(Not So) Smart Contracts
This repository contains examples of common Solana smart contract vulnerabilities, including code from real smart contracts. Use Not So Smart Contracts to learn about Solana vulnerabilities, as a reference when performing security reviews, and as a benchmark for security and analysis tools.
Features
Each Not So Smart Contract includes a standard set of information:
- Description of the vulnerability type
- Attack scenarios to exploit the vulnerability
- Recommendations to eliminate or mitigate the vulnerability
- Real-world contracts that exhibit the flaw
- References to third-party resources with more information
Vulnerabilities
| Not So Smart Contract | Description |
|---|---|
| Arbitrary CPI | Arbitrary program account passed in upon invocation |
| Improper PDA Validation | PDAs are vulnerable to being spoofed via bump seeds |
| Ownership Check | Broken access control due to missing ownership validation |
| Signer Check | Broken access control due to missing signer validation |
| Sysvar Account Check | Sysvar accounts are vulnerable to being spoofed |
| Improper Instruction Introspection | Program accesses instruction using absolute index |
Credits
These examples are developed and maintained by Trail of Bits.
If you have questions, problems, or just want to learn more, then join the #solana channel on the Empire Hacking Slack or contact us directly.