Liquid Stake with compassSOL for an 7.15% APY from staking, MEV + fees
Enjoy the freedom of liquid staking in Solana Defi while delegating your stake to the high performance Solana Compass validator. Stake or unstake at any time here, or with a Jupiter swap.
Benefit from our high staking returns and over 2 years experience operating a Solana validator, and receive additional yield from priority fees + MEV tips
Earn 6.5% APY staking with Solana Compass
Help decentralize and secure the Solana network delegating your stake to us and earn an impressive 6.5% APY yield on your SOL, while supporting us to create new guides and tools. Learn more
Stake your SOL
- Click to connect your wallet
- Enter the amount you wish to stake
- Kick back and enjoy your returns
- Unstake from your wallet or our staking dashboard
Earn 6.5% APY staking with Solana Compass
Help decentralize and secure the Solana network delegating your stake to us and earn an impressive 6.5% APY yield on your SOL, while supporting us to create new guides and tools.
Breakpoint 2023: The Good, The Bad, and The Vulnerable
Published on 2023-11-09
An insightful presentation on secure programming practices for developing Solana blockchain programs
Summary
"Breakpoint 2023: The Good, The Bad, and The Vulnerable" is an informative video presented by Will, a software engineer from ORCA, focusing on the common pitfalls and best practices in Solana program development. With the growing complexity of blockchain applications, secure and robust development is essential to prevent exploitable vulnerabilities. The talk provides a deep dive into the "10 commandments" for security in Solana smart contract development, touching upon the importance of verification, program account ownership, correct interaction with secondary programs, and handling integer math operations. The speech not only covers technical details but also discusses the tools and practices that can help developers ensure the security of their Solana programs.
Key Points:
Signer Verification
Will stresses the significance of verifying the signer of a transaction in Solana applications. While there may be instances where a programmer might consider skipping this step, Will counters that the benefits of including it outweigh the minimal compute budget costs. This ensures that even in permissionless instructions or when delegating checks to other programs, the origin of a transaction is always validated, improving security.
Program Account Ownership and Interaction
A critical practice in Solana development is verifying the ownership of program accounts when accessing their data. Since only the owning program can write to an account, this verification ensures the reliability of the data. Similarly, when interacting with secondary programs, it is important to verify that the correct program is being addressed. Will points out that this prevents adversaries from manipulating the program's interactions.
Math Operations and Rounding Policies
Math operations in blockchain programs frequently involve integers, and special care must be taken to prevent overflows and underflows. Using checked arithmetic and correctly ordering operations to maintain precision are vital. Will also advises a consistent rounding policy to avoid discrepancies that could be exploited, particularly on a blockchain like Solana where affordable transaction fees could make even small vulnerabilities profitable for attackers.
Closing Program Accounts and Handling Errors
Closing program accounts can lead to vulnerabilities if not handled properly. Developers are advised to mark accounts closed in a recapitable manner. Additionally, errors should be meticulously handled; otherwise, a failed operation might silently allow a transaction to proceed, potentiating undesired effects.
PDA Seeds and Tools
The importance of unique and non-colliding Program Derived Addresses (PDAs) seeds is discussed, suggesting the use of prefixes to prevent address clashes. Will also recommends tools like Anchor for account validation and Solana Bankran for simulating various testing scenarios, which can assist developers in creating secure Solana applications.
Facts + Figures
- Always verify the signer of a transaction in Solana programs, even in permissionless situations.
- Verify the ownership of a program account to ensure the integrity and trustworthiness of the data.
- Ensure interaction with the correct secondary program to avoid adversarial insertion of incorrect ones.
- Utilize identifiers for Solana program accounts to separate different types of data accounts.
- Use checked arithmetic to avoid integer overflow and underflow in smart contracts.
- Preserve precision in integer math by performing magnifying operations before reducing ones.
- Adopt a consistent rounding policy to prevent rounding discrepancies in token transfers.
- Properly write boolean or identifiers before closing a program account to mark it as such even if reopened.
- Always handle errors to prevent unintended continuation of execution despite failures.
- Prefix PDA seeds to prevent collisions between different data accounts.
Top quotes
- "Always make sure that you verify the signer of a transaction."
- "Every time you read from a program account, make sure to check their owner."
- "Always use identifiers for your program accounts."
- "Check math pretty much always is the rule."
- "Use a consistent rounding policy."
- "Only the program that owns the account can actually write data."
- "Always prefix your PDA seeds."
- "Anchor forces you to be very explicit about the accounts and the validation."
Questions Answered
What is a common security practice when developing Solana programs?
Always ensure verification of the signer for transactions to authenticate the proper source, regardless of the transaction type.
Why is it important to verify program account ownership?
Verifying account ownership is crucial because it confirms that the data within a program account is trustworthy and has not been tampered with.
How can Solana developers avoid issues with integer math operations?
Developers should use checked arithmetic to prevent overflow and underflow and should structure their operations to perform magnifying actions before reducing ones to maintain numerical precision.
What should be done before closing a program account in Solana?
Before closing, write a boolean or an identifier to signal that the account is intended to be closed, to ensure that even if the account is reopened, it is still recognizable as previously closed.
What tool can help Solana developers with secure and explicit account validation?
Anchor is a tool that assists developers by enforcing clear validation and account handling practices, which can prevent many common programming errors in Solana's development environment.
On this page
- Summary
- Key Points:
- Facts + Figures
- Top quotes
-
Questions Answered
- What is a common security practice when developing Solana programs?
- Why is it important to verify program account ownership?
- How can Solana developers avoid issues with integer math operations?
- What should be done before closing a program account in Solana?
- What tool can help Solana developers with secure and explicit account validation?
Related Content
Breakpoint 2023: Star Atlas Session
A visionary presentation on Star Atlas's intersection of gaming and blockchain on the Solana platform.
Breakpoint 2023: How Helium Migrated to Solana
The migration of the Helium network to Solana blockchain.
Breakpoint 2023: How to Store Solana NFTs On-Chain - A Brief Overview
An insightful exploration into the essentials of storing NFTs on Solana's blockchain.
Breakpoint 2023: Auditor's Panel
Insights from leading blockchain auditors on the importance of security in the Solana ecosystem.
Breakpoint 2023: The Global State Machine
Breakpoint 2023 provides insight into the advancements and future of the Solana Blockchain and its ecosystem.
Breakpoint 2023 Recap - Day 3
The video discusses the potential of Web3 gaming and its economic impact through Solana's blockchain technology.
Breakpoint 2023: Building Blocks of a Regenerative Economy
An insightful discussion on blockchain's role in establishing a regenerative economy.
Breakpoint 2023: Solana RPC 2.0 Roundtable
Key insights from industry experts on the future of RPC 2.0 in Solana and its impact on blockchain development.
Breakpoint 2023: The Future of Finance and Blockchains with Visa
Experts from Visa and Worldpay discuss the advancement of finance using blockchains.
Breakpoint 2023: ZK on Solana: Private Solana Programs
An exploration of zero-knowledge proofs for enhanced privacy on the Solana blockchain.
Breakpoint 2023: tBTC comes to Solana
Discussions on the integration of tBTC, a decentralized Bitcoin, into the Solana ecosystem.
Breakpoint 2023: Payments on Solana, The Digital Commerce Revolution
Exploring the potential of Solana for revolutionizing digital payments and commerce.
Breakpoint 2023: Composable Privacy with Sandwiching
Exploring the innovation of 'sandwiching' for enhanced privacy in the blockchain through composable privacy.
Breakpoint 2023: Introducing the New Web3.js
Steven Luscher presents the new Web3.js with enhanced features and performance improvements.
Breakpoint 2023: The Creator Economy in Web3 vs. Web2
Exploring the challenges and opportunities for creators transitioning from Web2 to Web3 ecosystems.
- Our Validator
- Borrow / Lend
- Liquidity Pools
- Token Swaps & Trading
- Yield Farming
- Solana Explained
- Is Solana an Ethereum killer?
- Transaction Fees
- Why Is Solana Going Up?
- Solana's History
- What makes Solana Unique?
- What Is Solana?
- How To Buy Solana
- Solana's Best Projects: Dapps, Defi & NFTs
- Choosing The Best Solana Validator
- Staking Rewards Calculator
- Liquid Staking
- Can You Mine Solana?
- Solana Staking Pools
- Staking On Solana
- How To Unstake Solana
- How To Unstake Solana
- How validators earn
- Best Wallets For Solana