Announcing Soteria Premium: Auto Auditor for Solana Smart Contracts

February 28, 2022

We are glad to announce the first release of Soteria Premium: an auto-auditing service offered by the Soteria team that scans Solana smart contracts for a large list of security vulnerabilities.

Soteria Premium has a number of features:

  • It detects 25+ types of common security vulnerabilities in Solana programs written in Rust, including all the common pitfalls documented by Neodyme and all the insecure Anchor usages in sealevel-attacks. See the full list in the section “Soteria Vulnerabilities and Exposures (SVE)”. The list is expanding.
  • It is fast: it typically generates a report in less than five minutes, even for large projects such as metaplex.
  • It works for both Anchor and non-Anchor based projects.
  • It provides a web UI to navigate the reported vulnerabilities.
  • It is available 24x7.

A dashboard of Soteria Premium is shown below:

Soteria Vulnerabilities and Exposures (SVE)

The auto-auditor currently detects the following list of Solana-specific SVEs (accumulated by the Soteria team):

| SVE | Checker | Description |
| --- | --- | --- |
| SVE1001 | MissingSignerCheck | The account is missing a signer check |
| SVE1002 | MissingOwnerCheck | The account is missing an owner check |
| SVE1003 | IntegerAddOverflow | The add operation may result in an overflow |
| SVE1004 | IntegerUnderflow | The sub operation may result in an underflow |
| SVE1005 | IntegerMulOverflow | The mul operation may result in an overflow |
| SVE1006 | IntegerDivOverflow | The div operation may result in an overflow |
| SVE1007 | UnverifiedParsedAccount | The account is not validated before parsing its data |
| SVE1008 | DuplicateMutableAccount | These two accounts are both mutable and may be the same account |
| SVE1009 | InsecureAccountClosing | The account is not securely closed |
| SVE1010 | TypeFullCosplay | These two account data types are fully compatible and can be used to launch type confusion attacks |
| SVE1011 | TypePartialCosplay | These two account data types are partially compatible and may be exploited by type confusion attacks |
| SVE1012 | DivideByZero | The arithmetic operation may result in a div-by-zero error |
| SVE1013 | AccountReInitialization | The account is vulnerable to program re-initialization |
| SVE1014 | BumpSeedNotValidated | The account's bump seed is not validated and may be vulnerable to seed canonicalization attacks |
| SVE1015 | InsecurePDASharing | The PDA sharing with these seeds may be insecure |
| SVE1016 | ArbitraryCPI | The spl_token account may be arbitrary |
| SVE1017 | MaliciousSimulation | The program may contain malicious simulation |
| SVE1018 | UnsafeSysVarAPI | The sysvar instructions API is unsafe and deprecated (wormhole exploit) |
| SVE1019 | UnvalidatedAccount | The account is not properly validated and may be untrustworthy |
| SVE1020 | OutdatedDependency | The program has outdated and vulnerable dependencies |
| SVE1021 | UnsafeRust | The program contains unsafe Rust code |
| SVE1022 | OverPayment | The code misses a check to prevent over payment |
| SVE1023 | StalePriceFeed | The code may use a stale price feed (solend loss) |
| SVE1024 | MissInitTokenMint | The init instruction misses minting pool tokens |
| SVE1025 | MissRentExempt | The account misses a rent exempt check |
| SVE1026 | MissFreezeAuthority | The account misses a check for freeze authority |
| SVE1027 | FlashLoanRisk | The instruction may suffer from flash loan attacks |
| SVE1028 | InconsistentRounding | The arithmetic here has inconsistent rounding |
| SVE1029 | CastTruncation | The cast operation here may lose precision due to truncation |
| SVE2001 | IncorrectLogic | Loop break instead of continue (jet-v1 exploit) |
| SVE2002 | IncorrectCalculation | Liquidation condition should be > instead of >= |
| SVE2003 | ExponentialCalculation | The calculation has exponential complexity |
| SVE3001 | BestSecurityPractice | The code does not follow best security practices |
| SVE3002 | RedundantCode | The code is redundant or unused |
| SVE3003 | InconsistentAnchor | The program uses Anchor inconsistently across different instructions |
| SVE3004 | InconsistentConfig | The configuration and initialization data are inconsistent |

The list of SVEs above will be expanded continuously as the Soteria team audits more Solana projects.
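To make a few of the checkers in the table concrete, here is an added example (written for this post, not code from Soteria or from any audited project) that shows, in one withdraw handler, the validations behind SVE1001 (signer), SVE1002 (owner), SVE1010/SVE1011 (type cosplay via a type tag) and SVE1004 (underflow). The `Acct` struct is a constructed stand-in for Solana's `AccountInfo` so that it runs with plain std Rust and no SDK; the vault layout, the tag values and the error names are invented for illustration.

```rust
// Added example, not Soteria's code: a constructed model of the account
// checks that SVE1001, SVE1002, SVE1010/SVE1011 and SVE1004 look for.
// `Acct` is a stand-in for Solana's AccountInfo; layouts/tags are invented.

#[derive(Debug, PartialEq)]
pub enum ProgramError {
    MissingSigner,    // SVE1001: the authority did not sign the transaction
    WrongOwner,       // SVE1002: the account is not owned by this program
    WrongAccountType, // SVE1010/SVE1011: data belongs to a different account type
    Unauthorized,     // the signer is not the vault's recorded authority
    Underflow,        // SVE1004: withdrawal larger than the balance
}

/// Constructed model of an account as a program sees it at runtime.
#[derive(Clone, Debug)]
pub struct Acct {
    pub key: [u8; 32],
    pub owner: [u8; 32],
    pub is_signer: bool,
    pub data: Vec<u8>,
}

/// One-byte type tag stored in front of every account's data. Without it, a
/// `User` account with the same field sizes could be passed where a `Vault`
/// is expected (type cosplay).
pub const VAULT_TAG: u8 = 1;
pub const USER_TAG: u8 = 2;
pub const VAULT_LEN: usize = 1 + 32 + 8; // tag, authority, balance (u64 LE)

/// Parses the vault layout and rejects any other type tag or length.
pub fn parse_vault(data: &[u8]) -> Result<([u8; 32], u64), ProgramError> {
    if data.len() != VAULT_LEN || data[0] != VAULT_TAG {
        return Err(ProgramError::WrongAccountType);
    }
    let mut authority = [0u8; 32];
    authority.copy_from_slice(&data[1..33]);
    let mut bal = [0u8; 8];
    bal.copy_from_slice(&data[33..41]);
    Ok((authority, u64::from_le_bytes(bal)))
}

/// Builds vault data in the layout above.
pub fn encode_vault(authority: [u8; 32], balance: u64) -> Vec<u8> {
    let mut d = vec![VAULT_TAG];
    d.extend_from_slice(&authority);
    d.extend_from_slice(&balance.to_le_bytes());
    d
}

/// Withdraws `amount` from `vault` on behalf of `authority`, running the
/// validations the checkers expect before any state is touched. Returns the
/// new balance and writes it back into `vault.data`.
pub fn withdraw(
    program_id: &[u8; 32],
    vault: &mut Acct,
    authority: &Acct,
    amount: u64,
) -> Result<u64, ProgramError> {
    // SVE1002: only data owned by this program can be trusted.
    if vault.owner != *program_id {
        return Err(ProgramError::WrongOwner);
    }
    // SVE1010/SVE1011: refuse a different account type with the same field sizes.
    let (recorded_authority, balance) = parse_vault(&vault.data)?;
    // SVE1001: the authority must actually have signed this transaction.
    if !authority.is_signer {
        return Err(ProgramError::MissingSigner);
    }
    if authority.key != recorded_authority {
        return Err(ProgramError::Unauthorized);
    }
    // SVE1004: checked subtraction instead of a plain `balance - amount`.
    let new_balance = balance.checked_sub(amount).ok_or(ProgramError::Underflow)?;
    vault.data = encode_vault(recorded_authority, new_balance);
    Ok(new_balance)
}

fn main() {
    let program = [9u8; 32];
    let user = Acct { key: [1u8; 32], owner: [0u8; 32], is_signer: true, data: vec![] };
    let mut vault = Acct { key: [2u8; 32], owner: program, is_signer: false,
                           data: encode_vault(user.key, 100) };
    println!("{:?}", withdraw(&program, &mut vault, &user, 30)); // Ok(70)
    let unsigned = Acct { is_signer: false, ..user.clone() };
    println!("{:?}", withdraw(&program, &mut vault, &unsigned, 30)); // Err(MissingSigner)
}
```

The order of the checks matters: the owner check comes before the data is parsed, because data in an account the program does not own can be anything, and the type tag is checked before any field is read, so a `User` account cannot be interpreted as a `Vault`.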

How To Use Soteria Premium

Soteria Premium is currently open to a short list of Pilot (paid) customers.

Each pilot customer will receive an invitation link. The link provides a unique ID to access the Soteria Premium service:

Following are the steps to use the service:

1. Click “Create a new task”:

2. Enter a “Task Name” and provide the “Source Code” (either by a Github url if it is open source, or upload a compressed folder):

3. Click “Create Task” and then “Confirm Payment and Run Task”:

4. Wait for task to complete and then “View Full Report”:

The analysis time for a typical project is less than two minutes.

5. Finally, browse the reported vulnerabilities:

Annotations to ignore warnings

Note: Most of the SVEs are semantic or logic issues, so the reported vulnerabilities are potential warnings and are not necessarily attacker-exploitable.

To ignore certain warnings, add the annotation //#[soteria(ignore)] on the line before the statement.

Any statement annotated with it will be ignored. For example:

//#[soteria(ignore)]
let system_program_info = next_account_info(account_info_iter)?;

For Anchor:

use anchor_lang::prelude::*;

#[derive(Accounts)]
pub struct Withdraw<'info> {
    //#[soteria(ignore)]
    pub authority: AccountInfo<'info>,
}

Relationship with full Soteria audit

We expect that Soteria Premium will be used in the development phase to continuously audit Solana programs upon any code change at any time. It will significantly reduce the time and cost of a final manual audit.

Note that the auto-auditor service is not the same as the full manual audit offered by the Soteria team. Soteria’s full audit relies on human experts to perform exhaustive manual reviews (assisted by in-house Soteria tools).

The full audit is expected to discover vulnerabilities that are not covered by the auto-auditor.


Soteria Audit

Soteria was founded by leading minds in the fields of blockchain security and software verification.

We are pleased to provide full audit services to high-impact dApps on Solana. Please visit soteria.dev or email contact@soteria.dev.