DEV Community: Hasip Timurtas The latest articles on DEV Community by Hasip Timurtas (@hasiptimurtas). https://dev.to/hasiptimurtas https://media2.dev.to/dynamic/image/width=90,height=90,fit=cover,gravity=auto,format=auto/https:%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Fuser%2Fprofile_image%2F273043%2F59cd4056-e7f0-4d65-8ce0-e5ab7638813a.jpg DEV Community: Hasip Timurtas https://dev.to/hasiptimurtas en Catch Solana smart contract bugs before they hit mainnet - Solsec CLI tool in Rust Hasip Timurtas Wed, 25 Jun 2025 14:02:42 +0000 https://dev.to/hasiptimurtas/catch-solana-smart-contract-bugs-before-they-hit-mainnet-solsec-cli-tool-in-rust-3931 https://dev.to/hasiptimurtas/catch-solana-smart-contract-bugs-before-they-hit-mainnet-solsec-cli-tool-in-rust-3931 <p>Hey Solana devs 👋</p> <p>I built <a href="https://github.com/hasip-timurtas/solsec" rel="noopener noreferrer">Solsec</a>, a Rust-powered CLI that performs <strong>static analysis</strong> on your Solana smart contracts and catches real vulnerabilities before they hit mainnet.</p> <p>This isn't just a basic linter. It runs deep security checks and flags critical issues based on actual exploit patterns.</p> <h1> 🚨 What it detects: </h1> <ul> <li>🔴 <strong>Critical</strong>: <ul> <li>Unchecked account access (e.g., unsafe <code>transmute</code>, raw pointers)</li> <li>Privilege escalation (e.g., admin/owner changes without checks)</li> </ul> </li> <li>🟠 <strong>High</strong>: <ul> <li>Reentrancy issues (CPI followed by state changes)</li> <li>Missing signer validations</li> <li>PDA validation issues</li> <li>Insufficient input validation</li> </ul> </li> <li>🟡 <strong>Medium</strong>: <ul> <li>Integer overflow</li> <li>Unsafe arithmetic (division by zero, unchecked subtraction)</li> </ul> </li> <li>🔵 <strong>Other checks</strong>: <ul> <li>Lamport manipulation</li> <li>Program ID validation</li> <li>Missing bump seeds</li> </ul> </li> </ul> <h1> ⚙️ Features: </h1> <ul> <li>Instant scanning of whole projects</li> <li>Smart file system traversal (multi-contract layout supported)</li> <li>Clear CLI output with line numbers</li> <li>No config required</li> <li>CI/CD ready (<code>--fail-on-critical</code>, <code>--format json/html</code>)</li> <li>Built in Rust, open source, fast as hell</li> </ul> <p>📦 <a href="https://crates.io/crates/solsec" rel="noopener noreferrer">crates.io</a><br><br> 🛠 <a href="https://github.com/hasip-timurtas/solsec" rel="noopener noreferrer">GitHub</a></p> <h1> Sample output: </h1> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>🔍 Running checks… ⚠️ Unchecked unwrap() at programs/myapp/src/lib.rs:42 ❌ Missing account validation for ‘ctx.accounts.authority’ ⚠️ Potential panic detected in match statement ✅ All other checks passed! </code></pre> </div> <p>If you're building Solana programs especially with Anchor Solsec can save you from hours of painful audits and dangerous bugs.</p> <p>Would love your thoughts:</p> <ul> <li>Which rules should I add next?</li> <li>Would you use this in your pipeline?</li> <li>Got any repos I should test it on?</li> </ul> <p>Let’s make Solana development more secure, together 🛡️</p> <p>#Solana #RustLang #BlockchainSecurity #Web3Dev #AnchorLang</p>