Liquid Stake with compassSOL for an 7.15% APY from staking, MEV + fees

Enjoy the freedom of liquid staking in Solana Defi while delegating your stake to the high performance Solana Compass validator. Stake or unstake at any time here, or with a Jupiter swap.

Benefit from our high staking returns and over 2 years experience operating a Solana validator, and receive additional yield from priority fees + MEV tips

Earn 6.5% APY staking with Solana Compass

Help decentralize and secure the Solana network delegating your stake to us and earn an impressive 6.5% APY yield on your SOL, while supporting us to create new guides and tools. Learn more

Stake your SOL

  1. Click to connect your wallet
  2. Enter the amount you wish to stake
  3. Kick back and enjoy your returns
  4. Unstake from your wallet or our staking dashboard

Earn 6.5% APY staking with Solana Compass

Help decentralize and secure the Solana network delegating your stake to us and earn an impressive 6.5% APY yield on your SOL, while supporting us to create new guides and tools.

Learn more

Breakpoint 2023: The Good, The Bad, and The Vulnerable

Published on 2023-11-09

An insightful presentation on secure programming practices for developing Solana blockchain programs

The notes below are AI generated and may not be 100% accurate. Watch the video to be sure!

Summary

"Breakpoint 2023: The Good, The Bad, and The Vulnerable" is an informative video presented by Will, a software engineer from ORCA, focusing on the common pitfalls and best practices in Solana program development. With the growing complexity of blockchain applications, secure and robust development is essential to prevent exploitable vulnerabilities. The talk provides a deep dive into the "10 commandments" for security in Solana smart contract development, touching upon the importance of verification, program account ownership, correct interaction with secondary programs, and handling integer math operations. The speech not only covers technical details but also discusses the tools and practices that can help developers ensure the security of their Solana programs.

Key Points:

Signer Verification

Will stresses the significance of verifying the signer of a transaction in Solana applications. While there may be instances where a programmer might consider skipping this step, Will counters that the benefits of including it outweigh the minimal compute budget costs. This ensures that even in permissionless instructions or when delegating checks to other programs, the origin of a transaction is always validated, improving security.

Program Account Ownership and Interaction

A critical practice in Solana development is verifying the ownership of program accounts when accessing their data. Since only the owning program can write to an account, this verification ensures the reliability of the data. Similarly, when interacting with secondary programs, it is important to verify that the correct program is being addressed. Will points out that this prevents adversaries from manipulating the program's interactions.

Math Operations and Rounding Policies

Math operations in blockchain programs frequently involve integers, and special care must be taken to prevent overflows and underflows. Using checked arithmetic and correctly ordering operations to maintain precision are vital. Will also advises a consistent rounding policy to avoid discrepancies that could be exploited, particularly on a blockchain like Solana where affordable transaction fees could make even small vulnerabilities profitable for attackers.

Closing Program Accounts and Handling Errors

Closing program accounts can lead to vulnerabilities if not handled properly. Developers are advised to mark accounts closed in a recapitable manner. Additionally, errors should be meticulously handled; otherwise, a failed operation might silently allow a transaction to proceed, potentiating undesired effects.

PDA Seeds and Tools

The importance of unique and non-colliding Program Derived Addresses (PDAs) seeds is discussed, suggesting the use of prefixes to prevent address clashes. Will also recommends tools like Anchor for account validation and Solana Bankran for simulating various testing scenarios, which can assist developers in creating secure Solana applications.

Facts + Figures

  • Always verify the signer of a transaction in Solana programs, even in permissionless situations.
  • Verify the ownership of a program account to ensure the integrity and trustworthiness of the data.
  • Ensure interaction with the correct secondary program to avoid adversarial insertion of incorrect ones.
  • Utilize identifiers for Solana program accounts to separate different types of data accounts.
  • Use checked arithmetic to avoid integer overflow and underflow in smart contracts.
  • Preserve precision in integer math by performing magnifying operations before reducing ones.
  • Adopt a consistent rounding policy to prevent rounding discrepancies in token transfers.
  • Properly write boolean or identifiers before closing a program account to mark it as such even if reopened.
  • Always handle errors to prevent unintended continuation of execution despite failures.
  • Prefix PDA seeds to prevent collisions between different data accounts.

Top quotes

  • "Always make sure that you verify the signer of a transaction."
  • "Every time you read from a program account, make sure to check their owner."
  • "Always use identifiers for your program accounts."
  • "Check math pretty much always is the rule."
  • "Use a consistent rounding policy."
  • "Only the program that owns the account can actually write data."
  • "Always prefix your PDA seeds."
  • "Anchor forces you to be very explicit about the accounts and the validation."

Questions Answered

What is a common security practice when developing Solana programs?

Always ensure verification of the signer for transactions to authenticate the proper source, regardless of the transaction type.

Why is it important to verify program account ownership?

Verifying account ownership is crucial because it confirms that the data within a program account is trustworthy and has not been tampered with.

How can Solana developers avoid issues with integer math operations?

Developers should use checked arithmetic to prevent overflow and underflow and should structure their operations to perform magnifying actions before reducing ones to maintain numerical precision.

What should be done before closing a program account in Solana?

Before closing, write a boolean or an identifier to signal that the account is intended to be closed, to ensure that even if the account is reopened, it is still recognizable as previously closed.

What tool can help Solana developers with secure and explicit account validation?

Anchor is a tool that assists developers by enforcing clear validation and account handling practices, which can prevent many common programming errors in Solana's development environment.

Related Content

Breakpoint 2023: Star Atlas Session

A visionary presentation on Star Atlas's intersection of gaming and blockchain on the Solana platform.

Breakpoint 2023: How Helium Migrated to Solana

The migration of the Helium network to Solana blockchain.

Breakpoint 2023: How to Store Solana NFTs On-Chain - A Brief Overview

An insightful exploration into the essentials of storing NFTs on Solana's blockchain.

Breakpoint 2023: Auditor's Panel

Insights from leading blockchain auditors on the importance of security in the Solana ecosystem.

Breakpoint 2023: The Global State Machine

Breakpoint 2023 provides insight into the advancements and future of the Solana Blockchain and its ecosystem.

Breakpoint 2023 Recap - Day 3

The video discusses the potential of Web3 gaming and its economic impact through Solana's blockchain technology.

Breakpoint 2023: Building Blocks of a Regenerative Economy

An insightful discussion on blockchain's role in establishing a regenerative economy.

Breakpoint 2023: Solana RPC 2.0 Roundtable

Key insights from industry experts on the future of RPC 2.0 in Solana and its impact on blockchain development.

Breakpoint 2023: The Future of Finance and Blockchains with Visa

Experts from Visa and Worldpay discuss the advancement of finance using blockchains.

Breakpoint 2023: ZK on Solana: Private Solana Programs

An exploration of zero-knowledge proofs for enhanced privacy on the Solana blockchain.

Breakpoint 2023: tBTC comes to Solana

Discussions on the integration of tBTC, a decentralized Bitcoin, into the Solana ecosystem.

Breakpoint 2023: Payments on Solana, The Digital Commerce Revolution

Exploring the potential of Solana for revolutionizing digital payments and commerce.

Breakpoint 2023: Composable Privacy with Sandwiching

Exploring the innovation of 'sandwiching' for enhanced privacy in the blockchain through composable privacy.

Breakpoint 2023: Introducing the New Web3.js

Steven Luscher presents the new Web3.js with enhanced features and performance improvements.

Breakpoint 2023: The Creator Economy in Web3 vs. Web2

Exploring the challenges and opportunities for creators transitioning from Web2 to Web3 ecosystems.