Liquid Stake with compassSOL for an 9.66% APY from staking, MEV + fees

Enjoy the freedom of liquid staking in Solana Defi while delegating your stake to the high performance Solana Compass validator. Stake or unstake at any time here, or with a Jupiter swap.

Benefit from our high staking returns and over 2 years experience operating a Solana validator, and receive additional yield from priority fees + MEV tips

Earn 7.0% APY staking with Solana Compass

Help decentralize and secure the Solana network delegating your stake to us and earn an impressive 7.0% APY yield on your SOL, while supporting us to create new guides and tools. Learn more

Stake your SOL

  1. Click to connect your wallet
  2. Enter the amount you wish to stake
  3. Kick back and enjoy your returns
  4. Unstake from your wallet or our staking dashboard

Earn 7.0% APY staking with Solana Compass

Help decentralize and secure the Solana network delegating your stake to us and earn an impressive 7.0% APY yield on your SOL, while supporting us to create new guides and tools.

Learn more

Solana Program Security Audits and Bounties with David from MadShield - Solfate Podcast #27

By Solfate

Published on 2023-07-12

Learn about Solana program security from MadShield's David, covering audit processes, common vulnerabilities, and the future of blockchain adoption.

The notes below are AI generated and may not be 100% accurate. Watch the video to be sure!

The Rise of MadShield in Solana Security

In the rapidly evolving world of blockchain technology, security remains a paramount concern. Enter David, the founder of MadShield (formerly SolShield) and a prominent figure in the Solana ecosystem. Known on Twitter as @thehasheddude, David has made a name for himself by uncovering critical vulnerabilities in some of Solana's most high-profile protocols. His journey from a curious college student to a respected security auditor offers valuable insights into the world of blockchain security and the future of decentralized finance.

David's fascination with cryptocurrency began in his early teens with Bitcoin. He recalls a pivotal moment when a stranger approached him and demonstrated a Bitcoin transaction. Despite the hour-long confirmation time, David was captivated by the concept of sending money from point A to point B without intermediaries. This experience, which he likens to a "pigeon network," planted the seed for his future in blockchain technology.

The Evolution of Blockchain: From Bitcoin to Solana

As David's interest in cryptocurrency grew, he witnessed the emergence of Ethereum and smart contracts. The introduction of programmable money marked another significant milestone in his crypto journey. However, it wasn't until he encountered Solana that he experienced what he describes as his "third moment" of crypto enlightenment.

David explains his perspective on the evolution of blockchain technology:

"We got pigeon. We got rapid. And now we got light speed. So I don't have to wait. I don't have to wait for the pigeon or the rabbit. I can just send it faster than life."

This analogy perfectly encapsulates the leap in transaction speed and efficiency that Solana represents in the blockchain space. David's excitement about Solana's potential led him to create a new Twitter account that very night, declaring himself a "Solana maximalist."

Understanding Solana's Unique Architecture

Solana's architecture, which David describes as a "very, very kind of intriguing, tinkering design," sets it apart from other blockchain platforms. He likens it to a delicate database, with features like Program Derived Addresses (PDAs) and account structures that can be both powerful and challenging to navigate.

David's journey into Solana security began with the Metaplex program library. He spent nights poring over the code, fueled by Diet Coke and Red Bull, trying to understand the intricacies of the system. This deep dive led to his first major discovery – a vulnerability in the Candy Machine program that could have allowed an attacker to reinitialize every Candy Machine ever created.

The Birth of a Security Mindset

This initial discovery was a turning point for David. He realized that while he might not excel at building protocols, he had a knack for breaking them down and identifying vulnerabilities. As he puts it:

"I'm not a good builder, but I'm a very, very, very, very rich, rich, not breaker. Like I can, I can take your thing, decompose it and left curve the hell out of it and break it for you because building is very hard."

This realization shaped David's approach to security auditing and set him on the path to becoming one of Solana's most prominent security experts.

The MadShield Approach to Security Audits

David's approach to security audits is both methodical and creative. He emphasizes the importance of understanding the protocol thoroughly before attempting to break it. This process often involves spending a week or more just reading and re-reading the code, making notes, and identifying potential weak points.

The audit process, as David describes it, is not for the faint of heart:

"For like two weeks he absolutely had nothing. It's just pure misery man. It's absolute misery. Like you just come to the office. You just have to show up and you just like chew fucking glass for real."

However, this intense focus and dedication often lead to breakthrough moments where vulnerabilities become apparent. David likens this to a moment when "all those three monitors kind of just merge into one and you have this window into the protocol that you can break the whole thing."

Common Vulnerabilities in Solana Programs

Through his extensive experience auditing Solana programs, David has identified several common vulnerabilities that developers should be aware of:

  1. Account initialization issues
  2. Computational and numerical errors
  3. Complexity-induced vulnerabilities

David stresses the importance of developers taking a step back and critically examining their code from an attacker's perspective. He advises:

"Understand the protocol that you're building, take a step back and look at it. See where it can go wrong. It's usually you're going to get into the mindset of someone that is a little bit lazy, but he's crazy."

The Ethical Hacker's Dilemma

One of the most intriguing aspects of David's work is his commitment to ethical hacking. Despite discovering vulnerabilities that could potentially allow him to drain millions from protocols, he consistently chooses to report these issues to the teams rather than exploit them.

David explains his perspective:

"For me personally, I like to like the whole experience of talking to these teams build relationships with the people that works there is more rewarding. And they come back to you and then your business of an auditing thing keeps growing. Your network keeps growing."

This approach not only helps build trust within the community but also contributes to the overall security and stability of the Solana ecosystem.

The Future of Blockchain Adoption

Looking ahead, David is optimistic about the future of blockchain technology and its potential for widespread adoption. He identifies two key areas of excitement:

  1. The continued improvement and simplification of financial systems through blockchain technology.
  2. The power of NFTs and community-building tools to bring people together, even during bear markets.

David believes that as user experiences improve and more people recognize the potential of blockchain technology, we're on the brink of explosive growth in the sector.

MadShield's Evolution and Future Plans

As the Solana ecosystem grows, so does MadShield. David revealed that the company is rebranding from SolShield to MadShield, reflecting the "madness" required to effectively audit and secure blockchain protocols.

MadShield is expanding its focus to include bridging Web2 and Web3 technologies, recognizing the potential vulnerabilities that can arise in this intersection. David explains:

"We are probably working on, um, like bridging the web to web free, uh, like with backpack, a lot of the stuff that are coming in are kind of be the bridge between web free and web to, and that's where a lot of this stuff goes wrong."

This focus on securing the transition between traditional web technologies and blockchain applications highlights MadShield's forward-thinking approach to security in the evolving digital landscape.

Educating the Community on Solana Security

Recognizing the importance of education in improving overall ecosystem security, David and MadShield are committed to producing content that helps developers and users understand common vulnerabilities and best practices.

MadShield's Medium blog features articles with catchy titles like "Breaking the Candy Machine for Fun and Profit," which break down complex security concepts into more digestible formats. This educational initiative aims to raise awareness and improve security practices across the Solana ecosystem.

The Importance of Community in Bear Markets

David emphasizes the value of the connections formed during bear markets in the crypto cycle. He believes that the people who remain active and engaged during these downturns are often the most committed and valuable members of the community.

"We are now at the bottom of the bear, the people that are around you right now are the best people you will ever probably meet in the next three, four years, if there is ever to be another bull run."

This perspective highlights the importance of building strong relationships and communities within the blockchain space, regardless of market conditions.

The Potential of NFTs Beyond Digital Art

While NFTs have often been associated with digital art and collectibles, David sees their potential as powerful community-building tools. He believes that NFTs can bring people together around shared concepts or interests, creating strong bonds even in challenging market conditions.

David's excitement about the future of NFTs is palpable:

"We got this powerful tool of building communities, even during a bear market with like this skull group, we're like Gavirab. I've like met so many people with like this one thing like like state thoughts easy and I have a matte state that and a matte spot that."

This vision of NFTs as social glue aligns with broader trends in the Web3 space, where digital ownership and community participation are becoming increasingly intertwined.

Improving User Experience in Blockchain Applications

One of the key challenges facing widespread blockchain adoption is the often complex and unintuitive user experience of many decentralized applications. David recognizes this as a significant hurdle but sees promising developments on the horizon.

He specifically mentions projects like Backpack, which aim to simplify the user experience for blockchain interactions. David believes that once these UX improvements are implemented, there's enormous potential for attracting users from traditional social media platforms:

"I think there is a huge, huge potential for the people that do all this kind of content creation on TikTok, Instagram, all these stuff with all the good stuff, you know, all the good stuff. And they still just don't know there is it yet because the UX sucks."

This focus on user experience highlights the importance of making blockchain technology accessible to a broader audience, potentially catalyzing the next wave of adoption.

The Role of Artificial Intelligence in Blockchain Security

Looking to the future, David sees potential in leveraging artificial intelligence to enhance blockchain security. He proposes the idea of developing an AI model that could analyze past exploits and generate a checklist of potential vulnerabilities for developers to consider.

This AI-assisted approach to security auditing could help identify common vulnerabilities more efficiently, allowing human auditors to focus on more complex and nuanced security issues. As David puts it:

"AI also is this good, is this good thing that, uh, somehow comes up with all the madness in the humanity and turns them into a representable matter."

Advice for Aspiring Security Auditors

For those looking to follow in David's footsteps and become security auditors in the blockchain space, he offers some practical advice:

  1. Immerse yourself in code: Spend time reading and understanding a wide variety of blockchain protocols.
  2. Start small: Try to find and report even minor vulnerabilities to build your skills and reputation.
  3. Build relationships: Engage with development teams and learn from their coding styles and mindsets.
  4. Understand team cultures: Recognize that different teams have different approaches to development, which can influence the types of vulnerabilities that might arise.

David emphasizes the importance of persistence and continuous learning in this field:

"Drop everything else, uh, and just go over GitHub, uh, read a lot of code. Just read a lot of code until you understand 10 criticals and, uh, under, under, under back of your hand."

The Ethos of Blockchain Security

Throughout the interview, David returns to a core philosophy that drives his work in blockchain security:

"Wealth and culture by the free for the free and protected by by the free."

This ethos encapsulates the broader goals of the blockchain movement – creating financial and cultural systems that are open, accessible, and secure for all. It's a reminder that the work of security auditors like David is not just about finding and fixing vulnerabilities, but about safeguarding the promise of a more decentralized and equitable digital future.

Conclusion: The Ongoing Evolution of Solana Security

As the Solana ecosystem continues to grow and evolve, the importance of robust security practices cannot be overstated. David and MadShield represent a new breed of security professionals who combine deep technical knowledge with a passion for the transformative potential of blockchain technology.

Their work not only helps protect individual protocols and user funds but also contributes to the overall stability and credibility of the Solana ecosystem. As we look to the future of blockchain adoption, it's clear that the efforts of security experts like David will play a crucial role in building the trust and reliability necessary for mainstream acceptance.

The journey from Bitcoin's "pigeon network" to Solana's "light speed" transactions is a testament to the rapid pace of innovation in the blockchain space. With dedicated professionals like David working to secure this new financial frontier, the future of decentralized finance looks brighter – and safer – than ever.

Facts + Figures

  • David, known as @thehasheddude on Twitter, is the founder of MadShield (formerly SolShield), a company focused on Solana security audits and bounties.
  • David's journey in crypto began around 2014-2015 with Bitcoin, followed by Ethereum, before discovering Solana.
  • MadShield has audited top-tier Solana projects including Metaplex, Raydium, and Phoenix order books.
  • David discovered a critical vulnerability in the Candy Machine program that could have allowed reinitialization of every Candy Machine ever created.
  • A typical security audit process for MadShield takes about three weeks, with the first week dedicated to reading and understanding the code.
  • Common vulnerabilities in Solana programs include account initialization issues, computational and numerical errors, and complexity-induced vulnerabilities.
  • MadShield is rebranding from SolShield to reflect the "madness" required in effective security auditing.
  • David proposes the idea of using AI to analyze past exploits and generate vulnerability checklists for developers.
  • MadShield is expanding its focus to include securing the bridge between Web2 and Web3 technologies.
  • David emphasizes the importance of community-building during bear markets, viewing current active participants as valuable long-term contributors.
  • The podcast was recorded on July 12, 2023, during what David considers the "bottom of the bear" market in the crypto cycle.

Questions Answered

Who is David and what is MadShield?

David, known on Twitter as @thehasheddude, is the founder of MadShield (formerly SolShield), a company specializing in security audits and bounties for Solana protocols. With a background in software engineering and a long-standing interest in cryptocurrency, David has become a prominent figure in the Solana ecosystem, known for discovering critical vulnerabilities in high-profile projects.

What approach does MadShield take to security audits?

MadShield's approach to security audits is both methodical and creative. The process typically takes about three weeks, with the first week dedicated to thoroughly reading and understanding the code. David emphasizes the importance of getting into the mindset of a potential attacker, looking for areas where the code might be vulnerable. This intense focus often leads to breakthrough moments where vulnerabilities become apparent.

What are some common vulnerabilities in Solana programs?

David identifies several common vulnerabilities in Solana programs. These include account initialization issues, where improper setup can lead to security flaws. Computational and numerical errors are also frequent, particularly in complex financial calculations. Additionally, David notes that overly complex code can often introduce vulnerabilities, as it becomes harder for developers to anticipate all possible execution paths.

How does David balance the potential for exploiting vulnerabilities with ethical hacking?

Despite discovering vulnerabilities that could potentially allow him to drain millions from protocols, David consistently chooses to report these issues to the teams rather than exploit them. He finds the process of building relationships with teams and growing his network more rewarding than short-term financial gain. This ethical approach has helped him build trust within the community and contribute to the overall security of the Solana ecosystem.

What does David see as the future of blockchain adoption?

David is optimistic about the future of blockchain adoption, focusing on two key areas. First, he believes in the continued improvement and simplification of financial systems through blockchain technology. Second, he sees great potential in NFTs and community-building tools to bring people together, even during bear markets. He anticipates explosive growth in the sector as user experiences improve and more people recognize the potential of blockchain technology.

How is MadShield evolving to meet new security challenges?

MadShield is expanding its focus to include securing the bridge between Web2 and Web3 technologies, recognizing the potential vulnerabilities that can arise in this intersection. The company is also rebranding from SolShield to MadShield, reflecting the "madness" required to effectively audit and secure blockchain protocols. Additionally, MadShield is committed to producing educational content to help developers and users understand common vulnerabilities and best practices.

What advice does David offer for aspiring security auditors?

David advises aspiring security auditors to immerse themselves in code, reading and understanding a wide variety of blockchain protocols. He recommends starting small by finding and reporting even minor vulnerabilities to build skills and reputation. Building relationships with development teams and understanding different team cultures are also crucial. David emphasizes the importance of persistence and continuous learning in this field.

How does David view the role of NFTs beyond digital art?

While NFTs are often associated with digital art and collectibles, David sees their potential as powerful community-building tools. He believes that NFTs can bring people together around shared concepts or interests, creating strong bonds even in challenging market conditions. This vision of NFTs as social glue aligns with broader trends in the Web3 space, where digital ownership and community participation are becoming increasingly intertwined.

What role does David see for AI in blockchain security?

David sees potential in leveraging artificial intelligence to enhance blockchain security. He proposes developing an AI model that could analyze past exploits and generate a checklist of potential vulnerabilities for developers to consider. This AI-assisted approach could help identify common vulnerabilities more efficiently, allowing human auditors to focus on more complex and nuanced security issues.

What is David's overarching philosophy regarding blockchain security?

David's work in blockchain security is driven by the ethos of "Wealth and culture by the free for the free and protected by the free." This philosophy encapsulates the broader goals of the blockchain movement – creating financial and cultural systems that are open, accessible, and secure for all. It underscores that the work of security auditors is not just about finding and fixing vulnerabilities, but about safeguarding the promise of a more decentralized and equitable digital future.

Related Content

Community and Culture with Solana OG Based Charker

Dive into Solana's vibrant ecosystem with Chase Barker as he discusses NFTs, meme coins, and the future of blockchain innovation on the Midcurve podcast.

The State Of Solana In 2024 | Austin Federa

Explore the current state of Solana with Austin Federa, discussing economic security, meme coins, network growth, and the future of blockchain technology.

MEV on Solana with buffalu from Jito Labs

Dive deep into the world of MEV on Solana with Lucas from Jito Labs. Learn about validator clients, searchers, and the future of blockchain technology.

Solana DeFi borrow and lending with marginfi's founders - Solfate Podcast #26

Explore the future of DeFi on Solana with marginfi's founders as they discuss innovative lending protocols, market cycles, and the potential for new tokens in the ecosystem.

Music, Jiu Jitsu, and MEV with Zano from JitoLabs | Midcurve Offsight

Dive into the world of Solana with Zano from JitoLabs as he discusses MEV, multi-dimensional fee markets, and the future of blockchain technology.

Why Solana DeFi Is Crypto's Biggest Opportunity | Ansem

Crypto trader Ansem explains why Solana DeFi is poised for massive growth, outlines his bullish thesis on SOL, and shares insights on the future of blockchain ecosystems.

Building Solana: Chewing Glass with Toly (co-founder of Solana Labs) - Solfate Podcast #47

Solana co-founder Anatoly Yakovenko discusses asynchronous execution, personal motivations, and the future of blockchain technology in an insightful podcast interview.

Solana Foundation's Head of Developer Ecosystem (feat. Chase Barker) - Solfate Podcast #21

Discover insights from Chase Barker, Head of Developer Ecosystem at Solana Foundation, on developer education, community building, and the future of blockchain adoption.

Incubating Solana's Next Unicorns | Emon Motamedi

Discover how Solana Incubator is shaping the future of Web3 with insights from Emon Motamedi on startup selection, success stories, and the vision for blockchain adoption.

Will A Solana ETF Get Approved? | Matthew Sigel

VanEck's Head of Digital Assets Research discusses Solana ETF filing, crypto market dynamics, and the future of blockchain technology in finance.

Stronger DeFi and Better Tokenomics with Tommy J, Founder of PsyOptions - Solfate Podcast #34

Tommy Johnson of PsyOptions shares insights on DeFi development, tokenomics, and the future of finance on Solana in this in-depth Solfate podcast

The Solana End Game | Anatoly Yakovenko & Lucas Bruder

Anatoly Yakovenko and Lucas Bruder discuss Solana's scaling solutions, upcoming features like async execution, and the future of MEV on the network.

The Rise of Solana's Developer Ecosystem ft. Chase Barker

Discover how Solana is cultivating a thriving global developer community, with insights from Chase Barker on India's tech talent, ecosystem challenges, and the future of blockchain adoption.

Validated | From Anchor to Mad Lads and Beyond with Armani Ferrante

Explore Armani Ferrante's journey in Solana development, from Anchor to Mad Lads, and learn about the future of blockchain technology and user adoption.

Unveiling Solana's Validator Landscape with Gui from Latitude

Discover the intricacies of Solana's validator ecosystem, bare metal infrastructure, and the future of blockchain performance with Gui from Latitude.