Breakpoint 2023: An Inside Look into the Past and Future of Solana Security
An exploration into the evolution and strengthening of security on the Solana blockchain as presented by Neodyme's co-founder.
Summary
At Breakpoint 2023, Thomas Lambertz, CEO and co-founder of Neodyme, delivered a comprehensive overview of the evolution of security within the Solana blockchain ecosystem. His talk traced the journey from Solana's vulnerable early days to the robust security posture it has developed since. As a security research company specializing in Solana, Neodyme has been instrumental in identifying and mitigating security risks. Lambertz shared insights into the mechanisms that have led to improved contract security, the challenges that developers face, and the initiatives that aim to fortify the ecosystem from potential vulnerabilities.
Key Points:
The Evolution of Security in Solana
Initially, Solana was perceived as difficult to develop for because of its complexity and the fledgling state of its security. In its early days back in 2020, the blockchain was fresh and teeming with bugs. Neodyme, under Lambertz's guidance, found hundreds of these bugs, which were mostly minor but still indicative of the ecosystem's immaturity. As Solana matured, several events, such as inflation activation and the adoption of frameworks like Anchor, contributed to a more secure state. Despite setbacks from high-profile hacks in 2022, the ecosystem has learned and adapted, and its security posture and trust have recovered.
The Current State and the Path Forward
The present looks much brighter for Solana's security. The ecosystem now boasts over 6,000 contracts, an increase from the previous year, with most utilizing the Anchor framework. Lambertz highlights the pressing issue of contract upgrade authority as a potential vulnerability if not managed properly. Security tooling and education are essential for continued growth and stability. The upcoming initiative called "runtime with you" is poised to change the landscape by making smart contract development and auditing more efficient with typed contracts.
Challenges and Solutions for Security
Thomas Lambertz elaborated on the challenges developers face, such as rounding errors, which Solana's low transaction fees and large number of instructions per transaction can make worth exploiting, and the importance of checking account relationships. He also mentioned that the focus may shift from smart contracts to the wider ecosystem, including RPC security. Acknowledging the lack of comprehensive security tools, he advocates for community involvement in building and sharing resources.
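The rounding point above, as an added example that is not code from the talk or from Neodyme: a toy share vault in plain Rust (no Solana SDK) where round-to-nearest lets a round trip pay out more than was deposited, while flooring both conversions never does. The vault, its starting balances and all names are hypothetical.

```rust
// Added example: toy vault, constructed numbers, hypothetical names.
#[derive(Clone, Copy)]
enum Rounding { Nearest, Floor }

// a * b / d in 128-bit intermediate precision, rounded as requested.
fn mul_div(a: u64, b: u64, d: u64, r: Rounding) -> u64 {
    let (n, d) = (a as u128 * b as u128, d as u128);
    (match r { Rounding::Floor => n / d, Rounding::Nearest => (n + d / 2) / d }) as u64
}

struct Vault { assets: u64, shares: u64, rounding: Rounding }

impl Vault {
    // Mint shares for deposited assets at the current price.
    fn deposit(&mut self, amount: u64) -> u64 {
        let minted = mul_div(amount, self.shares, self.assets, self.rounding);
        self.assets += amount;
        self.shares += minted;
        minted
    }
    // Burn shares and pay out assets at the current price.
    fn withdraw(&mut self, shares: u64) -> u64 {
        let paid = mul_div(shares, self.assets, self.shares, self.rounding);
        self.assets -= paid;
        self.shares -= shares;
        paid
    }
}

// Net gain of a depositor after `n` deposits of `amount` and one full withdrawal.
fn round_trip_gain(rounding: Rounding, amount: u64, n: u32) -> i64 {
    let mut v = Vault { assets: 150, shares: 100, rounding };
    let held: u64 = (0..n).map(|_| v.deposit(amount)).sum();
    v.withdraw(held) as i64 - (amount * n as u64) as i64
}

// Invariant check: the largest gain over a grid of deposit sizes and counts.
fn worst_case_gain(rounding: Rounding) -> i64 {
    (1..=20u64)
        .flat_map(|a| (1..=20u32).map(move |n| round_trip_gain(rounding, a, n)))
        .max()
        .unwrap()
}

fn main() {
    println!("nearest: {}", worst_case_gain(Rounding::Nearest));
    println!("floor:   {}", worst_case_gain(Rounding::Floor));
}
```

A property check like `worst_case_gain(...) <= 0` belongs in the program's test suite; the rule it enforces is that every conversion rounds against the caller.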
Facts + Figures
- Solana was difficult to develop for in 2020, and many security issues were present at its inception.
- Neodyme discovered roughly 100 bugs in Solana's blockchain.
- Solana has gone through significant growth, with Solana's token (SOL) at one point reaching over $200 in value.
- The introduction of inflation in Solana's ecosystem marked a vital turning point for its development.
- There are over 6,000 deployed contracts on Solana, signifying a 30% increase since the last year.
- About two-thirds of these contracts use the Anchor framework.
- The issue of upgrade authorities poses a threat to contract security.
- In 2023, there were 22,000 contract upgrades, suggesting high development activity within Solana.
- The improvement of security tooling is critical for preventing bugs and verifying code.
- River Garden, a new tool for security, will be introduced to provide free resources to the community.
Top quotes
- "Has Solana become more secure?"
- "Solana is only like three years at mainnet. Not even that."
- "And then Solana starts picking up steam... And that led to like rushed code."
- "Contracts are upgradable. Many, many of the contracts just have like some upgrade authority which can like completely replace the implementation."
- "On Solana like the fees are like so insanely low and you can put so many instructions in a single transaction that rounding errors may become worth it."
- "That's a way to like prove that a transaction was included on chain and it was successful."
- "Because like once we do like kind of like these silo security implementations of like individual auditors I don't think that can be really like an ecosystem."
- "Please have a discussion about security come to our talks and I'm excited to be here."
Questions Answered
How has Solana's security evolved since its inception?
Initially, Solana faced myriad security issues, which was common for a new blockchain. However, with the advent of frameworks like Anchor and the active involvement of security companies like Neodyme, Solana's security has significantly improved. Despite high-profile hacks, the ecosystem has adapted, leading to a more secure network today.
What are the current security challenges faced by the Solana blockchain?
Solana developers grapple with issues such as rounding errors and account relationship checks, which are exacerbated by low transaction fees. Contract upgrades and inadequate security tools also pose challenges. The ecosystem is actively seeking solutions through better frameworks, documentation, and community-led projects.
Why are contract upgrades a point of concern in Solana’s security?
Contract upgrades can potentially introduce vulnerabilities if not scrutinized. In 2023, Solana experienced a high average rate of upgrades, with 22,000 across 6,000 contracts, limiting the time auditors have to review each change. This increased frequency makes thorough assessments more difficult, raising concerns about maintaining security.
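One check a reviewer can run for the upgrade-authority concern, as an added example that is not from the talk: parse a program's ProgramData account to see whether it is still upgradeable, by which key, and at which slot it was last deployed. It assumes the bincode layout of the upgradeable BPF loader's `UpgradeableLoaderState::ProgramData` as described in the first comment; the account bytes are constructed, and `sample` is a hypothetical helper.

```rust
// Added example. Layout assumed: bincode-encoded UpgradeableLoaderState::ProgramData
//   u32 LE variant index (3) | u64 LE last-deploy slot | Option<Pubkey> (1-byte tag + 32 bytes)
#[derive(Debug, PartialEq)]
enum UpgradeStatus {
    Immutable { last_deploy_slot: u64 },
    Upgradeable { last_deploy_slot: u64, authority: [u8; 32] },
}

fn parse_programdata(data: &[u8]) -> Result<UpgradeStatus, &'static str> {
    if data.len() < 13 {
        return Err("too short for a ProgramData header");
    }
    let (mut tag, mut slot) = ([0u8; 4], [0u8; 8]);
    tag.copy_from_slice(&data[0..4]);
    slot.copy_from_slice(&data[4..12]);
    if u32::from_le_bytes(tag) != 3 {
        return Err("not a ProgramData account");
    }
    let last_deploy_slot = u64::from_le_bytes(slot);
    match data[12] {
        // None: the authority was revoked, the code can no longer be replaced.
        0 => Ok(UpgradeStatus::Immutable { last_deploy_slot }),
        // Some(pubkey): this key can replace the implementation.
        1 => {
            let raw = data.get(13..45).ok_or("truncated upgrade authority")?;
            let mut authority = [0u8; 32];
            authority.copy_from_slice(raw);
            Ok(UpgradeStatus::Upgradeable { last_deploy_slot, authority })
        }
        _ => Err("invalid Option tag"),
    }
}

// Constructed sample account data (not taken from any real program).
fn sample(slot: u64, authority: Option<[u8; 32]>) -> Vec<u8> {
    let mut v = 3u32.to_le_bytes().to_vec();
    v.extend_from_slice(&slot.to_le_bytes());
    match authority {
        Some(k) => { v.push(1); v.extend_from_slice(&k); }
        None => v.push(0),
    }
    v
}

fn main() {
    println!("{:?}", parse_programdata(&sample(1_000, Some([7u8; 32]))));
    println!("{:?}", parse_programdata(&sample(2_000, None)));
}
```

Comparing `last_deploy_slot` against the slot recorded at audit time shows whether the deployed code has changed since it was reviewed.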
What future developments are expected to enhance Solana's security further?
Initiatives like "runtime with you" will bring typed contracts to Solana, which promises to streamline development and auditing processes. Improvements to RPC security and transaction receipt verification, as well as community tools like River Garden, are all aimed at fortifying Solana's overall security infrastructure.
How does Neodyme contribute to the security of Solana?
Neodyme conducts security research specifically for the Solana blockchain, identifying vulnerabilities and helping to address them. The company was instrumental in finding numerous bugs in Solana's early days and continues to be involved in security education and tooling for the community.
