Security Vulnerabilities Exposed in Solana Network

Solana is a fast-growing blockchain that allows decentralized apps to be developed and brought to market. Using a new analysis method, a research team from paluno - The Ruhr Institute for Software Technology at the University of Duisburg-Essen (UDE) and the Cluster of Excellence CASA - Cyber Security in the Age of Large-Scale Adversaries at Ruhr University Bochum (RUB) identified several vulnerabilities in the Solana network.

Copyright: kolonko

From decentralized finance (DeFI) to marketplaces for digital art - decentralized applications, or DApps for short, have a wide range of applications. They are becoming increasingly important as more and more users want to be independent of individual providers. With DApps, important data and code is executed decentrally in a network. This is realized with smart contracts that run in the background of DApps. These programmed contracts regulate, for example, the purchase of a digital artworks by automatically encoding the result of a transaction in immutable blocks on a blockchain without third-party intervention.

One of the best-known public blockchains for smart contracts is Ethereum. However, Solana is also gaining popularity in this space. Compared to Ethereum, this blockchain is characterized by its "stateless" architecture, which makes it very fast, scalable and cost-effective. However, this technology also has its downsides: It opens up new, specific attack possibilities on Solana, for which there are few defense mechanisms so far. In fact, attacks on Solana smart contracts have already caused significant asset losses. For example, in the famous Wormhole hack in February 2022, $320 million was lost.

New Analytics Technique Does Not Require Source Code
To make the Solana blockchain more secure, CASA Principal Investigators Prof. Dr. Lucas Davi (UDE) and Prof. Dr. Ghassan Karame (RUB) and their collaborators contributed in devising a solution to detect security vulnerabilities in the Solana blockchain. Their approach is based on fuzz testing, in which they confront the smart contracts with a large number of inputs to draw conclusions about the structure of the codes. "As the only solution for Solana so far, our analysis techniques work directly with the binary code of the smart contracts and can detect Solana-specific programming errors," explains Prof. Dr. Lucas Davi. "So we don't need source code, which is usually not accessible in Solana."

Using their testing method, the researchers conducted the most comprehensive security analysis to date on Solana's main network. They examined 6049 smart contracts and found bugs in 52 programs. 14 bugs were classified as serious and could potentially be exploited by hackers. The Solana Foundation was informed about these vulnerabilities. In November 2023, the researchers will present their solution at the Conference on Computer and Communications Security, or CCS, which will be held in Copenhagen from November 26-30, 2023.

Original Publication
Smolka, Sven; Giesen, Jens-Rene; Winkler, Pascal; Draissi, Oussama; Davi, Lucas; Karame, Ghassan; Pohl, Klaus: Fuzz on the Beach: Fuzzing Solana Smart Contracts. In: Proceedings of the 2023 ACM SIGSAC conference on Computer & communications security. Kopenhagen, Denmark 2023.

General note: In case of using gender-assigning attributes we include all those who consider themselves in this gender regardless of their own biological sex.