DEV Community: Mira The latest articles on DEV Community by Mira (@4k_mira). https://dev.to/4k_mira https://media2.dev.to/dynamic/image/width=90,height=90,fit=cover,gravity=auto,format=auto/https:%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Fuser%2Fprofile_image%2F471792%2F57bb87a6-1051-4372-954f-e5114a71b614.png DEV Community: Mira https://dev.to/4k_mira en Solana Vulnerabilities Every Developer Should Know Mira Sat, 31 Jan 2026 12:22:38 +0000 https://dev.to/4k_mira/solana-vulnerabilities-every-developer-should-know-389l https://dev.to/4k_mira/solana-vulnerabilities-every-developer-should-know-389l <h2> Solana Security: The $500M+ Lesson </h2> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fh84iyxyka5zvlmtr3qft.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fh84iyxyka5zvlmtr3qft.png" alt="Solana, rust, anchor, pinocchio" width="800" height="533"></a></p> <p>$325 million stolen from Wormhole. $115 million drained from Mango Markets. $52 million vanished from Cashio. These aren't hypothetical scenarios or theoretical attacks. These are real hacks that happened on Solana, affecting real projects, and costing real money to real people.</p> <p>Between 2021 and 2025, Solana-based protocols have lost over $450 million to exploits, with individual incidents ranging from hundreds of thousands to hundreds of millions of dollars. The DEXX hack in November 2024 alone affected over 9,000 wallets and drained $30 million. In January 2025, the NoOnes bridge exploit siphoned $8 million across multiple chains.</p> <p>Here's what makes this terrifying: most of these hacks weren't sophisticated zero-days or nation-state attacks. They were simple mistakes. Missing signer checks. Unverified account ownership. Fake accounts accepted as real. The kind of bugs that could have been caught with proper validation.</p> <p>If you're building on Solana, you're not just writing code. You're handling other people's money. Every missing check is a potential exploit. Every unvalidated account is a backdoor. This guide breaks down 15 critical vulnerabilities that have cost projects millions, shows you exactly how each exploit worked, and teaches you how to fix them before they cost you everything.</p> <h2> The Reality of Solana Security </h2> <p>Solana's architecture is fundamentally different from EVM chains. Programs are stateless. Accounts are passed in by users. Nothing can be trusted by default. This creates unique security challenges that developers coming from Ethereum often miss.</p> <p>The golden rule: <strong>Trust nothing</strong>. Not the account passed in. Not its owner. Not the signer. Not the data inside it. Every single thing must be explicitly validated.</p> <p>The examples below cover 15 vulnerabilities from intermediate to advanced. Each has both a vulnerable and a secure version, with tests that demonstrate the exploit and confirm the fix. They are implemented in Anchor and Pinocchio so you can see how different frameworks handle the same issues.</p> <h2> 1. Missing Signer Check </h2> <p><strong>Type:</strong> Access Control | <strong>Severity:</strong> Critical</p> <h3> What Breaks </h3> <p>Your program needs someone to authorize an action (like withdrawing from a vault). You check that the right public key is present in the instruction, but you never verify that the key's owner actually signed the transaction. An attacker can pass anyone's public key without owning it, and your program executes the privileged action anyway.</p> <h3> Real Exploit </h3> <p>In August 2021, a hacker attempted to steal $2 million from Solend by manipulating protocol parameters. They bypassed admin checks by passing the admin's public key without signing with it. The protocol checked "is this the admin's key?" but not "did the admin actually sign this?" The attack was caught before funds were lost, but it exposed a critical flaw that exists in countless programs.</p> <h3> The Attack Pattern </h3> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>1. Vault stores authority = "AuthPubkey123" 2. Attacker sends instruction with authority account = "AuthPubkey123" 3. Program checks: vault.authority == passed_authority.key ✓ 4. Program never checks: passed_authority.is_signer 5. Withdrawal executes, funds gone </code></pre> </div> <p>The attacker never needed the private key. They just needed to know the public key and pass it through.</p> <h3> How to Fix </h3> <p><strong>Anchor:</strong> Use <code>Signer&lt;'info&gt;</code> instead of <code>AccountInfo</code><br> </p> <div class="highlight js-code-highlight"> <pre class="highlight rust"><code><span class="k">pub</span> <span class="k">struct</span> <span class="n">Withdraw</span><span class="o">&lt;</span><span class="nv">'info</span><span class="o">&gt;</span> <span class="p">{</span> <span class="nd">#[account(mut)]</span> <span class="k">pub</span> <span class="n">vault</span><span class="p">:</span> <span class="n">Account</span><span class="o">&lt;</span><span class="nv">'info</span><span class="p">,</span> <span class="n">Vault</span><span class="o">&gt;</span><span class="p">,</span> <span class="k">pub</span> <span class="n">authority</span><span class="p">:</span> <span class="n">Signer</span><span class="o">&lt;</span><span class="nv">'info</span><span class="o">&gt;</span><span class="p">,</span> <span class="c1">// Enforces signature check</span> <span class="p">}</span> </code></pre> </div> <p><strong>Pinocchio/Native:</strong> Manually verify the signer flag<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight rust"><code><span class="k">if</span> <span class="o">!</span><span class="n">authority</span><span class="nf">.is_signer</span><span class="p">()</span> <span class="p">{</span> <span class="k">return</span> <span class="nf">Err</span><span class="p">(</span><span class="nn">ProgramError</span><span class="p">::</span><span class="n">MissingRequiredSignature</span><span class="p">);</span> <span class="p">}</span> </code></pre> </div> <p>The fix is simple. The cost of missing it is catastrophic.</p> <h2> 2. Missing Owner Check </h2> <p><strong>Type:</strong> Access Control | <strong>Severity:</strong> Critical</p> <h3> What Breaks </h3> <p>Every Solana account has an "owner" field indicating which program controls it. Your program acts on an account (like reading vault data) without checking if your program actually owns it. An attacker creates a fake account with identical data layout but owned by a different program. Your program reads it, trusts it, and gets exploited.</p> <h3> Real Exploit </h3> <p>The Solend exploit in August 2021 involved creating fake lending markets with manipulated parameters. Because the program didn't verify account ownership, the attacker's fake accounts were treated as legitimate protocol accounts. They set liquidation thresholds to 1%, liquidation bonuses to 90%, and attempted to liquidate healthy positions for massive profit.</p> <p>In the Crema Finance hack (July 2022, $8.8M stolen), the attacker created a fake "Tick" account with false price data. This fake account wasn't owned by Crema's program, but because ownership wasn't validated, it was accepted as real. The attacker used this fake data to claim inflated LP fees through flash loans.</p> <h3> The Attack Pattern </h3> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>1. Real vault owned by YourProgram, has authority + balance 2. Attacker creates fake vault owned by SystemProgram 3. Fake vault has same data layout, attacker's key as authority 4. Program accepts fake vault, reads attacker's authority 5. Program allows withdrawal, funds stolen </code></pre> </div> <h3> How to Fix </h3> <p><strong>Anchor:</strong> Use <code>Account&lt;'info, T&gt;</code> which automatically verifies ownership<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight rust"><code><span class="nd">#[account(mut)]</span> <span class="k">pub</span> <span class="n">vault</span><span class="p">:</span> <span class="n">Account</span><span class="o">&lt;</span><span class="nv">'info</span><span class="p">,</span> <span class="n">Vault</span><span class="o">&gt;</span><span class="p">,</span> <span class="c1">// Checks owner == program_id</span> </code></pre> </div> <p><strong>Pinocchio/Native:</strong> Manually check the owner field<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight rust"><code><span class="k">if</span> <span class="n">account</span><span class="nf">.owner</span><span class="p">()</span> <span class="o">!=</span> <span class="n">program_id</span> <span class="p">{</span> <span class="k">return</span> <span class="nf">Err</span><span class="p">(</span><span class="nn">ProgramError</span><span class="p">::</span><span class="n">IllegalOwner</span><span class="p">);</span> <span class="p">}</span> </code></pre> </div> <p>Ownership checks are not optional. They're the foundation of Solana security.</p> <h2> 3. Account Data Matching </h2> <p><strong>Type:</strong> Account Validation | <strong>Severity:</strong> High</p> <h3> What Breaks </h3> <p>An account might be the correct type and owned by your program, but it's not the <em>specific</em> account you need. For example, accepting any token account when you specifically need the pool's token account. The attacker substitutes their own account that passes type checks but doesn't match the required relationships.</p> <h3> Real Exploit </h3> <p>This vulnerability enabled the Solend oracle manipulation attack (November 2022, $1.26M stolen). The protocol accepted USDH as collateral but only checked price data from a single Saber pool. The attacker traded between Saber and Orca, manipulating the Saber pool price while keeping costs low. They deposited USDH valued at the inflated price ($8.80 instead of $1.00), borrowed against it, and defaulted on the loan.</p> <p>The root cause: the oracle only validated that it was reading <em>a</em> price feed, not that it was reading the <em>correct</em> price feed that represented true market prices across multiple sources.</p> <h3> The Attack Pattern </h3> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>1. Pool expects token account for MintA 2. Attacker passes token account for MintB (which they control) 3. Both are valid token accounts, both owned by TokenProgram 4. Program accepts it because type matches 5. Attacker manipulates their own mint, drains pool </code></pre> </div> <h3> How to Fix </h3> <p><strong>Anchor:</strong> Use constraints to validate relationships<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight rust"><code><span class="nd">#[account(</span> <span class="nd">constraint</span> <span class="nd">=</span> <span class="nd">user_token</span><span class="err">.</span><span class="nd">mint</span> <span class="nd">==</span> <span class="nd">pool</span><span class="err">.</span><span class="nd">mint,</span> <span class="nd">constraint</span> <span class="nd">=</span> <span class="nd">user_token</span><span class="err">.</span><span class="nd">owner</span> <span class="nd">==</span> <span class="nd">user</span><span class="err">.</span><span class="nd">key()</span> <span class="nd">)]</span> <span class="k">pub</span> <span class="n">user_token</span><span class="p">:</span> <span class="n">Account</span><span class="o">&lt;</span><span class="nv">'info</span><span class="p">,</span> <span class="n">TokenAccount</span><span class="o">&gt;</span><span class="p">,</span> </code></pre> </div> <p><strong>Pinocchio/Native:</strong> Manually compare public keys<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight rust"><code><span class="k">if</span> <span class="n">token_account</span><span class="py">.mint</span> <span class="o">!=</span> <span class="n">expected_mint</span> <span class="p">{</span> <span class="k">return</span> <span class="nf">Err</span><span class="p">(</span><span class="nn">ProgramError</span><span class="p">::</span><span class="n">InvalidAccountData</span><span class="p">);</span> <span class="p">}</span> <span class="k">if</span> <span class="n">token_account</span><span class="py">.owner</span> <span class="o">!=</span> <span class="n">expected_owner</span> <span class="p">{</span> <span class="k">return</span> <span class="nf">Err</span><span class="p">(</span><span class="nn">ProgramError</span><span class="p">::</span><span class="n">InvalidAccountData</span><span class="p">);</span> <span class="p">}</span> </code></pre> </div> <p>Validate not just type, but context. Every relationship matters.</p> <h2> 4. Type Cosplay </h2> <p><strong>Type:</strong> Account Validation | <strong>Severity:</strong> Critical</p> <h3> What Breaks </h3> <p>You have multiple account types (Vault, User) with similar data layouts. If certain fields align at the same byte offsets, an attacker can pass one type where another is expected. Your program reads a User's data as if it were a Vault, misinterpreting field meanings entirely.</p> <h3> Real Exploit </h3> <p>While there's no single famous "type cosplay" hack, this vulnerability class has been identified in multiple security audits. Programs that store different account types without discriminators are vulnerable to having accounts misinterpreted. If a User struct and a Vault struct both have a u64 at offset 8, an attacker can create a User with a high value there and pass it as a Vault, making the program think it has more funds than it does.</p> <h3> The Attack Pattern </h3> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>Vault: [discriminator: 8 bytes][authority: 32 bytes][balance: 8 bytes] User: [discriminator: 8 bytes][user_key: 32 bytes][points: 8 bytes] 1. Attacker creates User with 1,000,000 points 2. Passes User account to instruction expecting Vault 3. Program reads offset 48 (balance field) 4. Gets 1,000,000 (actually the points field) 5. Allows withdrawal based on fake balance </code></pre> </div> <h3> How to Fix </h3> <p><strong>Anchor:</strong> Use discriminators automatically via <code>Account&lt;'info, T&gt;</code><br> </p> <div class="highlight js-code-highlight"> <pre class="highlight rust"><code><span class="c1">// Anchor adds 8-byte discriminator to each type automatically</span> <span class="nd">#[account]</span> <span class="k">pub</span> <span class="k">struct</span> <span class="n">Vault</span> <span class="p">{</span> <span class="k">pub</span> <span class="n">authority</span><span class="p">:</span> <span class="n">Pubkey</span><span class="p">,</span> <span class="k">pub</span> <span class="n">balance</span><span class="p">:</span> <span class="nb">u64</span><span class="p">,</span> <span class="p">}</span> </code></pre> </div> <p><strong>Pinocchio/Native:</strong> Implement and verify discriminators manually<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight rust"><code><span class="k">const</span> <span class="n">VAULT_DISCRIMINATOR</span><span class="p">:</span> <span class="p">[</span><span class="nb">u8</span><span class="p">;</span> <span class="mi">8</span><span class="p">]</span> <span class="o">=</span> <span class="cm">/* hash("account:Vault") */</span><span class="p">;</span> <span class="k">let</span> <span class="n">disc</span> <span class="o">=</span> <span class="o">&amp;</span><span class="n">account</span><span class="py">.data</span><span class="p">[</span><span class="mi">0</span><span class="o">..</span><span class="mi">8</span><span class="p">];</span> <span class="k">if</span> <span class="n">disc</span> <span class="o">!=</span> <span class="n">VAULT_DISCRIMINATOR</span> <span class="p">{</span> <span class="k">return</span> <span class="nf">Err</span><span class="p">(</span><span class="nn">ProgramError</span><span class="p">::</span><span class="n">InvalidAccountData</span><span class="p">);</span> <span class="p">}</span> </code></pre> </div> <p>Every account type needs a unique identifier. No exceptions.</p> <h2> 5. PDA Bump Seed Canonicalization </h2> <p><strong>Type:</strong> Account Validation | <strong>Severity:</strong> High</p> <h3> What Breaks </h3> <p>Program Derived Addresses (PDAs) are found using seeds and a "bump" value. <code>find_program_address</code> returns the canonical bump (usually 255, the first valid one). But other bumps can also create valid PDAs at different addresses. If your program accepts any valid bump without checking it's canonical, attackers can create shadow PDAs at different addresses for the same logical seeds.</p> <h3> Real Exploit </h3> <p>This vulnerability has been found in numerous audits. If a program stores "vault" PDAs using [b"vault", user_pubkey] as seeds but doesn't enforce the canonical bump, an attacker can:</p> <ol> <li>Find the canonical PDA at bump 255</li> <li>Find another valid PDA at bump 254 (different address)</li> <li>Initialize the non-canonical PDA</li> <li>Now two "vaults" exist for the same user</li> <li>Attacker controls one, can drain funds or create accounting chaos</li> </ol> <p>The impact depends on program logic, but it fundamentally breaks the assumption that "one set of seeds = one address."</p> <h3> The Attack Pattern </h3> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>Seeds: [b"vault", user_pubkey] Canonical bump: 255 -&gt; Address A Non-canonical bump: 254 -&gt; Address B 1. Real vault at Address A, bump 255 2. Attacker creates account at Address B, bump 254 3. Program accepts both as valid (both pass PDA checks) 4. Attacker has shadow vault, can bypass restrictions </code></pre> </div> <h3> How to Fix </h3> <p><strong>Anchor:</strong> Store and verify the canonical bump<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight rust"><code><span class="nd">#[account(</span> <span class="nd">init,</span> <span class="nd">payer</span> <span class="nd">=</span> <span class="nd">user,</span> <span class="nd">space</span> <span class="nd">=</span> <span class="mi">8</span> <span class="err">+</span> <span class="mi">32</span> <span class="err">+</span> <span class="mi">1</span><span class="nd">,</span> <span class="nd">seeds</span> <span class="nd">=</span> <span class="err">[</span><span class="s">b"vault"</span><span class="nd">,</span> <span class="nd">user</span><span class="err">.</span><span class="nd">key()</span><span class="err">.</span><span class="nd">as_ref()]</span><span class="p">,</span> <span class="n">bump</span> <span class="c1">// Anchor finds and stores canonical bump</span> <span class="p">)]</span> <span class="k">pub</span> <span class="n">vault</span><span class="p">:</span> <span class="n">Account</span><span class="o">&lt;</span><span class="nv">'info</span><span class="p">,</span> <span class="n">Vault</span><span class="o">&gt;</span><span class="p">,</span> <span class="c1">// Later validations automatically check:</span> <span class="c1">// seeds = [b"vault", user.key().as_ref()],</span> <span class="c1">// bump = vault.bump // Must match stored canonical bump</span> </code></pre> </div> <p><strong>Pinocchio/Native:</strong> Find and store canonical bump explicitly<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight rust"><code><span class="k">let</span> <span class="p">(</span><span class="n">pda</span><span class="p">,</span> <span class="n">bump</span><span class="p">)</span> <span class="o">=</span> <span class="nn">Pubkey</span><span class="p">::</span><span class="nf">find_program_address</span><span class="p">(</span> <span class="o">&amp;</span><span class="p">[</span><span class="s">b"vault"</span><span class="p">,</span> <span class="n">user_pubkey</span><span class="nf">.as_ref</span><span class="p">()],</span> <span class="n">program_id</span> <span class="p">);</span> <span class="c1">// Store bump in account data</span> <span class="n">vault</span><span class="py">.bump</span> <span class="o">=</span> <span class="n">bump</span><span class="p">;</span> <span class="c1">// Later, verify it matches</span> <span class="k">if</span> <span class="n">account_key</span> <span class="o">!=</span> <span class="nn">Pubkey</span><span class="p">::</span><span class="nf">create_program_address</span><span class="p">(</span> <span class="o">&amp;</span><span class="p">[</span><span class="s">b"vault"</span><span class="p">,</span> <span class="n">user_pubkey</span><span class="nf">.as_ref</span><span class="p">(),</span> <span class="o">&amp;</span><span class="p">[</span><span class="n">vault</span><span class="py">.bump</span><span class="p">]],</span> <span class="n">program_id</span> <span class="p">)</span><span class="o">?</span> <span class="p">{</span> <span class="k">return</span> <span class="nf">Err</span><span class="p">(</span><span class="nn">ProgramError</span><span class="p">::</span><span class="n">InvalidSeeds</span><span class="p">);</span> <span class="p">}</span> </code></pre> </div> <p>One PDA per seed set. Enforce it.</p> <h2> 6. Account Reinitialization </h2> <p><strong>Type:</strong> Account Validation | <strong>Severity:</strong> Critical</p> <h3> What Breaks </h3> <p>An initialize instruction can be called on an already-initialized account, overwriting its data. An attacker calls initialize on someone else's vault, overwrites the authority field with their key, and takes control of existing funds.</p> <h3> Real Exploit </h3> <p>This was a core vulnerability in early Solana programs before best practices solidified. The pattern showed up in the Slope wallet compromise (though that was ultimately a key exposure issue), where re-initialization concerns were part of the broader security review that followed.</p> <h3> The Attack Pattern </h3> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>1. User creates vault, authority = User's key 2. Vault accumulates funds 3. Attacker calls initialize on same vault account 4. Program overwrites authority = Attacker's key 5. Attacker now controls user's funds </code></pre> </div> <h3> How to Fix </h3> <p><strong>Anchor:</strong> Use <code>init</code> which fails if account exists<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight rust"><code><span class="nd">#[account(</span> <span class="nd">init,</span> <span class="c1">// Fails if account already has data</span> <span class="nd">payer</span> <span class="nd">=</span> <span class="nd">user,</span> <span class="nd">space</span> <span class="nd">=</span> <span class="mi">8</span> <span class="err">+</span> <span class="mi">32</span> <span class="err">+</span> <span class="mi">8</span> <span class="nd">)]</span> <span class="k">pub</span> <span class="n">vault</span><span class="p">:</span> <span class="n">Account</span><span class="o">&lt;</span><span class="nv">'info</span><span class="p">,</span> <span class="n">Vault</span><span class="o">&gt;</span><span class="p">,</span> </code></pre> </div> <p><strong>Pinocchio/Native:</strong> Check if already initialized<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight rust"><code><span class="k">if</span> <span class="n">vault</span><span class="py">.is_initialized</span> <span class="p">{</span> <span class="k">return</span> <span class="nf">Err</span><span class="p">(</span><span class="nn">ProgramError</span><span class="p">::</span><span class="n">AccountAlreadyInitialized</span><span class="p">);</span> <span class="p">}</span> <span class="c1">// Or check discriminator</span> <span class="k">if</span> <span class="n">account</span><span class="py">.data</span><span class="p">[</span><span class="mi">0</span><span class="o">..</span><span class="mi">8</span><span class="p">]</span> <span class="o">!=</span> <span class="p">[</span><span class="mi">0u8</span><span class="p">;</span> <span class="mi">8</span><span class="p">]</span> <span class="p">{</span> <span class="k">return</span> <span class="nf">Err</span><span class="p">(</span><span class="nn">ProgramError</span><span class="p">::</span><span class="n">AccountAlreadyInitialized</span><span class="p">);</span> <span class="p">}</span> </code></pre> </div> <p>Initialize once. Verify always.</p> <h2> 7. Arbitrary CPI </h2> <p><strong>Type:</strong> Cross-Program Security | <strong>Severity:</strong> Critical</p> <h3> What Breaks </h3> <p>Cross-Program Invocations (CPI) let your program call other programs. If you accept the target program ID from user input without validation, an attacker can point it to their malicious program. Your program invokes the fake program with your authority, and the attacker's code runs with your program's privileges.</p> <h3> Real Exploit </h3> <p>While no single massive CPI exploit made headlines, this vulnerability class is found regularly in audits. The danger is particularly acute when programs invoke token transfers or other privileged operations. If the program ID isn't hardcoded or validated, an attacker's program can receive your PDA signatures and drain funds.</p> <h3> The Attack Pattern </h3> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>1. Program intends to CPI to Token Program for transfer 2. Program accepts token_program account from user 3. Attacker passes their malicious program instead 4. CPI executes to malicious program with PDA signature 5. Malicious program has your program's authority, drains funds </code></pre> </div> <h3> How to Fix </h3> <p><strong>Anchor:</strong> Use <code>Program&lt;'info, T&gt;</code> to fix program at compile time<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight rust"><code><span class="k">pub</span> <span class="k">struct</span> <span class="n">Transfer</span><span class="o">&lt;</span><span class="nv">'info</span><span class="o">&gt;</span> <span class="p">{</span> <span class="k">pub</span> <span class="n">token_program</span><span class="p">:</span> <span class="n">Program</span><span class="o">&lt;</span><span class="nv">'info</span><span class="p">,</span> <span class="n">Token</span><span class="o">&gt;</span><span class="p">,</span> <span class="c1">// Must be Token Program</span> <span class="p">}</span> </code></pre> </div> <p><strong>Pinocchio/Native:</strong> Hardcode and verify program IDs<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight rust"><code><span class="k">const</span> <span class="n">TOKEN_PROGRAM_ID</span><span class="p">:</span> <span class="n">Pubkey</span> <span class="o">=</span> <span class="cm">/* known token program */</span><span class="p">;</span> <span class="k">if</span> <span class="n">program</span><span class="py">.key</span> <span class="o">!=</span> <span class="n">TOKEN_PROGRAM_ID</span> <span class="p">{</span> <span class="k">return</span> <span class="nf">Err</span><span class="p">(</span><span class="nn">ProgramError</span><span class="p">::</span><span class="n">IncorrectProgramId</span><span class="p">);</span> <span class="p">}</span> </code></pre> </div> <p>Never CPI to user-supplied program IDs. Ever.</p> <h2> 8. Integer Overflow </h2> <p><strong>Type:</strong> Arithmetic Safety | <strong>Severity:</strong> High</p> <h3> What Breaks </h3> <p>Arithmetic operations overflow or underflow without panicking. A user withdraws 11 tokens from a balance of 10. With unchecked math, <code>10 - 11</code> wraps to maximum value (18 quintillion for u64). User now has infinite balance.</p> <h3> Real Exploit </h3> <p>The Nirvana Finance hack (July 2022, $3.5M stolen) involved arithmetic manipulation. While not a simple overflow, the exploit relied on the protocol's pricing curve calculation being vulnerable to extreme inputs that created artificial price inflation. The attacker used flash loans to manipulate internal accounting, ultimately draining the treasury.</p> <p>Overflow vulnerabilities have been found in numerous audits across DeFi protocols. They're particularly dangerous in reward calculations, fee distributions, and price computations.</p> <h3> The Attack Pattern </h3> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>Balance: 10 tokens Withdrawal: 11 tokens Unchecked: 10 - 11 = 18446744073709551615 (wraparound) Checked: 10 - 11 = Error 1. User deposits 10 tokens 2. User withdraws 11 tokens 3. With unchecked math, balance wraps to maximum 4. User can now withdraw infinite tokens </code></pre> </div> <h3> How to Fix </h3> <p><strong>Rust/Anchor:</strong> Use checked arithmetic<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight rust"><code><span class="c1">// Bad</span> <span class="n">vault</span><span class="py">.balance</span> <span class="o">=</span> <span class="n">vault</span><span class="py">.balance</span> <span class="o">-</span> <span class="n">amount</span><span class="p">;</span> <span class="c1">// Good</span> <span class="n">vault</span><span class="py">.balance</span> <span class="o">=</span> <span class="n">vault</span><span class="py">.balance</span> <span class="nf">.checked_sub</span><span class="p">(</span><span class="n">amount</span><span class="p">)</span> <span class="nf">.ok_or</span><span class="p">(</span><span class="nn">ProgramError</span><span class="p">::</span><span class="n">InsufficientFunds</span><span class="p">)</span><span class="o">?</span><span class="p">;</span> <span class="c1">// Also good</span> <span class="n">vault</span><span class="py">.balance</span> <span class="o">=</span> <span class="n">vault</span><span class="py">.balance</span> <span class="nf">.saturating_sub</span><span class="p">(</span><span class="n">amount</span><span class="p">);</span> </code></pre> </div> <p>Enable overflow checks in Cargo.toml<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight toml"><code><span class="nn">[profile.release]</span> <span class="py">overflow-checks</span> <span class="p">=</span> <span class="kc">true</span> </code></pre> </div> <p>Check every operation. Assume users will try to break math.</p> <h2> 9. Closing Accounts Without Clearing Data And Rent Siphoning </h2> <p><strong>Type:</strong> State Management | <strong>Severity:</strong> High</p> <h3> What Breaks </h3> <p>Closing an account transfers its lamports (rent) to another account but doesn't zero its data. The account sits dormant with old data intact. An attacker re-funds it with minimal lamports before garbage collection. The account "revives" with stale authority, state, or permissions, and the attacker can abuse the old data.</p> <h3> Real Exploit </h3> <p>This has been a persistent issue in Solana programs. The Raydium exploit (December 2022, $4.4M stolen) involved compromised admin keys, but during the security review afterward, account closure procedures were scrutinized. Proper account closure prevents many attack vectors that rely on resurrecting old state.</p> <h3> The Attack Pattern </h3> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>1. User closes vault: transfers lamports, leaves data 2. Account sits with 0 lamports, old authority in data 3. Attacker funds account with 1 lamport in same tx 4. Account "alive" again with stale authority 5. Program treats revived account as valid </code></pre> </div> <h3> How to Fix </h3> <p><strong>Anchor:</strong> Use <code>close</code> constraint which zeros data<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight rust"><code><span class="nd">#[account(</span> <span class="nd">mut,</span> <span class="nd">close</span> <span class="nd">=</span> <span class="nd">destination</span> <span class="c1">// Transfers lamports AND zeros data</span> <span class="nd">)]</span> <span class="k">pub</span> <span class="n">vault</span><span class="p">:</span> <span class="n">Account</span><span class="o">&lt;</span><span class="nv">'info</span><span class="p">,</span> <span class="n">Vault</span><span class="o">&gt;</span><span class="p">,</span> </code></pre> </div> <p><strong>Pinocchio/Native:</strong> Explicitly zero data and transfer lamports<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight rust"><code><span class="c1">// Zero all data</span> <span class="n">account</span><span class="py">.data</span><span class="nf">.fill</span><span class="p">(</span><span class="mi">0</span><span class="p">);</span> <span class="c1">// Transfer lamports</span> <span class="o">**</span><span class="n">destination</span><span class="py">.lamports</span><span class="nf">.borrow_mut</span><span class="p">()</span> <span class="o">+=</span> <span class="o">**</span><span class="n">account</span><span class="py">.lamports</span><span class="nf">.borrow</span><span class="p">();</span> <span class="o">**</span><span class="n">account</span><span class="py">.lamports</span><span class="nf">.borrow_mut</span><span class="p">()</span> <span class="o">=</span> <span class="mi">0</span><span class="p">;</span> </code></pre> </div> <p>Dead accounts must stay dead. Zero everything.</p> <h2> 10. Duplicate Mutable Accounts </h2> <p><strong>Type:</strong> Account Validation | <strong>Severity:</strong> High</p> <h3> What Breaks </h3> <p>An instruction accepts two mutable accounts (source and destination for a transfer). It doesn't verify they're different. Attacker passes the same account for both. Depending on read/write order, this can double balances, skip fees, or create accounting chaos.</p> <h3> Real Exploit </h3> <p>This vulnerability appeared in the Jet Protocol discovery (December 2021, potential $25M if exploited). The issue involved how the protocol handled position arrays when accounts were closed. While the specific bug was different, it highlighted how account relationship assumptions can be violated when the same account appears multiple times.</p> <h3> The Attack Pattern </h3> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>Transfer 50 from source to destination Source = Destination = Same account (balance 100) Vulnerable code: source.balance -= 50 // balance = 50 dest.balance += 50 // balance = 100 (if reading stale value) Result: Created 50 tokens from nothing </code></pre> </div> <h3> How to Fix </h3> <p><strong>Anchor:</strong> Add constraint to enforce different accounts<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight rust"><code><span class="nd">#[account(</span> <span class="nd">mut,</span> <span class="nd">constraint</span> <span class="nd">=</span> <span class="nd">source</span><span class="err">.</span><span class="nd">key()</span> <span class="err">!</span><span class="nd">=</span> <span class="nd">destination</span><span class="err">.</span><span class="nd">key()</span> <span class="nd">)]</span> <span class="k">pub</span> <span class="n">source</span><span class="p">:</span> <span class="n">Account</span><span class="o">&lt;</span><span class="nv">'info</span><span class="p">,</span> <span class="n">TokenAccount</span><span class="o">&gt;</span><span class="p">,</span> <span class="nd">#[account(mut)]</span> <span class="k">pub</span> <span class="n">destination</span><span class="p">:</span> <span class="n">Account</span><span class="o">&lt;</span><span class="nv">'info</span><span class="p">,</span> <span class="n">TokenAccount</span><span class="o">&gt;</span><span class="p">,</span> </code></pre> </div> <p><strong>Pinocchio/Native:</strong> Explicitly check equality<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight rust"><code><span class="k">if</span> <span class="n">source</span><span class="nf">.key</span><span class="p">()</span> <span class="o">==</span> <span class="n">destination</span><span class="nf">.key</span><span class="p">()</span> <span class="p">{</span> <span class="k">return</span> <span class="nf">Err</span><span class="p">(</span><span class="nn">ProgramError</span><span class="p">::</span><span class="n">InvalidArgument</span><span class="p">);</span> <span class="p">}</span> </code></pre> </div> <p>Assume users will try every input combination. Defend against all of them.</p> <h2> 11. Insecure Randomness </h2> <p><strong>Type:</strong> Randomness | <strong>Severity:</strong> Medium-High</p> <h3> What Breaks </h3> <p>Program needs randomness (lottery, game, NFT reveal) and uses on-chain data like slot number, timestamp, or recent blockhash. These values are public and predictable. Attackers (or validators) simulate outcomes and only submit transactions when they win.</p> <h3> Real Exploit </h3> <p>Numerous NFT mints and gaming applications on Solana have been vulnerable to randomness manipulation. Users can simulate mints locally, check which slots produce rare traits, and only submit during those slots. This turned "random" drops into deterministic farming.</p> <p>In DeFi, oracle-based games and prediction markets have been manipulated when they relied on predictable on-chain values instead of verifiable random functions.</p> <h3> The Attack Pattern </h3> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>Game uses: winner = slot % 100 &lt; 10 (10% win rate) 1. Attacker simulates game at current slot: loses 2. Simulates at slot + 1: loses 3. Simulates at slot + 2: wins! 4. Waits for slot + 2, submits transaction 5. Guaranteed win, "random" game broken </code></pre> </div> <h3> How to Fix </h3> <p><strong>DON'T USE:</strong><br> </p> <div class="highlight js-code-highlight"> <pre class="highlight rust"><code><span class="k">let</span> <span class="n">random</span> <span class="o">=</span> <span class="nn">Clock</span><span class="p">::</span><span class="nf">get</span><span class="p">()</span><span class="o">?</span><span class="py">.slot</span> <span class="o">%</span> <span class="mi">100</span><span class="p">;</span> <span class="c1">// Predictable</span> <span class="k">let</span> <span class="n">random</span> <span class="o">=</span> <span class="nn">Clock</span><span class="p">::</span><span class="nf">get</span><span class="p">()</span><span class="o">?</span><span class="py">.unix_timestamp</span><span class="p">;</span> <span class="c1">// Predictable </span> <span class="k">let</span> <span class="n">random</span> <span class="o">=</span> <span class="n">recent_blockhashes</span><span class="p">[</span><span class="mi">0</span><span class="p">];</span> <span class="c1">// Predictable</span> </code></pre> </div> <p><strong>DO USE:</strong></p> <ul> <li>Switchboard VRF</li> <li>Chainlink VRF </li> <li>Commit-reveal schemes</li> <li>Off-chain randomness with on-chain verification </li> </ul> <div class="highlight js-code-highlight"> <pre class="highlight rust"><code><span class="c1">// Example: Switchboard VRF</span> <span class="nd">#[account(mut)]</span> <span class="k">pub</span> <span class="n">vrf</span><span class="p">:</span> <span class="n">AccountLoader</span><span class="o">&lt;</span><span class="nv">'info</span><span class="p">,</span> <span class="n">VrfAccountData</span><span class="o">&gt;</span><span class="p">,</span> <span class="c1">// Verify VRF was properly requested and callback received</span> <span class="c1">// Use vrf.result.value as randomness</span> </code></pre> </div> <h1> Additional Solana Security Vulnerabilities to Consider </h1> <p>Based on extensive research into recent Solana exploits and security audits, here are critical additional vulnerabilities that should be included in your security guide:</p> <h2> 12. Sysvar Account Validation (CRITICAL) </h2> <p><strong>Priority: HIGH - This caused the $325M Wormhole hack</strong></p> <h3> What It Is </h3> <p>Solana has system accounts called "sysvars" that contain cluster information (Clock, Rent, Instructions, etc.). Programs trust these to get authentic system data. If you don't verify that a sysvar account is actually THE system sysvar, attackers can pass fake sysvar accounts with manipulated data.</p> <h3> Real Exploit </h3> <p><strong>Wormhole Bridge Exploit (February 2022, $325M)</strong></p> <ul> <li>The bridge used <code>load_instruction_at()</code> to check if signature verification happened</li> <li>This function reads instruction data but DOESN'T verify the account is the real Instructions sysvar</li> <li>Attacker created fake Instructions sysvar with fake signature verification data</li> <li>Bridge thought signatures were verified when they weren't</li> <li>Attacker minted 120,000 ETH on Solana and bridged it to Ethereum</li> </ul> <h3> The Attack Pattern </h3> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>1. Program expects Sysvar::Instructions account 2. Attacker creates fake account with same data layout 3. Program uses deprecated load_instruction_at() without checking account ID 4. Fake data is read as authentic system data 5. Critical validation bypassed </code></pre> </div> <h3> How to Fix </h3> <p><strong>Anchor:</strong> Use constraints to verify sysvar address<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight rust"><code><span class="k">use</span> <span class="nn">anchor_lang</span><span class="p">::</span><span class="nn">prelude</span><span class="p">::</span><span class="o">*</span><span class="p">;</span> <span class="nd">#[derive(Accounts)]</span> <span class="k">pub</span> <span class="k">struct</span> <span class="n">VerifyInstruction</span><span class="o">&lt;</span><span class="nv">'info</span><span class="o">&gt;</span> <span class="p">{</span> <span class="cd">/// CHECK: Verified via constraint</span> <span class="nd">#[account(address</span> <span class="nd">=</span> <span class="nd">sysvar::instructions::ID)]</span> <span class="k">pub</span> <span class="n">instruction_sysvar</span><span class="p">:</span> <span class="n">AccountInfo</span><span class="o">&lt;</span><span class="nv">'info</span><span class="o">&gt;</span><span class="p">,</span> <span class="p">}</span> <span class="k">pub</span> <span class="k">fn</span> <span class="nf">process</span><span class="p">(</span><span class="n">ctx</span><span class="p">:</span> <span class="n">Context</span><span class="o">&lt;</span><span class="n">VerifyInstruction</span><span class="o">&gt;</span><span class="p">)</span> <span class="k">-&gt;</span> <span class="nb">Result</span><span class="o">&lt;</span><span class="p">()</span><span class="o">&gt;</span> <span class="p">{</span> <span class="c1">// Safe to use - address constraint verified it's the real sysvar</span> <span class="k">let</span> <span class="n">instruction_data</span> <span class="o">=</span> <span class="nf">load_current_index_checked</span><span class="p">(</span> <span class="o">&amp;</span><span class="n">ctx</span><span class="py">.accounts.instruction_sysvar</span> <span class="p">)</span><span class="o">?</span><span class="p">;</span> <span class="nf">Ok</span><span class="p">(())</span> <span class="p">}</span> </code></pre> </div> <p><strong>Pinocchio/Native:</strong> Manually verify sysvar public key<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight rust"><code><span class="k">use</span> <span class="nn">solana_program</span><span class="p">::{</span> <span class="nn">sysvar</span><span class="p">::{</span><span class="n">instructions</span><span class="p">,</span> <span class="n">clock</span><span class="p">,</span> <span class="n">rent</span><span class="p">},</span> <span class="nn">account_info</span><span class="p">::</span><span class="n">AccountInfo</span><span class="p">,</span> <span class="nn">pubkey</span><span class="p">::</span><span class="n">Pubkey</span><span class="p">,</span> <span class="nn">program_error</span><span class="p">::</span><span class="n">ProgramError</span><span class="p">,</span> <span class="p">};</span> <span class="k">pub</span> <span class="k">fn</span> <span class="nf">verify_instructions_sysvar</span><span class="p">(</span> <span class="n">instructions_account</span><span class="p">:</span> <span class="o">&amp;</span><span class="n">AccountInfo</span><span class="p">,</span> <span class="p">)</span> <span class="k">-&gt;</span> <span class="nb">Result</span><span class="o">&lt;</span><span class="p">(),</span> <span class="n">ProgramError</span><span class="o">&gt;</span> <span class="p">{</span> <span class="c1">// Verify this is the real Instructions sysvar</span> <span class="k">if</span> <span class="n">instructions_account</span><span class="py">.key</span> <span class="o">!=</span> <span class="o">&amp;</span><span class="nn">instructions</span><span class="p">::</span><span class="n">ID</span> <span class="p">{</span> <span class="k">return</span> <span class="nf">Err</span><span class="p">(</span><span class="nn">ProgramError</span><span class="p">::</span><span class="n">InvalidArgument</span><span class="p">);</span> <span class="p">}</span> <span class="c1">// Now safe to use</span> <span class="k">let</span> <span class="n">instruction_data</span> <span class="o">=</span> <span class="n">instructions_account</span><span class="py">.data</span><span class="nf">.borrow</span><span class="p">();</span> <span class="c1">// Process instruction data...</span> <span class="nf">Ok</span><span class="p">(())</span> <span class="p">}</span> <span class="c1">// For Clock sysvar</span> <span class="k">pub</span> <span class="k">fn</span> <span class="nf">verify_clock_sysvar</span><span class="p">(</span> <span class="n">clock_account</span><span class="p">:</span> <span class="o">&amp;</span><span class="n">AccountInfo</span><span class="p">,</span> <span class="p">)</span> <span class="k">-&gt;</span> <span class="nb">Result</span><span class="o">&lt;</span><span class="p">(),</span> <span class="n">ProgramError</span><span class="o">&gt;</span> <span class="p">{</span> <span class="k">if</span> <span class="n">clock_account</span><span class="py">.key</span> <span class="o">!=</span> <span class="o">&amp;</span><span class="nn">clock</span><span class="p">::</span><span class="n">ID</span> <span class="p">{</span> <span class="k">return</span> <span class="nf">Err</span><span class="p">(</span><span class="nn">ProgramError</span><span class="p">::</span><span class="n">InvalidArgument</span><span class="p">);</span> <span class="p">}</span> <span class="k">let</span> <span class="n">clock</span> <span class="o">=</span> <span class="nn">Clock</span><span class="p">::</span><span class="nf">from_account_info</span><span class="p">(</span><span class="n">clock_account</span><span class="p">)</span><span class="o">?</span><span class="p">;</span> <span class="c1">// Use clock data safely...</span> <span class="nf">Ok</span><span class="p">(())</span> <span class="p">}</span> </code></pre> </div> <p><strong>Impact:</strong> $325M stolen. This is one of the largest DeFi hacks ever.</p> <h2> 13. Account Reload After CPI (HIGH SEVERITY) </h2> <h3> What It Is </h3> <p>When you make a CPI (cross-program invocation), the called program can modify accounts. BUT Anchor/Rust doesn't automatically update your in-memory copy of the account data. You're operating on stale data.</p> <h3> Real Risk </h3> <p>Found in numerous audits. Programs that:</p> <ul> <li>Transfer tokens via CPI</li> <li>Then check balances</li> <li>Make decisions based on old balance data Can be exploited to bypass spending limits, drain funds, or manipulate state.</li> </ul> <h3> The Attack Pattern </h3> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>1. Program loads account balance: 100 tokens 2. Program makes CPI that transfers 50 tokens 3. Program still thinks balance is 100 (stale data) 4. Program allows another withdrawal based on wrong balance 5. Account actually has 50 but program thinks 100 </code></pre> </div> <h3> How to Fix </h3> <p><strong>Anchor:</strong> Use <code>.reload()</code> method after CPI<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight rust"><code><span class="k">use</span> <span class="nn">anchor_lang</span><span class="p">::</span><span class="nn">prelude</span><span class="p">::</span><span class="o">*</span><span class="p">;</span> <span class="k">use</span> <span class="nn">anchor_spl</span><span class="p">::</span><span class="nn">token</span><span class="p">::{</span><span class="k">self</span><span class="p">,</span> <span class="n">Token</span><span class="p">,</span> <span class="n">TokenAccount</span><span class="p">,</span> <span class="n">Transfer</span><span class="p">};</span> <span class="k">pub</span> <span class="k">fn</span> <span class="nf">transfer_and_check</span><span class="p">(</span><span class="n">ctx</span><span class="p">:</span> <span class="n">Context</span><span class="o">&lt;</span><span class="n">TransferAndCheck</span><span class="o">&gt;</span><span class="p">,</span> <span class="n">amount</span><span class="p">:</span> <span class="nb">u64</span><span class="p">)</span> <span class="k">-&gt;</span> <span class="nb">Result</span><span class="o">&lt;</span><span class="p">()</span><span class="o">&gt;</span> <span class="p">{</span> <span class="k">let</span> <span class="n">balance_before</span> <span class="o">=</span> <span class="n">ctx</span><span class="py">.accounts.token_account.amount</span><span class="p">;</span> <span class="c1">// Make CPI transfer</span> <span class="k">let</span> <span class="n">cpi_accounts</span> <span class="o">=</span> <span class="n">Transfer</span> <span class="p">{</span> <span class="n">from</span><span class="p">:</span> <span class="n">ctx</span><span class="py">.accounts.token_account</span><span class="nf">.to_account_info</span><span class="p">(),</span> <span class="n">to</span><span class="p">:</span> <span class="n">ctx</span><span class="py">.accounts.destination</span><span class="nf">.to_account_info</span><span class="p">(),</span> <span class="n">authority</span><span class="p">:</span> <span class="n">ctx</span><span class="py">.accounts.authority</span><span class="nf">.to_account_info</span><span class="p">(),</span> <span class="p">};</span> <span class="k">let</span> <span class="n">cpi_ctx</span> <span class="o">=</span> <span class="nn">CpiContext</span><span class="p">::</span><span class="nf">new</span><span class="p">(</span><span class="n">ctx</span><span class="py">.accounts.token_program</span><span class="nf">.to_account_info</span><span class="p">(),</span> <span class="n">cpi_accounts</span><span class="p">);</span> <span class="nn">token</span><span class="p">::</span><span class="nf">transfer</span><span class="p">(</span><span class="n">cpi_ctx</span><span class="p">,</span> <span class="n">amount</span><span class="p">)</span><span class="o">?</span><span class="p">;</span> <span class="c1">// CRITICAL: Reload to get fresh data after CPI</span> <span class="n">ctx</span><span class="py">.accounts.token_account</span><span class="nf">.reload</span><span class="p">()</span><span class="o">?</span><span class="p">;</span> <span class="c1">// Now we have the correct balance</span> <span class="nd">require!</span><span class="p">(</span> <span class="n">ctx</span><span class="py">.accounts.token_account.amount</span> <span class="o">&gt;=</span> <span class="n">MIN_BALANCE</span><span class="p">,</span> <span class="nn">ErrorCode</span><span class="p">::</span><span class="n">BalanceTooLow</span> <span class="p">);</span> <span class="nf">Ok</span><span class="p">(())</span> <span class="p">}</span> <span class="nd">#[derive(Accounts)]</span> <span class="k">pub</span> <span class="k">struct</span> <span class="n">TransferAndCheck</span><span class="o">&lt;</span><span class="nv">'info</span><span class="o">&gt;</span> <span class="p">{</span> <span class="nd">#[account(mut)]</span> <span class="k">pub</span> <span class="n">token_account</span><span class="p">:</span> <span class="n">Account</span><span class="o">&lt;</span><span class="nv">'info</span><span class="p">,</span> <span class="n">TokenAccount</span><span class="o">&gt;</span><span class="p">,</span> <span class="nd">#[account(mut)]</span> <span class="k">pub</span> <span class="n">destination</span><span class="p">:</span> <span class="n">Account</span><span class="o">&lt;</span><span class="nv">'info</span><span class="p">,</span> <span class="n">TokenAccount</span><span class="o">&gt;</span><span class="p">,</span> <span class="k">pub</span> <span class="n">authority</span><span class="p">:</span> <span class="n">Signer</span><span class="o">&lt;</span><span class="nv">'info</span><span class="o">&gt;</span><span class="p">,</span> <span class="k">pub</span> <span class="n">token_program</span><span class="p">:</span> <span class="n">Program</span><span class="o">&lt;</span><span class="nv">'info</span><span class="p">,</span> <span class="n">Token</span><span class="o">&gt;</span><span class="p">,</span> <span class="p">}</span> </code></pre> </div> <p><strong>Pinocchio/Native:</strong> Re-deserialize account after CPI<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight rust"><code><span class="k">use</span> <span class="nn">solana_program</span><span class="p">::{</span> <span class="nn">account_info</span><span class="p">::</span><span class="n">AccountInfo</span><span class="p">,</span> <span class="nn">program</span><span class="p">::{</span><span class="n">invoke</span><span class="p">,</span> <span class="n">invoke_signed</span><span class="p">},</span> <span class="nn">program_error</span><span class="p">::</span><span class="n">ProgramError</span><span class="p">,</span> <span class="p">};</span> <span class="k">use</span> <span class="nn">spl_token</span><span class="p">::</span><span class="nn">state</span><span class="p">::</span><span class="n">Account</span> <span class="k">as</span> <span class="n">TokenAccount</span><span class="p">;</span> <span class="k">pub</span> <span class="k">fn</span> <span class="n">transfer_and_check</span><span class="o">&lt;</span><span class="nv">'a</span><span class="o">&gt;</span><span class="p">(</span> <span class="n">token_account</span><span class="p">:</span> <span class="o">&amp;</span><span class="n">AccountInfo</span><span class="o">&lt;</span><span class="nv">'a</span><span class="o">&gt;</span><span class="p">,</span> <span class="n">destination</span><span class="p">:</span> <span class="o">&amp;</span><span class="n">AccountInfo</span><span class="o">&lt;</span><span class="nv">'a</span><span class="o">&gt;</span><span class="p">,</span> <span class="n">authority</span><span class="p">:</span> <span class="o">&amp;</span><span class="n">AccountInfo</span><span class="o">&lt;</span><span class="nv">'a</span><span class="o">&gt;</span><span class="p">,</span> <span class="n">token_program</span><span class="p">:</span> <span class="o">&amp;</span><span class="n">AccountInfo</span><span class="o">&lt;</span><span class="nv">'a</span><span class="o">&gt;</span><span class="p">,</span> <span class="n">amount</span><span class="p">:</span> <span class="nb">u64</span><span class="p">,</span> <span class="p">)</span> <span class="k">-&gt;</span> <span class="nb">Result</span><span class="o">&lt;</span><span class="p">(),</span> <span class="n">ProgramError</span><span class="o">&gt;</span> <span class="p">{</span> <span class="c1">// Make CPI transfer</span> <span class="k">let</span> <span class="n">transfer_instruction</span> <span class="o">=</span> <span class="nn">spl_token</span><span class="p">::</span><span class="nn">instruction</span><span class="p">::</span><span class="nf">transfer</span><span class="p">(</span> <span class="n">token_program</span><span class="py">.key</span><span class="p">,</span> <span class="n">token_account</span><span class="py">.key</span><span class="p">,</span> <span class="n">destination</span><span class="py">.key</span><span class="p">,</span> <span class="n">authority</span><span class="py">.key</span><span class="p">,</span> <span class="o">&amp;</span><span class="p">[],</span> <span class="n">amount</span><span class="p">,</span> <span class="p">)</span><span class="o">?</span><span class="p">;</span> <span class="nf">invoke</span><span class="p">(</span> <span class="o">&amp;</span><span class="n">transfer_instruction</span><span class="p">,</span> <span class="o">&amp;</span><span class="p">[</span> <span class="n">token_account</span><span class="nf">.clone</span><span class="p">(),</span> <span class="n">destination</span><span class="nf">.clone</span><span class="p">(),</span> <span class="n">authority</span><span class="nf">.clone</span><span class="p">(),</span> <span class="n">token_program</span><span class="nf">.clone</span><span class="p">(),</span> <span class="p">],</span> <span class="p">)</span><span class="o">?</span><span class="p">;</span> <span class="c1">// CRITICAL: Re-deserialize to get fresh data</span> <span class="k">let</span> <span class="n">token_data</span> <span class="o">=</span> <span class="nn">TokenAccount</span><span class="p">::</span><span class="nf">unpack</span><span class="p">(</span><span class="o">&amp;</span><span class="n">token_account</span><span class="py">.data</span><span class="nf">.borrow</span><span class="p">())</span><span class="o">?</span><span class="p">;</span> <span class="c1">// Now check with correct balance</span> <span class="k">if</span> <span class="n">token_data</span><span class="py">.amount</span> <span class="o">&lt;</span> <span class="n">MIN_BALANCE</span> <span class="p">{</span> <span class="k">return</span> <span class="nf">Err</span><span class="p">(</span><span class="nn">ProgramError</span><span class="p">::</span><span class="n">InsufficientFunds</span><span class="p">);</span> <span class="p">}</span> <span class="nf">Ok</span><span class="p">(())</span> <span class="p">}</span> </code></pre> </div> <p><strong>Impact:</strong> Found in multiple audits, potential for fund loss when combined with spending limits or balance checks.</p> <h2> 14. Rent Siphoning / Account Revival (MEDIUM-HIGH) </h2> <h3> What It Is </h3> <p>Beyond just not zeroing data on close, there's a more subtle attack: </p> <ul> <li>Attacker can keep "closed" accounts alive by adding lamports</li> <li>Or prevent account creation by pre-funding the address</li> <li>Or drain rent from accounts that drop below rent-exempt threshold</li> </ul> <h3> Real Issues </h3> <p>Not a single famous exploit, but found repeatedly in audits and can be combined with other attacks.</p> <h3> Attack Patterns </h3> <p><strong>Pattern 1: Account Revival (covered in your guide)</strong><br> Already in your guide as "Closing Accounts"</p> <p><strong>Pattern 2: Account Squatting</strong><br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>1. Program tries to create account at deterministic address 2. Attacker pre-funds that address with 1 lamport 3. Create instruction fails (account already exists) 4. Denial of service, program can't initialize </code></pre> </div> <p><strong>Pattern 3: Rent Drain</strong><br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>1. Account drops below rent-exempt minimum 2. Solana starts deducting rent per epoch 3. Account slowly drains to zero 4. Account becomes unusable </code></pre> </div> <h3> How to Fix </h3> <p><strong>Anchor:</strong> Use init constraints and rent checks<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight rust"><code><span class="k">use</span> <span class="nn">anchor_lang</span><span class="p">::</span><span class="nn">prelude</span><span class="p">::</span><span class="o">*</span><span class="p">;</span> <span class="c1">// Prevent account squatting during initialization</span> <span class="nd">#[derive(Accounts)]</span> <span class="k">pub</span> <span class="k">struct</span> <span class="n">Initialize</span><span class="o">&lt;</span><span class="nv">'info</span><span class="o">&gt;</span> <span class="p">{</span> <span class="nd">#[account(</span> <span class="nd">init,</span> <span class="nd">payer</span> <span class="nd">=</span> <span class="nd">user,</span> <span class="nd">space</span> <span class="nd">=</span> <span class="mi">8</span> <span class="err">+</span> <span class="mi">32</span> <span class="err">+</span> <span class="mi">8</span><span class="nd">,</span> <span class="nd">seeds</span> <span class="nd">=</span> <span class="err">[</span><span class="s">b"vault"</span><span class="nd">,</span> <span class="nd">user</span><span class="err">.</span><span class="nd">key()</span><span class="err">.</span><span class="nd">as_ref()]</span><span class="p">,</span> <span class="n">bump</span> <span class="p">)]</span> <span class="k">pub</span> <span class="n">vault</span><span class="p">:</span> <span class="n">Account</span><span class="o">&lt;</span><span class="nv">'info</span><span class="p">,</span> <span class="n">Vault</span><span class="o">&gt;</span><span class="p">,</span> <span class="nd">#[account(mut)]</span> <span class="k">pub</span> <span class="n">user</span><span class="p">:</span> <span class="n">Signer</span><span class="o">&lt;</span><span class="nv">'info</span><span class="o">&gt;</span><span class="p">,</span> <span class="k">pub</span> <span class="n">system_program</span><span class="p">:</span> <span class="n">Program</span><span class="o">&lt;</span><span class="nv">'info</span><span class="p">,</span> <span class="n">System</span><span class="o">&gt;</span><span class="p">,</span> <span class="k">pub</span> <span class="n">rent</span><span class="p">:</span> <span class="n">Sysvar</span><span class="o">&lt;</span><span class="nv">'info</span><span class="p">,</span> <span class="n">Rent</span><span class="o">&gt;</span><span class="p">,</span> <span class="p">}</span> <span class="c1">// Verify rent exemption for critical accounts</span> <span class="k">pub</span> <span class="k">fn</span> <span class="nf">verify_rent_exempt</span><span class="p">(</span><span class="n">ctx</span><span class="p">:</span> <span class="n">Context</span><span class="o">&lt;</span><span class="n">CheckRent</span><span class="o">&gt;</span><span class="p">)</span> <span class="k">-&gt;</span> <span class="nb">Result</span><span class="o">&lt;</span><span class="p">()</span><span class="o">&gt;</span> <span class="p">{</span> <span class="k">let</span> <span class="n">account</span> <span class="o">=</span> <span class="o">&amp;</span><span class="n">ctx</span><span class="py">.accounts.critical_account</span><span class="p">;</span> <span class="k">let</span> <span class="n">rent</span> <span class="o">=</span> <span class="nn">Rent</span><span class="p">::</span><span class="nf">get</span><span class="p">()</span><span class="o">?</span><span class="p">;</span> <span class="nd">require!</span><span class="p">(</span> <span class="n">rent</span><span class="nf">.is_exempt</span><span class="p">(</span><span class="n">account</span><span class="nf">.to_account_info</span><span class="p">()</span><span class="nf">.lamports</span><span class="p">(),</span> <span class="n">account</span><span class="nf">.to_account_info</span><span class="p">()</span><span class="nf">.data_len</span><span class="p">()),</span> <span class="nn">ErrorCode</span><span class="p">::</span><span class="n">NotRentExempt</span> <span class="p">);</span> <span class="nf">Ok</span><span class="p">(())</span> <span class="p">}</span> <span class="c1">// Proper account closing</span> <span class="nd">#[derive(Accounts)]</span> <span class="k">pub</span> <span class="k">struct</span> <span class="n">Close</span><span class="o">&lt;</span><span class="nv">'info</span><span class="o">&gt;</span> <span class="p">{</span> <span class="nd">#[account(</span> <span class="nd">mut,</span> <span class="nd">close</span> <span class="nd">=</span> <span class="nd">destination,</span> <span class="c1">// Transfers lamports AND zeros data</span> <span class="nd">has_one</span> <span class="nd">=</span> <span class="nd">authority</span> <span class="nd">)]</span> <span class="k">pub</span> <span class="n">vault</span><span class="p">:</span> <span class="n">Account</span><span class="o">&lt;</span><span class="nv">'info</span><span class="p">,</span> <span class="n">Vault</span><span class="o">&gt;</span><span class="p">,</span> <span class="k">pub</span> <span class="n">authority</span><span class="p">:</span> <span class="n">Signer</span><span class="o">&lt;</span><span class="nv">'info</span><span class="o">&gt;</span><span class="p">,</span> <span class="nd">#[account(mut)]</span> <span class="k">pub</span> <span class="n">destination</span><span class="p">:</span> <span class="n">SystemAccount</span><span class="o">&lt;</span><span class="nv">'info</span><span class="o">&gt;</span><span class="p">,</span> <span class="p">}</span> </code></pre> </div> <p><strong>Pinocchio/Native:</strong> Manual checks and proper closing<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight rust"><code><span class="k">use</span> <span class="nn">solana_program</span><span class="p">::{</span> <span class="nn">account_info</span><span class="p">::</span><span class="n">AccountInfo</span><span class="p">,</span> <span class="nn">program_error</span><span class="p">::</span><span class="n">ProgramError</span><span class="p">,</span> <span class="nn">rent</span><span class="p">::</span><span class="n">Rent</span><span class="p">,</span> <span class="nn">sysvar</span><span class="p">::</span><span class="n">Sysvar</span><span class="p">,</span> <span class="n">system_instruction</span><span class="p">,</span> <span class="nn">program</span><span class="p">::</span><span class="n">invoke</span><span class="p">,</span> <span class="p">};</span> <span class="c1">// Check if account is uninitialized before creating</span> <span class="k">pub</span> <span class="k">fn</span> <span class="n">safe_initialize</span><span class="o">&lt;</span><span class="nv">'a</span><span class="o">&gt;</span><span class="p">(</span> <span class="n">account</span><span class="p">:</span> <span class="o">&amp;</span><span class="n">AccountInfo</span><span class="o">&lt;</span><span class="nv">'a</span><span class="o">&gt;</span><span class="p">,</span> <span class="n">payer</span><span class="p">:</span> <span class="o">&amp;</span><span class="n">AccountInfo</span><span class="o">&lt;</span><span class="nv">'a</span><span class="o">&gt;</span><span class="p">,</span> <span class="n">space</span><span class="p">:</span> <span class="nb">usize</span><span class="p">,</span> <span class="n">owner</span><span class="p">:</span> <span class="o">&amp;</span><span class="n">Pubkey</span><span class="p">,</span> <span class="n">system_program</span><span class="p">:</span> <span class="o">&amp;</span><span class="n">AccountInfo</span><span class="o">&lt;</span><span class="nv">'a</span><span class="o">&gt;</span><span class="p">,</span> <span class="p">)</span> <span class="k">-&gt;</span> <span class="nb">Result</span><span class="o">&lt;</span><span class="p">(),</span> <span class="n">ProgramError</span><span class="o">&gt;</span> <span class="p">{</span> <span class="c1">// Prevent account squatting</span> <span class="k">if</span> <span class="n">account</span><span class="nf">.lamports</span><span class="p">()</span> <span class="o">&gt;</span> <span class="mi">0</span> <span class="p">{</span> <span class="k">return</span> <span class="nf">Err</span><span class="p">(</span><span class="nn">ProgramError</span><span class="p">::</span><span class="n">AccountAlreadyInitialized</span><span class="p">);</span> <span class="p">}</span> <span class="c1">// Create account</span> <span class="k">let</span> <span class="n">rent</span> <span class="o">=</span> <span class="nn">Rent</span><span class="p">::</span><span class="nf">get</span><span class="p">()</span><span class="o">?</span><span class="p">;</span> <span class="k">let</span> <span class="n">lamports</span> <span class="o">=</span> <span class="n">rent</span><span class="nf">.minimum_balance</span><span class="p">(</span><span class="n">space</span><span class="p">);</span> <span class="nf">invoke</span><span class="p">(</span> <span class="o">&amp;</span><span class="nn">system_instruction</span><span class="p">::</span><span class="nf">create_account</span><span class="p">(</span> <span class="n">payer</span><span class="py">.key</span><span class="p">,</span> <span class="n">account</span><span class="py">.key</span><span class="p">,</span> <span class="n">lamports</span><span class="p">,</span> <span class="n">space</span> <span class="k">as</span> <span class="nb">u64</span><span class="p">,</span> <span class="n">owner</span><span class="p">,</span> <span class="p">),</span> <span class="o">&amp;</span><span class="p">[</span><span class="n">payer</span><span class="nf">.clone</span><span class="p">(),</span> <span class="n">account</span><span class="nf">.clone</span><span class="p">(),</span> <span class="n">system_program</span><span class="nf">.clone</span><span class="p">()],</span> <span class="p">)</span><span class="o">?</span><span class="p">;</span> <span class="nf">Ok</span><span class="p">(())</span> <span class="p">}</span> <span class="c1">// Verify rent exemption</span> <span class="k">pub</span> <span class="k">fn</span> <span class="nf">verify_rent_exempt</span><span class="p">(</span> <span class="n">account</span><span class="p">:</span> <span class="o">&amp;</span><span class="n">AccountInfo</span><span class="p">,</span> <span class="p">)</span> <span class="k">-&gt;</span> <span class="nb">Result</span><span class="o">&lt;</span><span class="p">(),</span> <span class="n">ProgramError</span><span class="o">&gt;</span> <span class="p">{</span> <span class="k">let</span> <span class="n">rent</span> <span class="o">=</span> <span class="nn">Rent</span><span class="p">::</span><span class="nf">get</span><span class="p">()</span><span class="o">?</span><span class="p">;</span> <span class="k">if</span> <span class="o">!</span><span class="n">rent</span><span class="nf">.is_exempt</span><span class="p">(</span><span class="n">account</span><span class="nf">.lamports</span><span class="p">(),</span> <span class="n">account</span><span class="nf">.data_len</span><span class="p">())</span> <span class="p">{</span> <span class="k">return</span> <span class="nf">Err</span><span class="p">(</span><span class="nn">ProgramError</span><span class="p">::</span><span class="n">InsufficientFunds</span><span class="p">);</span> <span class="p">}</span> <span class="nf">Ok</span><span class="p">(())</span> <span class="p">}</span> <span class="c1">// Properly close account</span> <span class="k">pub</span> <span class="k">fn</span> <span class="n">close_account</span><span class="o">&lt;</span><span class="nv">'a</span><span class="o">&gt;</span><span class="p">(</span> <span class="n">account</span><span class="p">:</span> <span class="o">&amp;</span><span class="n">AccountInfo</span><span class="o">&lt;</span><span class="nv">'a</span><span class="o">&gt;</span><span class="p">,</span> <span class="n">destination</span><span class="p">:</span> <span class="o">&amp;</span><span class="n">AccountInfo</span><span class="o">&lt;</span><span class="nv">'a</span><span class="o">&gt;</span><span class="p">,</span> <span class="p">)</span> <span class="k">-&gt;</span> <span class="nb">Result</span><span class="o">&lt;</span><span class="p">(),</span> <span class="n">ProgramError</span><span class="o">&gt;</span> <span class="p">{</span> <span class="c1">// Transfer ALL lamports to destination</span> <span class="k">let</span> <span class="n">dest_starting_lamports</span> <span class="o">=</span> <span class="n">destination</span><span class="nf">.lamports</span><span class="p">();</span> <span class="o">**</span><span class="n">destination</span><span class="py">.lamports</span><span class="nf">.borrow_mut</span><span class="p">()</span> <span class="o">=</span> <span class="n">dest_starting_lamports</span> <span class="nf">.checked_add</span><span class="p">(</span><span class="n">account</span><span class="nf">.lamports</span><span class="p">())</span> <span class="nf">.ok_or</span><span class="p">(</span><span class="nn">ProgramError</span><span class="p">::</span><span class="n">ArithmeticOverflow</span><span class="p">)</span><span class="o">?</span><span class="p">;</span> <span class="o">**</span><span class="n">account</span><span class="py">.lamports</span><span class="nf">.borrow_mut</span><span class="p">()</span> <span class="o">=</span> <span class="mi">0</span><span class="p">;</span> <span class="c1">// Zero out data to prevent revival</span> <span class="n">account</span><span class="py">.data</span><span class="nf">.borrow_mut</span><span class="p">()</span><span class="nf">.fill</span><span class="p">(</span><span class="mi">0</span><span class="p">);</span> <span class="c1">// Assign to system program (optional but recommended)</span> <span class="n">account</span><span class="nf">.assign</span><span class="p">(</span><span class="o">&amp;</span><span class="nn">solana_program</span><span class="p">::</span><span class="nn">system_program</span><span class="p">::</span><span class="n">ID</span><span class="p">);</span> <span class="nf">Ok</span><span class="p">(())</span> <span class="p">}</span> </code></pre> </div> <h2> 15. Owner Change Without Verification (MEDIUM) </h2> <h3> What It Is </h3> <p>Solana accounts have an "owner" field. Some legitimate use cases change ownership (like creating PDAs). But if a program doesn't track or verify ownership changes, attackers can reassign account ownership to bypass checks.</p> <h3> Attack Pattern </h3> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>1. Program checks account.owner == expected_program at start 2. During CPI, attacker's malicious program changes owner 3. Program continues using account assuming original owner 4. Account now owned by attacker's program 5. Later operations trust wrong owner </code></pre> </div> <h3> How to Fix </h3> <p><strong>Anchor:</strong> Verify owner before and after CPI<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight rust"><code><span class="k">use</span> <span class="nn">anchor_lang</span><span class="p">::</span><span class="nn">prelude</span><span class="p">::</span><span class="o">*</span><span class="p">;</span> <span class="k">pub</span> <span class="k">fn</span> <span class="n">safe_cpi_with_owner_check</span><span class="o">&lt;</span><span class="nv">'info</span><span class="o">&gt;</span><span class="p">(</span> <span class="n">ctx</span><span class="p">:</span> <span class="n">Context</span><span class="o">&lt;</span><span class="nv">'_</span><span class="p">,</span> <span class="nv">'_</span><span class="p">,</span> <span class="nv">'_</span><span class="p">,</span> <span class="nv">'info</span><span class="p">,</span> <span class="n">SafeCPI</span><span class="o">&lt;</span><span class="nv">'info</span><span class="o">&gt;&gt;</span><span class="p">,</span> <span class="p">)</span> <span class="k">-&gt;</span> <span class="nb">Result</span><span class="o">&lt;</span><span class="p">()</span><span class="o">&gt;</span> <span class="p">{</span> <span class="k">let</span> <span class="n">account</span> <span class="o">=</span> <span class="o">&amp;</span><span class="n">ctx</span><span class="py">.accounts.mutable_account</span><span class="p">;</span> <span class="c1">// Store owner before CPI</span> <span class="k">let</span> <span class="n">owner_before</span> <span class="o">=</span> <span class="o">*</span><span class="n">account</span><span class="nf">.to_account_info</span><span class="p">()</span><span class="py">.owner</span><span class="p">;</span> <span class="c1">// Perform CPI (example: some external program call)</span> <span class="c1">// invoke(...)?;</span> <span class="c1">// Verify owner hasn't changed</span> <span class="nd">require!</span><span class="p">(</span> <span class="o">*</span><span class="n">account</span><span class="nf">.to_account_info</span><span class="p">()</span><span class="py">.owner</span> <span class="o">==</span> <span class="n">owner_before</span><span class="p">,</span> <span class="nn">ErrorCode</span><span class="p">::</span><span class="n">UnexpectedOwnerChange</span> <span class="p">);</span> <span class="nf">Ok</span><span class="p">(())</span> <span class="p">}</span> <span class="nd">#[derive(Accounts)]</span> <span class="k">pub</span> <span class="k">struct</span> <span class="n">SafeCPI</span><span class="o">&lt;</span><span class="nv">'info</span><span class="o">&gt;</span> <span class="p">{</span> <span class="cd">/// CHECK: Owner verified manually</span> <span class="nd">#[account(mut)]</span> <span class="k">pub</span> <span class="n">mutable_account</span><span class="p">:</span> <span class="n">AccountInfo</span><span class="o">&lt;</span><span class="nv">'info</span><span class="o">&gt;</span><span class="p">,</span> <span class="p">}</span> <span class="nd">#[error_code]</span> <span class="k">pub</span> <span class="k">enum</span> <span class="n">ErrorCode</span> <span class="p">{</span> <span class="nd">#[msg(</span><span class="s">"Account owner changed unexpectedly during CPI"</span><span class="nd">)]</span> <span class="n">UnexpectedOwnerChange</span><span class="p">,</span> <span class="p">}</span> </code></pre> </div> <p><strong>Pinocchio/Native:</strong> Manual owner verification<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight rust"><code><span class="k">use</span> <span class="nn">solana_program</span><span class="p">::{</span> <span class="nn">account_info</span><span class="p">::</span><span class="n">AccountInfo</span><span class="p">,</span> <span class="nn">program_error</span><span class="p">::</span><span class="n">ProgramError</span><span class="p">,</span> <span class="nn">pubkey</span><span class="p">::</span><span class="n">Pubkey</span><span class="p">,</span> <span class="nn">program</span><span class="p">::</span><span class="n">invoke</span><span class="p">,</span> <span class="p">};</span> <span class="k">pub</span> <span class="k">fn</span> <span class="n">safe_cpi_with_owner_check</span><span class="o">&lt;</span><span class="nv">'a</span><span class="o">&gt;</span><span class="p">(</span> <span class="n">account</span><span class="p">:</span> <span class="o">&amp;</span><span class="n">AccountInfo</span><span class="o">&lt;</span><span class="nv">'a</span><span class="o">&gt;</span><span class="p">,</span> <span class="n">program_to_invoke</span><span class="p">:</span> <span class="o">&amp;</span><span class="n">AccountInfo</span><span class="o">&lt;</span><span class="nv">'a</span><span class="o">&gt;</span><span class="p">,</span> <span class="n">expected_owner</span><span class="p">:</span> <span class="o">&amp;</span><span class="n">Pubkey</span><span class="p">,</span> <span class="p">)</span> <span class="k">-&gt;</span> <span class="nb">Result</span><span class="o">&lt;</span><span class="p">(),</span> <span class="n">ProgramError</span><span class="o">&gt;</span> <span class="p">{</span> <span class="c1">// Verify owner matches expectation</span> <span class="k">if</span> <span class="n">account</span><span class="py">.owner</span> <span class="o">!=</span> <span class="n">expected_owner</span> <span class="p">{</span> <span class="k">return</span> <span class="nf">Err</span><span class="p">(</span><span class="nn">ProgramError</span><span class="p">::</span><span class="n">IllegalOwner</span><span class="p">);</span> <span class="p">}</span> <span class="c1">// Store owner before CPI</span> <span class="k">let</span> <span class="n">owner_before</span> <span class="o">=</span> <span class="o">*</span><span class="n">account</span><span class="py">.owner</span><span class="p">;</span> <span class="c1">// Perform CPI</span> <span class="nf">invoke</span><span class="p">(</span> <span class="o">&amp;</span><span class="n">some_instruction</span><span class="p">,</span> <span class="o">&amp;</span><span class="p">[</span><span class="n">account</span><span class="nf">.clone</span><span class="p">(),</span> <span class="n">program_to_invoke</span><span class="nf">.clone</span><span class="p">()],</span> <span class="p">)</span><span class="o">?</span><span class="p">;</span> <span class="c1">// Verify owner hasn't changed</span> <span class="k">if</span> <span class="n">account</span><span class="py">.owner</span> <span class="o">!=</span> <span class="o">&amp;</span><span class="n">owner_before</span> <span class="p">{</span> <span class="k">return</span> <span class="nf">Err</span><span class="p">(</span><span class="nn">ProgramError</span><span class="p">::</span><span class="n">IllegalOwner</span><span class="p">);</span> <span class="p">}</span> <span class="nf">Ok</span><span class="p">(())</span> <span class="p">}</span> <span class="c1">// Alternative: Verify owner after any suspicious CPI</span> <span class="k">pub</span> <span class="k">fn</span> <span class="n">verify_owner_unchanged</span><span class="o">&lt;</span><span class="nv">'a</span><span class="o">&gt;</span><span class="p">(</span> <span class="n">account</span><span class="p">:</span> <span class="o">&amp;</span><span class="n">AccountInfo</span><span class="o">&lt;</span><span class="nv">'a</span><span class="o">&gt;</span><span class="p">,</span> <span class="n">expected_owner</span><span class="p">:</span> <span class="o">&amp;</span><span class="n">Pubkey</span><span class="p">,</span> <span class="p">)</span> <span class="k">-&gt;</span> <span class="nb">Result</span><span class="o">&lt;</span><span class="p">(),</span> <span class="n">ProgramError</span><span class="o">&gt;</span> <span class="p">{</span> <span class="k">if</span> <span class="n">account</span><span class="py">.owner</span> <span class="o">!=</span> <span class="n">expected_owner</span> <span class="p">{</span> <span class="k">return</span> <span class="nf">Err</span><span class="p">(</span><span class="nn">ProgramError</span><span class="p">::</span><span class="n">IllegalOwner</span><span class="p">);</span> <span class="p">}</span> <span class="nf">Ok</span><span class="p">(())</span> <span class="p">}</span> </code></pre> </div> <p><strong>Note:</strong> This is rare but can be combined with reload vulnerabilities.</p> <h2> 16. Create Account DoS (MEDIUM) </h2> <h3> What It Is </h3> <p>SystemProgram::CreateAccount fails if the account already has lamports. Attacker can grief by sending 1 lamport to your deterministic addresses, blocking initialization.</p> <h3> Attack Pattern </h3> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>1. Protocol uses deterministic PDA: seeds = [b"vault", user.key] 2. Attacker calculates same address 3. Attacker sends 1 lamport to that address 4. User tries to initialize vault 5. CreateAccount fails (account has balance) 6. User can't use protocol </code></pre> </div> <h3> How to Fix </h3> <p><strong>Anchor:</strong> Use <code>init_if_needed</code> with caution or check for existing lamports<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight rust"><code><span class="k">use</span> <span class="nn">anchor_lang</span><span class="p">::</span><span class="nn">prelude</span><span class="p">::</span><span class="o">*</span><span class="p">;</span> <span class="c1">// Option 1: Use init_if_needed (be aware of reinitialization risks)</span> <span class="nd">#[derive(Accounts)]</span> <span class="k">pub</span> <span class="k">struct</span> <span class="n">Initialize</span><span class="o">&lt;</span><span class="nv">'info</span><span class="o">&gt;</span> <span class="p">{</span> <span class="nd">#[account(</span> <span class="nd">init_if_needed,</span> <span class="c1">// Will use existing account if it has lamports</span> <span class="nd">payer</span> <span class="nd">=</span> <span class="nd">user,</span> <span class="nd">space</span> <span class="nd">=</span> <span class="mi">8</span> <span class="err">+</span> <span class="mi">32</span> <span class="err">+</span> <span class="mi">8</span><span class="nd">,</span> <span class="nd">seeds</span> <span class="nd">=</span> <span class="err">[</span><span class="s">b"vault"</span><span class="nd">,</span> <span class="nd">user</span><span class="err">.</span><span class="nd">key()</span><span class="err">.</span><span class="nd">as_ref()]</span><span class="p">,</span> <span class="n">bump</span> <span class="p">)]</span> <span class="k">pub</span> <span class="n">vault</span><span class="p">:</span> <span class="n">Account</span><span class="o">&lt;</span><span class="nv">'info</span><span class="p">,</span> <span class="n">Vault</span><span class="o">&gt;</span><span class="p">,</span> <span class="nd">#[account(mut)]</span> <span class="k">pub</span> <span class="n">user</span><span class="p">:</span> <span class="n">Signer</span><span class="o">&lt;</span><span class="nv">'info</span><span class="o">&gt;</span><span class="p">,</span> <span class="k">pub</span> <span class="n">system_program</span><span class="p">:</span> <span class="n">Program</span><span class="o">&lt;</span><span class="nv">'info</span><span class="p">,</span> <span class="n">System</span><span class="o">&gt;</span><span class="p">,</span> <span class="p">}</span> <span class="c1">// Option 2: Explicitly handle existing accounts</span> <span class="k">pub</span> <span class="k">fn</span> <span class="nf">initialize_safe</span><span class="p">(</span><span class="n">ctx</span><span class="p">:</span> <span class="n">Context</span><span class="o">&lt;</span><span class="n">InitializeSafe</span><span class="o">&gt;</span><span class="p">)</span> <span class="k">-&gt;</span> <span class="nb">Result</span><span class="o">&lt;</span><span class="p">()</span><span class="o">&gt;</span> <span class="p">{</span> <span class="k">let</span> <span class="n">vault</span> <span class="o">=</span> <span class="o">&amp;</span><span class="k">mut</span> <span class="n">ctx</span><span class="py">.accounts.vault</span><span class="p">;</span> <span class="c1">// If account exists and is initialized, return error</span> <span class="k">if</span> <span class="n">vault</span><span class="nf">.to_account_info</span><span class="p">()</span><span class="nf">.lamports</span><span class="p">()</span> <span class="o">&gt;</span> <span class="mi">0</span> <span class="p">{</span> <span class="nd">require!</span><span class="p">(</span><span class="o">!</span><span class="n">vault</span><span class="py">.is_initialized</span><span class="p">,</span> <span class="nn">ErrorCode</span><span class="p">::</span><span class="n">AlreadyInitialized</span><span class="p">);</span> <span class="p">}</span> <span class="c1">// Initialize vault data</span> <span class="n">vault</span><span class="py">.authority</span> <span class="o">=</span> <span class="n">ctx</span><span class="py">.accounts.user</span><span class="nf">.key</span><span class="p">();</span> <span class="n">vault</span><span class="py">.balance</span> <span class="o">=</span> <span class="mi">0</span><span class="p">;</span> <span class="n">vault</span><span class="py">.is_initialized</span> <span class="o">=</span> <span class="k">true</span><span class="p">;</span> <span class="nf">Ok</span><span class="p">(())</span> <span class="p">}</span> <span class="nd">#[account]</span> <span class="k">pub</span> <span class="k">struct</span> <span class="n">Vault</span> <span class="p">{</span> <span class="k">pub</span> <span class="n">authority</span><span class="p">:</span> <span class="n">Pubkey</span><span class="p">,</span> <span class="k">pub</span> <span class="n">balance</span><span class="p">:</span> <span class="nb">u64</span><span class="p">,</span> <span class="k">pub</span> <span class="n">is_initialized</span><span class="p">:</span> <span class="nb">bool</span><span class="p">,</span> <span class="p">}</span> </code></pre> </div> <p><strong>Pinocchio/Native:</strong> Handle existing lamports gracefully<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight rust"><code><span class="k">use</span> <span class="nn">solana_program</span><span class="p">::{</span> <span class="nn">account_info</span><span class="p">::</span><span class="n">AccountInfo</span><span class="p">,</span> <span class="nn">program_error</span><span class="p">::</span><span class="n">ProgramError</span><span class="p">,</span> <span class="n">system_instruction</span><span class="p">,</span> <span class="nn">program</span><span class="p">::</span><span class="n">invoke</span><span class="p">,</span> <span class="nn">rent</span><span class="p">::</span><span class="n">Rent</span><span class="p">,</span> <span class="nn">sysvar</span><span class="p">::</span><span class="n">Sysvar</span><span class="p">,</span> <span class="p">};</span> <span class="k">pub</span> <span class="k">fn</span> <span class="n">initialize_account_safe</span><span class="o">&lt;</span><span class="nv">'a</span><span class="o">&gt;</span><span class="p">(</span> <span class="n">account</span><span class="p">:</span> <span class="o">&amp;</span><span class="n">AccountInfo</span><span class="o">&lt;</span><span class="nv">'a</span><span class="o">&gt;</span><span class="p">,</span> <span class="n">payer</span><span class="p">:</span> <span class="o">&amp;</span><span class="n">AccountInfo</span><span class="o">&lt;</span><span class="nv">'a</span><span class="o">&gt;</span><span class="p">,</span> <span class="n">space</span><span class="p">:</span> <span class="nb">usize</span><span class="p">,</span> <span class="n">owner</span><span class="p">:</span> <span class="o">&amp;</span><span class="n">Pubkey</span><span class="p">,</span> <span class="n">system_program</span><span class="p">:</span> <span class="o">&amp;</span><span class="n">AccountInfo</span><span class="o">&lt;</span><span class="nv">'a</span><span class="o">&gt;</span><span class="p">,</span> <span class="p">)</span> <span class="k">-&gt;</span> <span class="nb">Result</span><span class="o">&lt;</span><span class="p">(),</span> <span class="n">ProgramError</span><span class="o">&gt;</span> <span class="p">{</span> <span class="k">let</span> <span class="n">rent</span> <span class="o">=</span> <span class="nn">Rent</span><span class="p">::</span><span class="nf">get</span><span class="p">()</span><span class="o">?</span><span class="p">;</span> <span class="k">let</span> <span class="n">required_lamports</span> <span class="o">=</span> <span class="n">rent</span><span class="nf">.minimum_balance</span><span class="p">(</span><span class="n">space</span><span class="p">);</span> <span class="k">if</span> <span class="n">account</span><span class="nf">.lamports</span><span class="p">()</span> <span class="o">&gt;</span> <span class="mi">0</span> <span class="p">{</span> <span class="c1">// Account has lamports - check if properly initialized</span> <span class="k">if</span> <span class="n">account</span><span class="nf">.data_len</span><span class="p">()</span> <span class="o">!=</span> <span class="n">space</span> <span class="p">||</span> <span class="n">account</span><span class="py">.owner</span> <span class="o">!=</span> <span class="n">owner</span> <span class="p">{</span> <span class="c1">// Account exists but wrong size/owner</span> <span class="k">return</span> <span class="nf">Err</span><span class="p">(</span><span class="nn">ProgramError</span><span class="p">::</span><span class="n">InvalidAccountData</span><span class="p">);</span> <span class="p">}</span> <span class="c1">// Check if account has enough lamports for rent</span> <span class="k">if</span> <span class="n">account</span><span class="nf">.lamports</span><span class="p">()</span> <span class="o">&lt;</span> <span class="n">required_lamports</span> <span class="p">{</span> <span class="c1">// Transfer additional lamports needed</span> <span class="k">let</span> <span class="n">additional</span> <span class="o">=</span> <span class="n">required_lamports</span> <span class="o">-</span> <span class="n">account</span><span class="nf">.lamports</span><span class="p">();</span> <span class="nf">invoke</span><span class="p">(</span> <span class="o">&amp;</span><span class="nn">system_instruction</span><span class="p">::</span><span class="nf">transfer</span><span class="p">(</span><span class="n">payer</span><span class="py">.key</span><span class="p">,</span> <span class="n">account</span><span class="py">.key</span><span class="p">,</span> <span class="n">additional</span><span class="p">),</span> <span class="o">&amp;</span><span class="p">[</span><span class="n">payer</span><span class="nf">.clone</span><span class="p">(),</span> <span class="n">account</span><span class="nf">.clone</span><span class="p">()],</span> <span class="p">)</span><span class="o">?</span><span class="p">;</span> <span class="p">}</span> <span class="c1">// Use existing account</span> <span class="p">}</span> <span class="k">else</span> <span class="p">{</span> <span class="c1">// Account is empty - create normally</span> <span class="nf">invoke</span><span class="p">(</span> <span class="o">&amp;</span><span class="nn">system_instruction</span><span class="p">::</span><span class="nf">create_account</span><span class="p">(</span> <span class="n">payer</span><span class="py">.key</span><span class="p">,</span> <span class="n">account</span><span class="py">.key</span><span class="p">,</span> <span class="n">required_lamports</span><span class="p">,</span> <span class="n">space</span> <span class="k">as</span> <span class="nb">u64</span><span class="p">,</span> <span class="n">owner</span><span class="p">,</span> <span class="p">),</span> <span class="o">&amp;</span><span class="p">[</span><span class="n">payer</span><span class="nf">.clone</span><span class="p">(),</span> <span class="n">account</span><span class="nf">.clone</span><span class="p">(),</span> <span class="n">system_program</span><span class="nf">.clone</span><span class="p">()],</span> <span class="p">)</span><span class="o">?</span><span class="p">;</span> <span class="p">}</span> <span class="nf">Ok</span><span class="p">(())</span> <span class="p">}</span> <span class="c1">// Alternative: Use allocate + assign if account has lamports</span> <span class="k">pub</span> <span class="k">fn</span> <span class="n">allocate_and_assign</span><span class="o">&lt;</span><span class="nv">'a</span><span class="o">&gt;</span><span class="p">(</span> <span class="n">account</span><span class="p">:</span> <span class="o">&amp;</span><span class="n">AccountInfo</span><span class="o">&lt;</span><span class="nv">'a</span><span class="o">&gt;</span><span class="p">,</span> <span class="n">space</span><span class="p">:</span> <span class="nb">usize</span><span class="p">,</span> <span class="n">owner</span><span class="p">:</span> <span class="o">&amp;</span><span class="n">Pubkey</span><span class="p">,</span> <span class="p">)</span> <span class="k">-&gt;</span> <span class="nb">Result</span><span class="o">&lt;</span><span class="p">(),</span> <span class="n">ProgramError</span><span class="o">&gt;</span> <span class="p">{</span> <span class="k">if</span> <span class="n">account</span><span class="py">.owner</span> <span class="o">!=</span> <span class="o">&amp;</span><span class="nn">solana_program</span><span class="p">::</span><span class="nn">system_program</span><span class="p">::</span><span class="n">ID</span> <span class="p">{</span> <span class="k">return</span> <span class="nf">Err</span><span class="p">(</span><span class="nn">ProgramError</span><span class="p">::</span><span class="n">IllegalOwner</span><span class="p">);</span> <span class="p">}</span> <span class="c1">// Allocate space</span> <span class="nf">invoke</span><span class="p">(</span> <span class="o">&amp;</span><span class="nn">system_instruction</span><span class="p">::</span><span class="nf">allocate</span><span class="p">(</span><span class="n">account</span><span class="py">.key</span><span class="p">,</span> <span class="n">space</span> <span class="k">as</span> <span class="nb">u64</span><span class="p">),</span> <span class="o">&amp;</span><span class="p">[</span><span class="n">account</span><span class="nf">.clone</span><span class="p">()],</span> <span class="p">)</span><span class="o">?</span><span class="p">;</span> <span class="c1">// Assign to program</span> <span class="nf">invoke</span><span class="p">(</span> <span class="o">&amp;</span><span class="nn">system_instruction</span><span class="p">::</span><span class="nf">assign</span><span class="p">(</span><span class="n">account</span><span class="py">.key</span><span class="p">,</span> <span class="n">owner</span><span class="p">),</span> <span class="o">&amp;</span><span class="p">[</span><span class="n">account</span><span class="nf">.clone</span><span class="p">()],</span> <span class="p">)</span><span class="o">?</span><span class="p">;</span> <span class="nf">Ok</span><span class="p">(())</span> <span class="p">}</span> </code></pre> </div> <p>Blockchain data is public. All of it. Use VRF or don't do randomness.</p> <h2> The Complete Security Checklist </h2> <p>Before deploying any Solana program, verify:</p> <h3> Access Control </h3> <ul> <li>[ ] Every privileged account requires signer check (<code>Signer</code> or <code>is_signer()</code>)</li> <li>[ ] Every program account is owned by your program (<code>Account&lt;T&gt;</code> or manual owner check)</li> <li>[ ] Token accounts validated for correct mint and owner</li> <li>[ ] All account relationships explicitly verified with constraints</li> </ul> <h3> Account Validation </h3> <ul> <li>[ ] Every account type has unique discriminator</li> <li>[ ] PDAs use canonical bump, stored and verified</li> <li>[ ] Initialize instructions reject already-initialized accounts</li> <li>[ ] No duplicate mutable accounts in transfers or updates</li> </ul> <h3> Cross-Program Security </h3> <ul> <li>[ ] All CPI targets use fixed, validated program IDs</li> <li>[ ] Never invoke user-supplied program IDs</li> <li>[ ] PDA seeds properly scoped to prevent collision</li> </ul> <h3> Arithmetic Safety </h3> <ul> <li>[ ] All balance/amount operations use checked arithmetic</li> <li>[ ] Overflow checks enabled in release builds</li> <li>[ ] Explicit bounds validation before math operations</li> </ul> <h3> State Management </h3> <ul> <li>[ ] Closed accounts have data zeroed</li> <li>[ ] Lamports properly transferred on close</li> <li>[ ] No revival of closed accounts possible</li> </ul> <h3> Randomness </h3> <ul> <li>[ ] No use of slot, timestamp, or blockhash for randomness</li> <li>[ ] VRF or commit-reveal for any random outcomes</li> <li>[ ] All on-chain data treated as public and predictable</li> </ul> <h2> Real Talk </h2> <p>Security isn't about perfect code. It's about recognizing that every missing check is money waiting to be stolen. Every unvalidated account is an open vault. Every assumption is a vulnerability.</p> <p>The programs in this repository show both sides: the vulnerable version that would lose everything, and the secure version that survives. The difference is often a single line of code. But that line is worth millions.</p> <p>You cannot test your way to security. You cannot hope attackers won't find bugs. You must validate everything, trust nothing, and assume every user is trying to rob you. Because on a blockchain, they probably are.</p> <p>This isn't paranoia. It's math. Your program is public. The money is real. The attackers are here.</p> <p>Build accordingly.</p> <h2> Implementation Details </h2> <p>This guide is accompanied by a repository containing:</p> <ul> <li> <p><strong>15 Complete Vulnerability Examples</strong></p> <ul> <li>Each with vulnerable and secure versions</li> <li>Implementation in both Anchor and Pinocchio</li> <li>Tests demonstrating the exploit and the fix</li> <li>Line-by-line annotations explaining what went wrong</li> </ul> </li> <li> <p><strong>Real Attack Simulations</strong></p> <ul> <li>Executable tests that actually perform the attacks</li> <li>Proof that vulnerable code fails</li> <li>Proof that secure code prevents the attack</li> </ul> </li> <li> <p><strong>Comparative Framework Analysis</strong></p> <ul> <li>Side-by-side Anchor vs Pinocchio implementations</li> <li>Framework-specific security features</li> <li>When to use each approach</li> </ul> </li> </ul> <p>All code is open source and designed for learning. Break it. Fix it. Learn from it. Then write code that can't be broken.</p> <p><strong><a href="https://github.com/mira4sol/solana-security-examples" rel="noopener noreferrer">The repository contains the examples. This guide explains why they matter</a>.</strong><br> <a href="https://github.com/mira4sol/solana-security-examples" rel="noopener noreferrer">https://github.com/mira4sol/solana-security-examples</a></p> solana security web3