Scale or Die at Accelerate 2025: Decompiling Solana Programs
Revolutionary Solana program decompilation tools unveiled, boosting ecosystem transparency and security
In a groundbreaking presentation at Accelerate 2025, Robert Chen from Ottersec unveiled revolutionary tools for decompiling Solana programs, potentially transforming the landscape of blockchain security and transparency.
Summary
Robert Chen, representing Ottersec, introduced a suite of tools designed to decompile Solana programs, addressing a critical need in the ecosystem where 96.9% of programs (by compute) are closed-source. This toolset aims to enhance transparency and security by allowing developers and users to understand the inner workings of these programs.
The presentation showcased the practical application of these tools in a real-world scenario, analyzing the recent BoopScale hack on Solana. Chen demonstrated how their decompilation framework was instrumental in understanding the attacker's program and its functionality.
The tools leverage existing reverse engineering frameworks, particularly Binary Ninja, and employ custom plugins to translate Solana's BPF code into a more readable format. Chen also introduced an innovative approach using AI, specifically Claude, to further enhance the readability and interpretation of decompiled code.
This development marks a significant step forward in Solana's ecosystem, potentially improving security audits, fostering trust, and enabling more informed interactions with closed-source programs on the platform.
Key Points:
The Problem of Closed-Source Programs on Solana
Robert Chen began by highlighting a significant challenge in the Solana ecosystem: the prevalence of closed-source programs. According to data presented by Jonas from the Solana Foundation, a staggering 96.9% of compute on Solana is not verified, meaning the vast majority of programs users interact with are closed-source in some way. This lack of transparency raises critical questions about security and trust within the ecosystem.
The closed-source nature of these programs makes it difficult for users and developers to understand exactly what they're interacting with, potentially exposing them to unknown risks. This situation underscores the need for tools and methods to analyze and understand these programs, even without access to their source code.
Decompilation Tools and Techniques
Chen introduced Ottersec's solution to this problem: a suite of decompilation tools designed specifically for Solana programs. These tools aim to transform the closed-source BPF (Berkeley Packet Filter) files of Solana programs into more readable and understandable formats.
The process involves several steps:
- Dumping the program from the Solana CLI
- Disassembling the BPF code with llvm-objdump
- Using a custom plugin for Binary Ninja, a reverse engineering framework, to translate the BPF code into an intermediate language (IL)
- Further processing to produce human-readable pseudo-C code
This approach leverages existing reverse engineering techniques and adapts them to the specific architecture and requirements of Solana programs. Chen emphasized that while the resulting code might not be perfect, it provides valuable insights into the program's functionality.
AI-Assisted Interpretation
One of the most innovative aspects of Ottersec's approach is the use of AI, specifically Claude, to enhance the readability and interpretation of decompiled code. Chen explained that while the decompilation process can produce pseudo-C code, it often lacks important elements like struct definitions, variable types, and meaningful symbol names.
To address this, they feed the decompiled output to Claude, allowing the AI to make educated guesses about these missing elements. The AI can:
- Define structs
- Rename variables
- Infer function signatures
Chen argued that this approach, while not guaranteed to be 100% accurate, aligns well with the goals of reverse engineering, where the primary aim is to gain a high-level understanding of the program's functionality rather than perfect reconstruction of the original code.
Real-World Application: The BoopScale Hack
To demonstrate the practical value of their tools, Chen presented a case study of the recent BoopScale hack on Solana. The hack, which resulted in a loss of approximately $5 million, involved an attacker deploying a program that spoofed an oracle on the BoopScale lending market.
Using their decompilation framework, Ottersec was able to analyze the attacker's program quickly. The decompiled and AI-interpreted code revealed that the program was relatively simple, consisting of just a few lines that set a hardcoded return value. This insight was crucial in understanding the nature of the attack and the method used to spoof the oracle.
This real-world application showcases the potential of these tools in rapid incident response and security analysis within the Solana ecosystem.
Facts + Figures
- 96.9% of compute on Solana is not verified, indicating a high prevalence of closed-source programs
- The BoopScale hack resulted in a loss of approximately $5 million
- Ottersec's decompilation framework uses Binary Ninja as its base reverse engineering tool
- The framework includes a custom plugin to translate Solana BPF code into an intermediate language
- Four main memory regions in the Solana Virtual Machine: Program code, stack data, heap data, and input region
- Claude, an AI model, is used to enhance the readability of decompiled code
- The attacker's program in the BoopScale hack was decompiled to just three significant lines of code
- Ottersec's tools can extract IDLs (Interface Description Language) to provide additional context for decompilation
- The presentation demonstrated decompilation of both a simple attacker program and a more complex program from Kamino
Top quotes
- "Unfortunately, most programs on Solana are closed source."
- "How can you know what you're actually interacting with?"
- "We wrote a plugin that turns Solana BPF code into something human readable, using existing reverse engineering tooling."
- "When we are reverse engineering a program, we kind of just want a high level intuition of what the program does."
- "Even when you are a human, you don't know for sure what the variable names are or what the struct types are."
- "We were pretty skeptical when we saw this, but it's actually really amazing how it works."
- "We're really excited to share this with the community, and hopefully, if there's some closed source program that you see that you don't know what it's doing, you can give this a try."
Questions Answered
What is the main problem Ottersec is addressing with their new tools?
Ottersec is addressing the prevalence of closed-source programs on Solana, which account for 96.9% of compute on the platform. These tools aim to decompile and analyze these programs, enhancing transparency and allowing users and developers to understand what they're interacting with. This is crucial for security and trust within the Solana ecosystem.
How does Ottersec's decompilation framework work?
Ottersec's decompilation framework uses a multi-step process. First, it dumps the Solana program with the Solana CLI. Then, it disassembles the BPF code with llvm-objdump. Next, it uses a custom plugin for Binary Ninja to translate the BPF code into an intermediate language. Finally, it processes this further to produce human-readable pseudo-C code. The framework also leverages AI to enhance the readability of the decompiled code.
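The dump-then-disassemble pipeline described under Key Points and in the answer above can be exercised offline at the disassembly step. The Python below is an added example, not Ottersec's plugin or code from the talk: a minimal sBPF decoder for a handful of opcodes that annotates 64-bit constants with the SVM memory region they point into (the four region base addresses are assumed from the Solana BPF runtime, solana_rbpf) and runs over a constructed "load a hardcoded value, store it, return success" byte sequence, not the real attacker program.

```python
import struct

# sBPF shares eBPF's 8-byte instruction layout:
#   opcode:u8 | src:4 bits, dst:4 bits | offset:i16 LE | imm:i32 LE
# lddw (0x18) is the one 16-byte form: the upper 32 bits of its 64-bit
# immediate sit in the imm field of the following 8-byte slot.
OPCODES = {
    0xb7: "mov64 r{dst}, {imm}",
    0x79: "ldxdw r{dst}, [r{src}+{off}]",
    0x7b: "stxdw [r{dst}+{off}], r{src}",
    0x95: "exit",
}

# Base addresses (top 32 bits) of the four SVM regions; assumed from solana_rbpf.
REGIONS = {0x1: "program code", 0x2: "stack", 0x3: "heap", 0x4: "input"}

def region_of(addr):
    """Name the SVM region a 64-bit constant points into, or None."""
    return REGIONS.get(addr >> 32)

def disassemble(code: bytes):
    """Decode a flat sBPF .text blob into one mnemonic string per instruction."""
    out, pc = [], 0
    while pc + 8 <= len(code):
        op, regs, off, imm = struct.unpack_from("<BBhi", code, pc)
        dst, src = regs & 0xF, regs >> 4
        if op == 0x18:  # lddw: 64-bit immediate spread over two slots
            hi = struct.unpack_from("<I", code, pc + 12)[0]
            imm64 = (imm & 0xFFFFFFFF) | (hi << 32)
            note = region_of(imm64)
            out.append(f"lddw r{dst}, {imm64:#x}" + (f"  ; {note}" if note else ""))
            pc += 16
            continue
        fmt = OPCODES.get(op)
        out.append(fmt.format(dst=dst, src=src, off=off, imm=imm) if fmt else f"db {op:#04x}")
        pc += 8
    return out

def hardcoded_constants(code: bytes):
    """All 64-bit immediates the program loads: first stop when a program 'just sets a value'."""
    return [int(line.split(", ")[1].split()[0], 16)
            for line in disassemble(code) if line.startswith("lddw")]

def enc(op, dst=0, src=0, off=0, imm=0):
    """Assemble one 8-byte instruction (used here only to build the sample)."""
    return struct.pack("<BBhI", op, (src << 4) | dst, off, imm & 0xFFFFFFFF)

# Constructed sample (not the real attacker program): lddw r2, 1e18;
# store it through r1 (the runtime's input pointer); mov64 r0, 0; exit.
SAMPLE = (enc(0x18, dst=2, imm=0xa7640000) + enc(0x00, imm=0x0de0b6b3)
          + enc(0x7b, dst=1, src=2, off=0) + enc(0xb7, dst=0, imm=0) + enc(0x95))
```

Run `disassemble(SAMPLE)` to see the four-line listing; on a real dump, feed it the bytes of the `.text` section that llvm-objdump shows.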
What role does AI play in Ottersec's decompilation process?
AI, specifically Claude, plays a crucial role in enhancing the readability and interpretation of decompiled code. It helps define structs, rename variables, and infer function signatures - elements that are typically lost during compilation. While not guaranteed to be 100% accurate, this AI-assisted approach provides valuable insights into the program's functionality, aligning with the goals of reverse engineering.
How was Ottersec's tool used in the BoopScale hack analysis?
Ottersec used their decompilation framework to analyze the attacker's program in the BoopScale hack. The tools quickly decompiled the program, revealing that it was relatively simple and consisted of just a few lines that set a hardcoded return value. This insight was crucial in understanding the nature of the attack and how the oracle was spoofed, demonstrating the tool's value in rapid incident response and security analysis.
What are the limitations of Ottersec's decompilation tools?
While powerful, Ottersec's tools have some limitations. They can't perfectly reconstruct the original source code, as certain elements like struct definitions, variable types, and symbol names are lost during compilation. Additionally, for complex programs, the decompiled output can be lengthy and potentially confusing. However, the tools aim to provide a high-level understanding rather than perfect reconstruction, which is often sufficient for reverse engineering purposes.