OWASP Solana Top 10

Work in progress. Follow us on X (formerly Twitter) for updates.

About the Solana Top 10

The OWASP Solana Top 10 is a standard awareness document that aims to give Solana developers and security teams insight into the ten most common vulnerability classes found in Solana programs (on-chain programs, also called smart contracts).

Top 10

  • S01:2023 - TBD
  • S02:2023 - TBD
  • S03:2023 - TBD
  • S04:2023 - TBD
  • S05:2023 - TBD
  • S06:2023 - TBD
  • S07:2023 - TBD
  • S08:2023 - TBD
  • S09:2023 - TBD
  • S10:2023 - TBD

Overview

Title | Description
S01 - TBD | ..
S02 - TBD | ..
S03 - TBD | ..
S04 - TBD | ..
S05 - TBD | ..
S06 - TBD | ..
S07 - TBD | ..
S08 - TBD | ..
S09 - TBD | ..
S10 - TBD | ..

Planned Projects

  • Solana Top 10
  • Solana Security Cheat Sheet

If you have suggestions or feedback, or want to help improve our roadmap, please start a discussion by raising an issue or submitting a pull request.

All discussions take place on the OWASP Solana Top Ten GitHub repository.


2024 Sponsors


Contributors

Individuals and organizations that made a significant contribution to the project:

Name | Links | Contribution
Daniel Zhukovsky | X (formerly Twitter) | Project Lead
OtterSec | https://osec.io/ | Top 10 Data

Top 10 Submissions

Proposed Solana Top 10 by Individuals or Organizations

Madshield

  1. Authority Mischecks
  2. Account Validation
  3. Web 2.5 Vulnerabilities
  4. Composability Issues
  5. Instruction Introspection Faults
  6. Account Ownership Violation
  7. Account Reinitialization
  8. Non-Standard PDAs
  9. Time to Create vs Time to Read/Write
  10. Accounts in Vanilla Solana / Remaining Accounts

Details: https://github.com/OWASP/www-project-solana-programs-top-10/blob/main/Madshield.pdf

OtterSec

  1. Missing Account Checks
  2. Rounding Bugs
  3. Duplicate Account Handling
  4. Overflow/Underflow DoS
  5. Remaining Accounts
  6. Arbitrary Program Invocation
  7. Token Account State Manipulation
  8. Non-Canonical PDAs
  9. Instruction Introspection Validation
  10. Overlapping Signer Seeds

QuillAudits

  1. Integer Overflow
  2. Missing Account Verification
  3. Missing Signer Check
  4. Arithmetic Accuracy Deviation
  5. Arbitrary Signed Program Invocation
  6. Solana Account Confusions
  7. Error Not Handled

Details: https://github.com/OWASP/www-project-solana-programs-top-10/issues/1

Sec3Dev

  1. Missing account correlation checks
  2. Missing account owner/signer/type check
  3. Rounding errors
  4. Integer overflow/underflow
  5. Arbitrary program invocation
  6. PDA seeds overlap/collision
  7. Internal/external price oracle manipulation
  8. Instruction Introspection validation
  9. Type confusion
  10. Multiple mutable accounts that may refer to the same account

Softstack

  1. Integer Overflows and Underflows
  2. Missing System Account Check
  3. Lack of Error Handling
  4. Insecure Randomness Generation
  5. Panic Due to Division by Zero
  6. Account Initialized Check
  7. Loss of Precision
  8. Concurrent State Manipulation
  9. Lack of Signature Validation
  10. Reentrancy Attacks

Details: https://github.com/OWASP/www-project-solana-programs-top-10/pull/2
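Several of the proposals above list the same family of arithmetic faults under different names: integer overflow/underflow, rounding bugs, arithmetic accuracy deviation, loss of precision and panics on division by zero. The following is an added example, not code from the OWASP page or from any of the submitters, that shows a vault-style share calculation in plain Rust (standard library only, no solana_program dependency, so it compiles anywhere) first in the vulnerable form and then with a u128 intermediate, explicit zero checks and rounding chosen in the protocol's favour. The share formula, the error type and the function names are assumptions for illustration, not a specific program's API.

```rust
// Added example, not code from the OWASP page or from any submitter.
// Plain Rust std only (no solana_program dependency); the vault share
// formula below is an assumed common DeFi pattern, not a specific program.

#[derive(Debug, PartialEq, Eq)]
pub enum MathError {
    Overflow,
    DivideByZero,
    /// The rounded-down result is zero: the caller would hand over assets for nothing.
    ZeroResult,
}

/// Vulnerable variant: `u64 * u64` wraps on overflow (release-mode behaviour;
/// debug builds panic instead), the division panics on an empty vault, and
/// nothing stops a dust deposit from rounding down to zero shares.
pub fn shares_for_deposit_naive(deposit: u64, total_shares: u64, total_assets: u64) -> u64 {
    deposit.wrapping_mul(total_shares) / total_assets
}

/// floor(a * b / d) with a u128 intermediate; a u64 * u64 product always fits in u128.
pub fn mul_div_floor(a: u64, b: u64, d: u64) -> Result<u64, MathError> {
    if d == 0 {
        return Err(MathError::DivideByZero);
    }
    let num = (a as u128) * (b as u128);
    // The quotient can still exceed u64::MAX (e.g. d == 1); report instead of truncating.
    u64::try_from(num / (d as u128)).map_err(|_| MathError::Overflow)
}

/// ceil(a * b / d). `num + d - 1` cannot overflow u128: num <= (2^64 - 1)^2
/// leaves more than 2^64 of headroom below 2^128, and d - 1 < 2^64.
pub fn mul_div_ceil(a: u64, b: u64, d: u64) -> Result<u64, MathError> {
    if d == 0 {
        return Err(MathError::DivideByZero);
    }
    let d = d as u128;
    let num = (a as u128) * (b as u128);
    u64::try_from((num + d - 1) / d).map_err(|_| MathError::Overflow)
}

/// Shares minted for a deposit. Rounds down so a depositor can never claim
/// more than they put in; rejects deposits so small that they would mint nothing.
pub fn shares_for_deposit(deposit: u64, total_shares: u64, total_assets: u64) -> Result<u64, MathError> {
    if total_shares == 0 {
        // Empty vault: bootstrap at one share per asset unit.
        return Ok(deposit);
    }
    let shares = mul_div_floor(deposit, total_shares, total_assets)?;
    if shares == 0 {
        return Err(MathError::ZeroResult);
    }
    Ok(shares)
}

/// Assets paid out when burning `shares`. Rounds down: any dust stays in the vault.
pub fn assets_for_withdraw(shares: u64, total_shares: u64, total_assets: u64) -> Result<u64, MathError> {
    mul_div_floor(shares, total_assets, total_shares)
}

/// Shares to burn to withdraw an exact `assets` amount. Rounds up: the user
/// always burns at least as many shares as the assets are worth.
pub fn shares_to_burn(assets: u64, total_shares: u64, total_assets: u64) -> Result<u64, MathError> {
    mul_div_ceil(assets, total_shares, total_assets)
}

fn main() {
    // Same inputs: the wrapping version silently mints zero shares for a 2^40 deposit.
    let big = 1u64 << 40;
    println!("naive: {}", shares_for_deposit_naive(big, big, big));
    println!("checked: {:?}", shares_for_deposit(big, big, big));
    println!("dust deposit: {:?}", shares_for_deposit(1, 1_000_000, 3_000_000));
    println!("withdraw 33 shares: {:?}", assets_for_withdraw(33, 1_000, 3_000));
    println!("shares to burn for 100 assets: {:?}", shares_to_burn(100, 1_000, 3_000));
}
```

The direction of rounding is the part audits most often flag: minting and payouts round down, the share burn for an exact withdrawal rounds up, so every rounding error is absorbed by the vault rather than extractable by the caller. Returning an error for a zero result also avoids the classic "deposit dust, receive nothing" loss that a silent floor would produce.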


Get Involved

We welcome all community members to take part in improving this project. If you have suggestions or feedback, or want to help improve the list, please start a discussion by raising an issue or submitting a pull request.

All discussions take place on the OWASP Solana Top Ten GitHub repository.