Liquid Stake with compassSOL for an 7.15% APY from staking, MEV + fees

Enjoy the freedom of liquid staking in Solana Defi while delegating your stake to the high performance Solana Compass validator. Stake or unstake at any time here, or with a Jupiter swap.

Benefit from our high staking returns and over 2 years experience operating a Solana validator, and receive additional yield from priority fees + MEV tips

Earn 6.7% APY staking with Solana Compass

Help decentralize and secure the Solana network delegating your stake to us and earn an impressive 6.7% APY yield on your SOL, while supporting us to create new guides and tools. Learn more

Stake your SOL

  1. Click to connect your wallet
  2. Enter the amount you wish to stake
  3. Kick back and enjoy your returns
  4. Unstake from your wallet or our staking dashboard

Earn 6.7% APY staking with Solana Compass

Help decentralize and secure the Solana network delegating your stake to us and earn an impressive 6.7% APY yield on your SOL, while supporting us to create new guides and tools.

Learn more

Breakpoint 2023: Back to The Future: What Bugs You Can Expect in Your Project

Published on 2023-11-09

Director of Security at Halborne, Piotr Cielas, discusses recurring bugs in projects and proposes a blockchain-specific vulnerability scoring system.

The notes below are AI generated and may not be 100% accurate. Watch the video to be sure!

Summary

At Breakpoint 2023, Piotr Cielas, the Director of Security at Halborne, offered a comprehensive look at common vulnerabilities that appear in projects across various industries. He explained the universality of certain bugs irrespective of the particular market or industry and emphasized the importance of probability when predicting the future occurrence of these issues. Focusing on blockchain technology, he critiqued current security metrics for their lack of sophistication and offered Halborne's more nuanced approach, which adapts the Common Vulnerability Scoring System. He elaborated on the necessity to understand the nature of bugs, their likelihood, and potential impact, breaking down some Solana-specific examples of what could go wrong and how to prevent such occurrences.

Key Points:

The Prevalence of Reoccurring Bugs

Piotr Cielas shed light on how bugs tend to reoccur across various projects despite industry or product specificity. He suggests that an analysis of past bugs is critical in preventing future ones. He draws from Bayesian probability to argue that understanding existing data helps in projecting future occurrences with greater accuracy.

Critique of Current Security Metrics

Cielas discusses the inadequacy of current two-dimensional security metrics in capturing the complex nature of vulnerabilities. These metrics fall short when it comes to multidimensional evaluation, consequently offering limited information. They typically combine variables that should be independent, such as probability and impact, which can result in an oversimplified assessment.

Halborne's Blockchain Vulnerability Scoring System

Halborne's approach enriches the Common Vulnerability Scoring System (CVSS) with blockchain-specific metrics. The new system adds categories like deposit effect, yield effect, reversibility, and whether the issue is isolated or systemic. This nuanced breakdown fosters a better understanding of how vulnerabilities function in the blockchain environment.

Common Solana Vulnerabilities

Cielas explains the common vulnerabilities found in programs running on Solana and the importance of proper checks and validations to avoid them. He points out that bug prevention is essential—even for well-known issues—to maintain integrity and security in blockchain projects.

Facts + Figures

  • Piotr Cielas is the Director of Security at Halborne, responsible for enterprise security and serving as a security engineer and advisor for blockchain projects.
  • The talk focuses on using historical data to predict and prevent future security issues in projects.
  • The Bayesian probability concept is highlighted as a mathematical approach to forecasting potential project vulnerabilities.
  • Cielas critiques commonly used two-dimensional risk matrices for their oversimplified representation of risks.
  • Halborne developed a Blockchain Vulnerability Scoring System, improving upon the CVSS by adding blockchain-specific metrics.
  • One in five vulnerabilities has some impact on a project's deposit funds.
  • If a vulnerability does affect the yield, 40% of the time, it can be devastating to the project.
  • Integrity appears to be the most affected attribute by vulnerabilities in projects.
  • Most attacks are simple to execute and predominantly involve local issues rather than systemic ones.
  • Piotr Cielas discussed specific types of vulnerabilities related to Solana, such as account owner check missing and signer check missing.

Top quotes

  • "We see, time and time again, there are similarities across projects."
  • "The bugs that we see do seem to occur in projects regardless even of the industry and the product's fit in the market."
  • "Convenience matters more, it's easier to convey the message to people that are not so fixed on mathematics."
  • "We sort of took the best of both worlds and came up with a blockchain vulnerability scoring system."
  • "Most of the attacks are rather simple to exploit."
  • "Unfortunately, most of the attacks are irreversible, and there's nothing you can do to recover the funds."
  • "Every single auditor that I've talked to, the very first advice that they give is never to forget the common Solana vulnerabilities."

Questions Answered

What is the main focus of Piotr Cielas's talk at Breakpoint 2023?

The main focus of Piotr Cielas's talk is to provide insight into common vulnerabilities across projects and industries and introduce a more sophisticated, blockchain-specific vulnerability scoring system to predict and prevent future security issues more effectively.

Why are current security metrics considered inadequate by Piotr Cielas?

Current two-dimensional security metrics are considered inadequate because they fail to capture the multifaceted nature of vulnerabilities and often mix independent variables, leading to oversimplified risk assessments. Piotr Cielas proposes a more comprehensive approach that takes into account various dimensions of blockchain-specific vulnerabilities.

How does Halborne's Blockchain Vulnerability Scoring System differ from CVSS?

Halborne's Blockchain Vulnerability Scoring System builds upon the Common Vulnerability Scoring System but includes additional categories tailored to blockchain-specific concerns, including deposit effect, yield effect, reversibility, and systemic impact, allowing for a deeper understanding and analysis of vulnerabilities in blockchain projects.

Why is it essential to understand common vulnerabilities in Solana-based programs?

Understanding common vulnerabilities in Solana-based programs is crucial because these bugs, if unchecked, can severely compromise the security of a blockchain project. Proper validation and checks can prevent these vulnerabilities and protect the integrity and funds within the ecosystem.

What practical advice does Piotr Cielas offer to prevent security breaches in blockchain projects?

Piotr Cielas advises that developers should not assume common vulnerabilities are universally addressed. Instead, they should actively include necessary validations and checks, such as signer verification and avoiding account type confusion, as part of their code to ensure the security and stability of blockchain projects.

Related Content

Breakpoint 2023: Auditor's Panel

Insights from leading blockchain auditors on the importance of security in the Solana ecosystem.

Breakpoint 2023: Composable Privacy with Sandwiching

Exploring the innovation of 'sandwiching' for enhanced privacy in the blockchain through composable privacy.

Breakpoint 2023: NFT Past & The Future

Max Zhuang, CEO of Sniper Labs, discusses the evolution of NFTs and Sniper's role in the growing market.

Breakpoint 2023: DeFi is Broken. How to Fix It on Solana

Eugene Chen of Ellipsis Labs discusses DeFi's drawbacks and proposes solutions on Solana.

Breakpoint 2023: When Are You Going to Get Serious About Security?

A compelling call for developers to prioritize security in the Web3 ecosystem.

Breakpoint 2023: Enabling High Performance Interoperability for Solana

Gal Stern discusses how deBridge streamlines interoperability with zero TVL for the Solana ecosystem.

Breakpoint 2023: How Web3 Games Can Innovatively Acquire Users

Web3 gaming experts discuss user acquisition strategies and community engagement in the blockchain gaming space.

Breakpoint 2023: Exploring the Forthcoming Innovations with TOKEN22

A detailed discussion about the future of blockchain token functionality with TOKEN22 and how it can impact various industries.

Breakpoint 2023: Creating Great Content

Content creator Solandy shares insights on producing engaging and educational content, specifically for Solana development.

Breakpoint 2023: Gaming in Web3 Panel

Leaders in the Web3 gaming space discuss the challenges and opportunities within the industry.

Breakpoint 2023: Building Blocks of a Regenerative Economy

An insightful discussion on blockchain's role in establishing a regenerative economy.

Breakpoint 2023: How to Store Solana NFTs On-Chain - A Brief Overview

An insightful exploration into the essentials of storing NFTs on Solana's blockchain.

Breakpoint 2023: The Future of Finance and Blockchains with Visa

Experts from Visa and Worldpay discuss the advancement of finance using blockchains.

Breakpoint 2023: Journey to Becoming a Validator

Explore the intriguing world of blockchain validation and the journey of becoming a validator on Solana's network.

Breakpoint 2023: Star Atlas Session

A visionary presentation on Star Atlas's intersection of gaming and blockchain on the Solana platform.