Fuzz on the Beach: Fuzzing Solana Smart Contracts
Sven Smolka, Jens-Rene Giesen, Pascal Winkler, Oussama Draissi, Lucas Davi, Ghassan Karame, Klaus Pohl
TL;DR
FuzzDelSol is the first binary-only, coverage-guided fuzzing framework for Solana smart contracts. It targets the security problems that follow from Solana's stateless execution model, in which a program receives every account it touches as transaction input and must validate that input itself. FuzzDelSol builds a faithful Solana runtime ecosystem (a blockchain emulator, a transaction generator, RunDelSol, and a transaction evaluator) and pairs it with taint tracking and six bug oracles: Missing Signer Check (MSC), Missing Owner Check (MOC), Arbitrary Cross-Program Invocation (ACPI), Missing Key Check (MKC), Integer Bugs (IB), and a lamports-theft detector, all working without source code. An evaluation on 6049 mainnet contracts uncovers 92 bugs across 52 programs (14 confirmed exploitable, 2 confirmed non-exploitable); the oracles also catch the kind of vulnerability behind the Wormhole bridge incident, throughput reaches thousands of transactions per second even on complex targets, and the in-depth analyses report a low false-alarm rate. Compared with VRust, FuzzDelSol achieves higher precision while operating purely on binaries, produces reproducible vulnerability reports with concrete exploit transactions, and constitutes the largest security assessment of the Solana ecosystem to date. The practical upshot is early vulnerability discovery in closed-source Solana programs and a viable path toward more robust Solana security tooling and practices.
Abstract
Solana has quickly emerged as a popular platform for building decentralized applications (DApps), such as marketplaces for non-fungible tokens (NFTs). A key reason for its success is Solana's low transaction fees and high performance, achieved in part through its stateless programming model. Although the literature features extensive tooling support for smart contract security, current solutions are largely tailored to the Ethereum Virtual Machine. Unfortunately, the very stateless nature of Solana's execution environment introduces novel, Solana-specific attack patterns that require rethinking how vulnerability analysis methods are built. In this paper, we address this gap and propose FuzzDelSol, the first binary-only coverage-guided fuzzing architecture for Solana smart contracts. FuzzDelSol faithfully models runtime specifics such as smart contract interactions. Moreover, since source code is not available for the large majority of Solana contracts, FuzzDelSol operates on the contract's binary code. Hence, lacking semantic information, we carefully extract low-level program and state information to develop a diverse set of bug oracles covering all major bug classes in Solana. Our extensive evaluation on 6049 smart contracts shows that FuzzDelSol's bug oracles find bugs with high precision and recall. To the best of our knowledge, this is the largest evaluation of the security landscape on the Solana mainnet.
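To make concrete why the stateless model produces the bug classes the oracles look for, here is an added example, not code from the paper or from FuzzDelSol: a self-contained model of a Solana-style withdraw instruction, once without the signer and owner checks (the MSC and MOC patterns named in the TL;DR) and once hardened. The `AccountInfo` struct, the account keys, the `config`/`vault` layout and the scenario functions are all constructed for this illustration; the struct reuses a few field names of `solana_program::account_info::AccountInfo` but is defined locally so the file compiles without the `solana_program` crate. The one real constant is the system program id, which is the all-zero key.

```rust
// Added example (not from the paper or FuzzDelSol). Local stand-in for Solana's
// account model; field names mirror solana_program's AccountInfo, but nothing
// here depends on that crate.

#[derive(Clone, Copy, Debug, PartialEq, Eq)]
pub struct Pubkey(pub [u8; 32]);

/// The system program id ("11111111111111111111111111111111") is the all-zero key.
pub const SYSTEM_PROGRAM: Pubkey = Pubkey([0u8; 32]);
// Constructed keys for the scenarios below (hypothetical values).
pub const PROGRAM: Pubkey = Pubkey([1u8; 32]);
pub const VICTIM: Pubkey = Pubkey([2u8; 32]);
pub const ATTACKER: Pubkey = Pubkey([3u8; 32]);

#[derive(Clone, Debug)]
pub struct AccountInfo {
    pub key: Pubkey,
    pub is_signer: bool,
    pub is_writable: bool,
    pub owner: Pubkey, // only the owning program may debit lamports or write data
    pub lamports: u64,
    pub data: Vec<u8>,
}

#[derive(Debug, PartialEq, Eq)]
pub enum ProgramError {
    MissingRequiredSignature,
    IncorrectProgramId,
    InvalidAccountData,
    InsufficientFunds,
}

/// The (constructed) config account stores the 32-byte pubkey allowed to withdraw.
fn config_authority(config: &AccountInfo) -> Result<Pubkey, ProgramError> {
    let slice = config.data.get(..32).ok_or(ProgramError::InvalidAccountData)?;
    let mut key = [0u8; 32];
    key.copy_from_slice(slice);
    Ok(Pubkey(key))
}

fn transfer(vault: &mut AccountInfo, dest: &mut AccountInfo, amount: u64) -> Result<(), ProgramError> {
    if vault.lamports < amount {
        return Err(ProgramError::InsufficientFunds);
    }
    vault.lamports -= amount;
    dest.lamports += amount;
    Ok(())
}

/// Vulnerable: compares the supplied authority key with the one stored in `config`,
/// but never checks that the authority signed (MSC) or that `config` is owned by
/// this program (MOC). Every account is caller-chosen transaction input.
pub fn withdraw_vulnerable(_program_id: &Pubkey, config: &AccountInfo, vault: &mut AccountInfo,
                           authority: &AccountInfo, dest: &mut AccountInfo, amount: u64) -> Result<(), ProgramError> {
    if config_authority(config)? != authority.key {
        return Err(ProgramError::MissingRequiredSignature);
    }
    transfer(vault, dest, amount)
}

/// Hardened: owner check on the state accounts, signer check on the authority.
pub fn withdraw_hardened(program_id: &Pubkey, config: &AccountInfo, vault: &mut AccountInfo,
                         authority: &AccountInfo, dest: &mut AccountInfo, amount: u64) -> Result<(), ProgramError> {
    if config.owner != *program_id || vault.owner != *program_id {
        return Err(ProgramError::IncorrectProgramId); // MOC fixed
    }
    if !authority.is_signer {
        return Err(ProgramError::MissingRequiredSignature); // MSC fixed
    }
    if config_authority(config)? != authority.key {
        return Err(ProgramError::MissingRequiredSignature);
    }
    transfer(vault, dest, amount)
}

fn account(key: Pubkey, owner: Pubkey, is_signer: bool, lamports: u64, data: Vec<u8>) -> AccountInfo {
    AccountInfo { key, is_signer, is_writable: true, owner, lamports, data }
}

/// Runs one handler and reports the attacker/destination balance afterwards.
fn run(hardened: bool, config: &AccountInfo, vault: &mut AccountInfo,
       authority: &AccountInfo, dest: &mut AccountInfo) -> Result<u64, ProgramError> {
    let res = if hardened {
        withdraw_hardened(&PROGRAM, config, vault, authority, dest, 1_000)
    } else {
        withdraw_vulnerable(&PROGRAM, config, vault, authority, dest, 1_000)
    };
    res.map(|()| dest.lamports)
}

/// MSC: the attacker lists the real authority's key in the transaction without its signature.
pub fn scenario_unsigned_authority(hardened: bool) -> Result<u64, ProgramError> {
    let config = account(Pubkey([10u8; 32]), PROGRAM, false, 0, VICTIM.0.to_vec());
    let mut vault = account(Pubkey([11u8; 32]), PROGRAM, false, 1_000, vec![]);
    let authority = account(VICTIM, SYSTEM_PROGRAM, false, 0, vec![]); // not a signer
    let mut dest = account(ATTACKER, SYSTEM_PROGRAM, true, 0, vec![]);
    run(hardened, &config, &mut vault, &authority, &mut dest)
}

/// MOC: the attacker supplies a config-shaped account the program never wrote
/// (owned by the system program) that names the attacker as authority, and signs.
pub fn scenario_spoofed_config(hardened: bool) -> Result<u64, ProgramError> {
    let config = account(Pubkey([12u8; 32]), SYSTEM_PROGRAM, false, 0, ATTACKER.0.to_vec());
    let mut vault = account(Pubkey([11u8; 32]), PROGRAM, false, 1_000, vec![]);
    let authority = account(ATTACKER, SYSTEM_PROGRAM, true, 0, vec![]);
    let mut dest = account(ATTACKER, SYSTEM_PROGRAM, true, 0, vec![]);
    run(hardened, &config, &mut vault, &authority, &mut dest)
}

/// Legitimate withdrawal: genuine config and vault, the victim signs.
pub fn scenario_legitimate(hardened: bool) -> Result<u64, ProgramError> {
    let config = account(Pubkey([10u8; 32]), PROGRAM, false, 0, VICTIM.0.to_vec());
    let mut vault = account(Pubkey([11u8; 32]), PROGRAM, false, 1_000, vec![]);
    let authority = account(VICTIM, SYSTEM_PROGRAM, true, 0, vec![]);
    let mut dest = account(VICTIM, SYSTEM_PROGRAM, true, 0, vec![]);
    run(hardened, &config, &mut vault, &authority, &mut dest)
}

fn main() {
    for hardened in [false, true] {
        println!("hardened={hardened}: unsigned={:?} spoofed={:?} legit={:?}",
                 scenario_unsigned_authority(hardened),
                 scenario_spoofed_config(hardened),
                 scenario_legitimate(hardened));
    }
}
```

The vulnerable handler drains the vault in both attack scenarios while still accepting the legitimate call, which is exactly why a fuzzer needs oracles rather than crashes: nothing faults, the program simply moves lamports it should not have. The hardened handler rejects the unsigned authority with `MissingRequiredSignature` and the spoofed config with `IncorrectProgramId`, and only the owner check distinguishes a genuine state account from one the caller fabricated.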
