We are glad to announce the first release of Soteria Premium: an auto-auditing service offered by the Soteria team that scans Solana smart contracts for a large list of security vulnerabilities.
Soteria Premium has a number of features:
- It detects 25+ types of common security vulnerabilities in Solana programs written in Rust, including all the common pitfalls by Neodyme and all the insecure Anchor usages in sealevel-attacks. See the full list in the section “Soteria Vulnerabilities and Exposures (SVE)”. The list is expanding.
- It is fast: it typically generates a report in less than five minutes, even for large projects such as metaplex.
- It works for both Anchor and non-Anchor based projects.
- It provides a web UI to navigate the reported vulnerabilities.
- It is available 7x24 …
A dashboard of Soteria Premium is shown below:
Soteria Vulnerabilities and Exposures (SVE)
The auto-auditor currently detects the following list of Solana-specific SVEs (accumulated by the Soteria team):
The list of SVEs above will be expanded continuously as the Soteria team audits more Solana projects.
How To Use Soteria Premium
Soteria Premium is currently open to a short list of Pilot (paid) customers.
Each pilot customer will receive an invitation link. The link provides a unique ID to access the Soteria Premium service:
Following are the steps to use the service:
1. Click “Create a new task”:
2. Enter a “Task Name” and provide the “Source Code” (either as a GitHub URL if the project is open source, or by uploading a compressed folder):
3. Click “Create Task” and then “Confirm Payment and Run Task”:
4. Wait for task to complete and then “View Full Report”:
The analysis time for a typical project is less than two minutes.
5. Finally, browse the reported vulnerabilities:
Annotations to ignore warnings
Note: Most of the SVEs are semantic or logic issues, so the reported vulnerabilities are potential warnings and are not necessarily attacker-exploitable.
To ignore certain warnings, add the annotation:
Any statement annotated with it will be ignored. For example:
Relationship with full Soteria audit
We expect Soteria Premium to be used during the development phase to continuously audit Solana programs upon any code change, at any time. This will significantly reduce the time and cost of a final manual audit. Note that the auto-auditor service is not the same as the full manual audit offered by the Soteria team. Soteria’s full audit relies on human experts who perform exhaustive manual reviews (assisted by in-house Soteria tools).
The full audit is expected to discover vulnerabilities that are not covered by the auto-auditor.
Soteria was founded by leading minds in the fields of blockchain security and software verification.
We are pleased to provide full audit services to high-impact Dapps on Solana. Please visit soteria.dev or email firstname.lastname@example.org