulnerability Detection Report showing detected issues with code annotations. The report header displays the program name, date/time, build version, and detected vulnerability count. Below it, expandable panels such as "Untrustful Account No.1" show the description and the relevant source code lines (the `>` marks the flagged line):

```
55| has_one = market,
56| has_one = vault,
57| has_one = loan_note_mint)]
58| pub reserve: Loader<'info, Reserve>,
59|
60| /// The reserve the collateral is from
61|> pub collateral_reserve: Loader<'info, Reserve>,
62|
63| /// The reserve's vault where the payment will be transferred to
64| #[account(mut)]
65| pub vault: AccountInfo<'info>,
66|
67| /// The mint for the debt/loan notes
```
- It detects 50+ types of common security vulnerabilities in Solana programs written in Rust, including all the common pitfalls by Neodyme and all the insecure Anchor usages in sealevel-attacks. See the full list in the section "Solana Vulnerabilities and Exposures (SVE)". The list is expanding.
- It is fast: it typically generates a report in less than five minutes, even for large projects such as Metaplex.
- It works for both Anchor and non-Anchor based projects.
- It provides a web UI to navigate the reported vulnerabilities.
- It is available 24x7.
- …
A dashboard of Sec3 Premium is shown below:

Screenshot: Sec3 Premium dashboard showing the "MY TASKS" view. A completed task displays its status as "Completed," file size (4.08 MB), creation and update timestamps, and a Summary section listing "40 untrustful account issues" and "1 unsafe operation issue." Buttons for "View Full Report" and "Download PDF" are shown below the summary.
Solana Vulnerabilities and Exposures (SVE)

The auto-auditor currently detects the following list of Solana-specific SVEs (accumulated by the Sec3 team):

| SVE | Checker | Description |
|---|---|---|
| SVE1001 | MissingSignerCheck | The account is missing a signer check |
| SVE1002 | MissingOwnerCheck | The account is missing an owner check |
| SVE1003 | IntegerAddOverflow | The add operation may result in an overflow |
| SVE1004 | IntegerUnderflow | The sub operation may result in an underflow |
| SVE1005 | IntegerMulOverflow | The mul operation may result in an overflow |
| SVE1006 | IntegerDivOverflow | The div operation may result in an overflow |
| SVE1007 | UnverifiedParsedAccount | The account is not validated before its data is parsed |
| SVE1008 | DuplicateMutableAccount | These two accounts are both mutable and may be the same account |
| SVE1009 | InsecureAccountClosing | The account is not securely closed |
| SVE1010 | TypeFullCosplay | These two account data types are fully compatible and can be used to launch type confusion attacks |
| SVE1011 | TypePartialCosplay | These two account data types are partially compatible and may be exploited by type confusion attacks |
| SVE1012 | DivideByZero | The arithmetic operation may result in a divide-by-zero error |
| SVE1013 | AccountReInitialization | The account is vulnerable to program re-initialization |
| SVE1014 | BumpSeedNotValidated | The account's bump seed is not validated and may be vulnerable to seed canonicalization attacks |
| SVE1015 | InsecurePDASharing | The PDA sharing with these seeds may be insecure |
| SVE1016 | ArbitraryCPI | The spl_token account may be arbitrary |
| SVE1017 | MaliciousSimulation | The program may contain malicious simulation |
| SVE1018 | UnsafeSysVarAPI | The sysvar instructions API is unsafe and deprecated (wormhole exploit) |
| SVE1019 | UnvalidatedAccount | The account is not properly validated and may be untrustful |
| SVE1020 | OutdatedDependency | The program has outdated and vulnerable dependencies |
| SVE1021 | UnsafeRust | The program contains unsafe Rust code |
| SVE1022 | OverPayment | The code lacks a check to prevent overpayment |
| SVE1023 | StalePriceFeed | The code may use a stale price feed (solend loss) |
| SVE1024 | MissInitTokenMint | The init instruction does not mint pool tokens |
| SVE1025 | MissRentExempt | The account is missing a rent-exemption check |
| SVE1026 | MissFreezeAuthority | The account is missing a freeze-authority check |
| SVE1027 | FlashLoanRisk | The instruction may suffer from flash loan attacks |
| SVE1028 | InconsistentRounding | The arithmetic here has inconsistent rounding |
| SVE1029 | CastTruncation | The cast operation here may lose precision due to truncation |
| SVE2001 | IncorrectLogic | Loop break instead of continue (jet-v1 exploit) |
| SVE2002 | IncorrectCalculation | Liquidation condition should be > instead of >= |
| SVE2003 | ExponentialCalculation | The calculation has exponential complexity |
| SVE3001 | BestSecurityPractice | The code does not follow best security practices |
| SVE3002 | RedundantCode | The code is redundant or unused |
| SVE3003 | InconsistentAnchor | The program uses Anchor inconsistently across different instructions |
| SVE3004 | InconsistentConfig | The configuration and initialization data are inconsistent |
The list of SVEs above will be expanded continuously as Sec3 team audits more Solana projects.
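To make the first few table entries concrete, here is an added example (not sec3's code and not from any audited project): an instruction handler in its insecure and hardened forms, where each guard in the hardened form corresponds to one SVE (signer check, owner check, duplicate mutable account, checked arithmetic). It uses a constructed stand-in for Solana's `AccountInfo` and a constructed `PROGRAM_ID` so it runs without the `solana_program` crate.

```rust
// Added illustration, not sec3's code: a minimal stand-in for Solana's AccountInfo
// so the checks behind SVE1001/1002/1003/1004/1008 can run without solana_program.
#[derive(Debug, Clone, PartialEq)]
pub struct AccountInfo {
    pub key: [u8; 32],   // account address
    pub owner: [u8; 32], // program that owns the account's data
    pub is_signer: bool,
    pub lamports: u64,
}

#[derive(Debug, PartialEq)]
pub enum ProgramError { MissingSigner, IllegalOwner, DuplicateAccount, ArithmeticOverflow }

/// Constructed program id: only accounts owned by it may be trusted (SVE1002).
pub const PROGRAM_ID: [u8; 32] = [7u8; 32];

/// Builds a sample account; `key` is repeated into a constructed 32-byte address.
pub fn account(key: u8, owner: [u8; 32], is_signer: bool, lamports: u64) -> AccountInfo {
    AccountInfo { key: [key; 32], owner, is_signer, lamports }
}

/// Insecure transfer: the authority is never verified (SVE1001), owners are not
/// checked (SVE1002), `from` and `to` may be the same on-chain account passed twice
/// (SVE1008), and the arithmetic wraps silently as in a build without
/// overflow-checks (SVE1003/SVE1004).
pub fn transfer_insecure(_authority: &AccountInfo, from: &mut AccountInfo, to: &mut AccountInfo, amount: u64) {
    from.lamports = from.lamports.wrapping_sub(amount);
    to.lamports = to.lamports.wrapping_add(amount);
}

/// Hardened transfer: each guard corresponds to one SVE from the table above.
pub fn transfer_secure(
    authority: &AccountInfo, from: &mut AccountInfo, to: &mut AccountInfo, amount: u64,
) -> Result<(), ProgramError> {
    if !authority.is_signer { // SVE1001
        return Err(ProgramError::MissingSigner);
    }
    if from.owner != PROGRAM_ID || to.owner != PROGRAM_ID { // SVE1002
        return Err(ProgramError::IllegalOwner);
    }
    if from.key == to.key { // SVE1008: same account supplied as both from and to
        return Err(ProgramError::DuplicateAccount);
    }
    let new_from = from.lamports.checked_sub(amount).ok_or(ProgramError::ArithmeticOverflow)?; // SVE1004
    let new_to = to.lamports.checked_add(amount).ok_or(ProgramError::ArithmeticOverflow)?; // SVE1003
    from.lamports = new_from; // commit only after every check has passed
    to.lamports = new_to;
    Ok(())
}
```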
How To Use Sec3 Premium

Sec3 Premium is currently open to a short list of Pilot (paid) customers.

Each pilot customer will receive an invitation link. The link provides a unique ID to access the Sec3 Premium service:

Screenshot: The "MY TASKS" page for a new user, showing "Currently you don't have any task." with a "Create a new task" button.

Following are the steps to use the service:

1. Click "Create a new task":

   Screenshot: The "NEW TASK" form with fields for "Task Name" (placeholder: "Enter a name for the task") and "Source Code" (placeholder: "Enter the URL of Github repo") with an "Upload from local" button as an alternative. "Create Task" and "Cancel" buttons appear at the bottom.

2. Enter a "Task Name" and provide the "Source Code" (either a Github URL if it is open source, or upload a compressed folder):

   Screenshot: The "NEW TASK" form filled in with Task Name "test" and Source Code URL "https://github.com/soteria-bc/test". The downloaded file "test-master.zip" (4.09 MB) is shown below the URL field.

3. Click "Create Task" and then "Confirm Payment and Run Task":

   Screenshot: The "Review and Confirm Order" page showing the task with Status "Ready," Size 4.09 MB, creation timestamp, Price $0, and a "Confirm Payment and Run Task" button.

4. Wait for the task to complete and then click "View Full Report". The analysis time for a typical project is less than two minutes.

   Screenshot: The "MY TASKS" view showing the task with Status "In-progress," Size 4.09 MB, and a loading indicator.

   Screenshot: The completed task view showing Status "Completed," Size 4.09 MB, timestamps, and a Summary with "40 untrustful account issues" and "1 unsafe operation issue." Buttons for "View Full Report" and "Download PDF" are available.

5. Finally, browse the reported vulnerabilities.
Annotations to ignore warnings

> Note: Most of the SVEs are semantic or logic issues, thus the reported vulnerabilities are only potential warnings and are not necessarily attacker-exploitable.

To ignore certain warnings, add the annotation `//#[x-ray(ignore)]`. Any statement annotated with it will be ignored. For example (the examples below use the `soteria` spelling of the annotation):

```rust
//#[soteria(ignore)]
let system_program_info = next_account_info(account_info_iter)?;
```

For Anchor:

```rust
#[derive(Accounts)]
pub struct Withdraw<'info> {
    //#[soteria(ignore)]
    pub authority: AccountInfo<'info>,
}
```
Relationship with full sec3 audit

> We expect that sec3 Premium will be used in the development phase to continuously audit Solana programs upon any code change at any time. It will significantly reduce the time and cost of a final manual audit.

Note that the auto-auditor service is not the same as the full manual audit offered by the sec3 team. sec3's full audit relies on human experts to perform exhaustive manual reviews (assisted by in-house X-Ray tools). The full audit is expected to discover vulnerabilities that are not covered by the auto-auditor.

sec3 Audit

Sec3 was founded by leading minds in the fields of blockchain security and software verification. We are pleased to provide full audit services to high-impact Dapps on Solana. Please visit sec3.dev or email contact@sec3.dev