Logo
ScienceStack
Table of Contents
Fetching ...
Sign In

SseRex: Practical Symbolic Execution of Solana Smart Contracts

Tobias Cloosters, Pascal Winkler, Jens-Rene Giesen, Ghassan Karame, Lucas Davi

Abstract

Solana is rapidly gaining traction among smart contract developers and users. However, its growing adoption has been accompanied by a series of major security incidents, which have spurred research into automated analysis techniques for Solana smart contracts. Unfortunately, existing approaches do not address the unique and complex account model of Solana. In this paper, we propose SseRex, the first symbolic execution vulnerability detection approach for finding Solana-specific bugs such as missing owner checks, missing signer checks, and missing key checks, as well as arbitrary cross-program invocations. Our evaluation of 8,714 bytecode-only contracts shows that our approach outperforms existing approaches and identifies potential bugs in 467 different contracts. Additionally, we analyzed 120 open-source Solana projects and conducted in-depth case studies on four of them. Our findings reveal that subtle, easily overlooked issues often serve as the root cause of severe exploits, further highlighting the need for specialized analysis tools like SseRex.

SseRex: Practical Symbolic Execution of Solana Smart Contracts

Abstract

Solana is rapidly gaining traction among smart contract developers and users. However, its growing adoption has been accompanied by a series of major security incidents, which have spurred research into automated analysis techniques for Solana smart contracts. Unfortunately, existing approaches do not address the unique and complex account model of Solana. In this paper, we propose SseRex, the first symbolic execution vulnerability detection approach for finding Solana-specific bugs such as missing owner checks, missing signer checks, and missing key checks, as well as arbitrary cross-program invocations. Our evaluation of 8,714 bytecode-only contracts shows that our approach outperforms existing approaches and identifies potential bugs in 467 different contracts. Additionally, we analyzed 120 open-source Solana projects and conducted in-depth case studies on four of them. Our findings reveal that subtle, easily overlooked issues often serve as the root cause of severe exploits, further highlighting the need for specialized analysis tools like SseRex.
Paper Structure (42 sections, 7 figures, 1 table)

This paper contains 42 sections, 7 figures, 1 table.

Table of Contents

  1. Introduction
  2. Background
  3. Solana's Threat Model
  4. Differences to Ethereum
  5. Related Work
  6. Vulnerability Detection in Ethereum
  7. Vulnerability Detection in Solana
  8. Design of SseRex
  9. Initial Symbolic Account Structure
  10. Deserialization
  11. String Formatting
  12. Exploration for Critical Actions
  13. Vulnerability Analysis
  14. Signer Checks
  15. Owner and Key Checks
  16. ...and 27 more sections

Figures (7)

  • Figure 1: Malicious attack transactions in Solana and their targets.
  • Figure 2: Architecture of SseRex
  • Figure 3: The position of the second account is symbolized with the fixed offset of all preceding fixed metadata sizes and each account's maximum storage data size.
  • Figure 4: Coverage ratio over time per contract. Violins summarize the individual runs at each point in time. Color encodes total contract size in basic blocks.
  • Figure : Architecture of SseRex
  • ...and 2 more figures