How to do Solana Smart Contract Auditing Contrary to Rising Hacks

Solana claims to be the fastest-growing blockchain network due to its higher scalability. Operated on proof-of-history consensus is all the reason for its greater scalability in processing up to 710,000 transactions per second.

Despite Solana’s enormous popularity, the security of its smart contracts is not thoroughly tested. And testing is as much crucial in delivering the brand value as promised to the partners and fostering the investor’s reliability on your project.

In this article, we shall unwind the possible Solana coding defects and how Solana smart contract auditing helps identify and rectify them.

Different Scenarios Of Hacks On Solana Blockchain Explained

Wormhole Hack

Wormhole, a blockchain bridge that facilitates tokenized exchanges between different blockchains, joins the string of crypto projects hacked. The total loss of funds is around $320 million- one of the major money laundering events in the crypto field.

History of hack

As we know, Wormhole allows the transfer of assets between different blockchains. But, the question is, how it is done?

Token created on each chain, i.e. Ethereum or Solana, is managed by the smart contracts. And to transfer the tokens, the transactions are approved by Guardians who check whether the minted tokens are correctly generated by verifying their signatures.

In the Wormhole incident, the verify _signature function is exploited with which the hacker created an instruction with fake data to validate their transactions.

Through this, the hacker created a signature_set containing enough number of signatures required for Validator Action Approval (VAA). Thereby, the hacker gained access to initiate the unauthorized mint.

By this, the hacker was able to lay hands on 120,000 wrapped Ethereum worth $320 million, looting them away. 

Crema Finance Hack

Crema Finance, the liquidity protocol in the list of Solana blockchain projects, suffered a hack losing $8.78 million.

History of Hack

The hacker deployed a smart contract to take a flash loan on Solana and add liquidity on Crema. The pricing data was then manipulated, allowing the hackers to make it look like they own a huge fee amount— all with fake data.

The Crema team traced the flow of funds which the hacker managed to swap from Solana to Ethereum. The team immediately cautioned the hacker to return the stolen funds by accepting the bounty.

And soon after, the hacker returned the funds retaining $1.6M as a white hat bounty.

Cashio Hack

Cashio (CASH), a native algorithmically-backed stablecoin of Solana, lost a whopping $52.8 million due to infinite mint error. Following this, the value of the coin went from $1 to $0.00005, crashing the DeFi ecosystem.

History Of Hack

Exploiting Cashio’s codebase, the hacker first minted two billion CASH tokens. What was wrong with the code?

The Infinite Mint Glitch— This error in the protocol gives the user access to mint any number of tokens without placing any collateral. The user can then sell these minted tokens in the exchanges, which crashes the price of the coin.

In Cashio exploit, the hacker burnt from the two million CASH tokens for the Saber USDT-USDC LP tokens. The Liquidity Pair tokens are then swapped for USDC and USDT tokens resulting in the draining of $52.8M.

How To Safeguard Projects From Hacks And Thefts?

While security is always a work-in-progress, the tried and tested techniques adopted by developers and auditors can mitigate hackers from easily performing attacks.

Security measures have proved effective in eliminating governance attacks, price oracle manipulation, Reentrancy errors, etc. So, let’s now find the security measures that deter attackers from exploiting contracts and laundering money.

Smart coding of contracts: Write contracts using secure coding practices, which include the use of tested libraries, recommendable programming language, implementing special security on wallets, defining functions clearly and so on.

Actionize blockchain security checklist: Many well-researched resources are available which can be checked through to ensure protection from hacks.

Use of security audit tools: Utilizing open-source security scanners can automate vulnerability assessments on contracts, assisting in detecting potential flaws, although they may not catch all errors but are valuable for initial checks. Various audit tools are instrumental in identifying bugs in blockchain and smart contracts, including MythX, Echidna, Manticore, Oyente, and SmartCheck. Additionally, advanced security audit AI agents such as QuillShield and QuillCheck are becoming increasingly essential in enhancing the depth and effectiveness of contract security evaluations.

Undertake Pentesting and auditing services: Last but not least, auditing smart contracts can never be underrated. Minute loopholes help the hackers find a way to intrude and crash the contracts.

Security audits and periodic pentesting thoroughly analyse the project and eliminate even the slightest possibilities for the hackers. Having known that auditing and pentesting services hold greater significance in offering security, let’s step-wise understand how it’s done.

Role Of Auditing In Securing Smart Contracts

Auditing involves a series of steps from automated testing to manual review, widely covering all the aspects of coding and checking for any weak spots present in the code. Some of the specifications covered in the Solana auditing process include;

• Functionality checks
• Freezing of a contract

• Token supply manipulation
• User balance manipulation
• Kill-switch mechanism
• Operation trials & event generation, and so on

Steps Followed By QuillAudits to Audit a Solana Smart Contract

The auditing of Solana smart contracts is done with the utmost diligence, and a well-elaborative audit report is furnished with all the analysis from the auditing. The step-by-step workflow is given below.

Step 1- Gathering Details

The idea and the intended purpose of the project are collected and studied from the client to understand and gain complete knowledge of the code and its functioning. Once the discussions are over, the auditors freeze the code to move to the next step of the auditing process.

Step 2- Manual testing

Our experienced in-house auditors check for the intricacies and vulnerability concerns in the code. It includes looking out for mathematical errors, logical issues, etc.

Step 3- Functionality testing

This process comprises testing contracts under different conditions and verifying data fetched by the Solana smart contracts. The smart contract is tested to ensure the intended actions are performed correctly.

Step 4- Testing on latest attack vectors

The recent attacks are studied, and tests are carried out on smart contracts to make sure they offer full resistance to attacks. It includes checking for attacks such as market manipulation, LP pricing, front running vectors, etc.

Step 5- Automated tool testing

Tools such as Soteria, cargo-Clippy, cargo-audit and specialised tools for Solana smart contract auditing are implemented to look out for any errors. We also implement techniques like fuzzing to ensure that we may articulate real-world attack vectors as much as possible.

Step 6- Initial audit report

Initial audit report presents the bugs in the contract, and then we send it to the developer team to resolve them.

Step 7- Final audit report

The report is tested for the corrections made by the development team, and then the final audit report is submitted.

Final Thoughts

The emphasis on the need for Solana smart contract auditing services to resolve the conceivable flaws and technical mishaps to shield them from hackers is made clear from this.

And not to mention, QuillAudits have the expertise armed with all-advanced tools and techniques to undertake the auditing services and deliver assured results. You needn’t search elsewhere as we’re just a click away.