Breakpoint 2024: Technical Talk: Fuzzing Comes to Solana (Viktor Fischer)
Learn about Trident, the new open-source fuzzing tool for Solana, and how it's revolutionizing smart contract security
In a groundbreaking presentation at Breakpoint 2024, Viktor Fischer unveiled Trident, the first open-source fuzzing tool for Solana. This innovative security measure is set to revolutionize smart contract development and fortify the Solana ecosystem against potential hacks.
Summary
Viktor Fischer, a long-standing member of the Solana ecosystem since 2018, introduced Trident, an open-source fuzzing tool developed by Aki, a company he co-founded. Fuzzing is a dynamic testing method that generates random inputs to identify vulnerabilities in code. While common in Web2 and Ethereum environments, Trident is the first of its kind for Solana.
The presentation highlighted the growing need for advanced security measures in the Solana ecosystem. With blockchain hacks becoming increasingly prevalent and Solana's expanding value proposition, tools like Trident are crucial for preemptive security testing. Fischer demonstrated how Trident works, emphasizing its user-friendly nature and the importance of incorporating fuzzing into the development process.
Fischer also shared insights about Aki, the company behind Trident. Aki not only develops security tools but also runs programming and auditing schools for Solana, contributing significantly to the ecosystem's growth and security. The presentation underscored the importance of good code quality, proper testing, and the use of fuzzing before seeking expensive audits.
Key Points:
Introduction to Fuzzing and Trident
Fuzzing is a dynamic testing method that compiles code and generates random inputs to test it over thousands or millions of iterations. Trident, developed by Aki, is the first open-source fuzzing tool specifically designed for Solana. This tool is crucial as the value locked in Solana's ecosystem grows, potentially attracting more hacking attempts.
Fuzzing is already widely used in Web2 and Ethereum environments, with tools like Echidna, Foundry, Medusa, and Wake. Trident brings this essential security practice to Solana, allowing developers to continuously test their smart contracts for vulnerabilities.
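The loop described above (random inputs, many iterations, a property checked after each step) is shown here as an added example in plain Rust; it is not code from the talk and does not use Trident's API. The toy Vault program, the Ix instructions, the Rng generator and the fuzz function are all hypothetical names, and the withdraw bug is planted on purpose so the unpatched and patched behaviour can be compared.

```rust
// Added example: a toy vault, not Trident code and not a real Solana program.
struct Vault { balances: [u64; 2], total: u64, patched: bool }
#[derive(Debug, Clone, Copy)]
enum Ix { Deposit { user: usize, amount: u64 }, Withdraw { user: usize, amount: u64 } }
impl Vault {
    fn process(&mut self, ix: Ix) -> Result<(), &'static str> {
        match ix {
            Ix::Deposit { user, amount } => {
                let bal = self.balances[user].checked_add(amount).ok_or("overflow")?;
                self.total = self.total.checked_add(amount).ok_or("overflow")?;
                self.balances[user] = bal;
            }
            Ix::Withdraw { user, amount } => {
                // Planted bug: the unpatched path checks the pooled total, not the caller's balance.
                let limit = if self.patched { self.balances[user] } else { self.total };
                if amount > limit { return Err("insufficient funds"); }
                self.balances[user] = self.balances[user].saturating_sub(amount);
                self.total -= amount;
            }
        }
        Ok(())
    }
    // Invariant under test: the vault holds exactly what it owes its users.
    fn solvent(&self) -> bool {
        self.balances.iter().map(|&b| b as u128).sum::<u128>() == self.total as u128
    }
}
// Small xorshift64 generator so the example needs no external crates; the seed must be non-zero.
struct Rng(u64);
impl Rng { fn next(&mut self) -> u64 { self.0 ^= self.0 << 13; self.0 ^= self.0 >> 7; self.0 ^= self.0 << 17; self.0 >> 32 } }
// Runs `iterations` random 8-instruction sequences; returns the first trace that breaks the invariant.
fn fuzz(seed: u64, iterations: u32, patched: bool) -> Option<Vec<Ix>> {
    let mut rng = Rng(seed);
    for _ in 0..iterations {
        let (mut vault, mut trace) = (Vault { balances: [0; 2], total: 0, patched }, Vec::new());
        for _ in 0..8 {
            let (user, amount) = ((rng.next() % 2) as usize, rng.next() % 1_000);
            let ix = if rng.next() % 2 == 0 { Ix::Deposit { user, amount } } else { Ix::Withdraw { user, amount } };
            let _ = vault.process(ix); // a rejected instruction is fine; a broken invariant is not
            trace.push(ix);
            if !vault.solvent() { return Some(trace); }
        }
    }
    None
}
fn main() {
    println!("unpatched: {:?}", fuzz(0x5EED, 10_000, false));
    println!("patched:   {:?}", fuzz(0x5EED, 10_000, true));
}
```

The returned trace is the sequence of instructions that led to the broken invariant, which is the kind of feedback a developer needs to locate and fix the faulty check.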
Aki: The Company Behind Trident
Aki was founded in 2021 by Viktor Fischer and his business partner, Tushan. The company emerged from a collaboration with professors at the Czech Technical University, leveraging the country's rich history in antivirus software development. Aki has since grown to a team of 20 people and focuses on three main areas: smart contract auditing, running programming and auditing schools for Solana, and developing open-source auditing tools like Trident.
Aki has conducted 134 audits for around 40 clients, including prominent projects in both Solana and EVM ecosystems. Their educational initiatives have seen significant success, with over 3,400 applicants to their programs and 150 graduates from their Solana programming schools.
Importance of Fuzzing in Blockchain Security
Fischer emphasized the growing importance of security measures like fuzzing in the blockchain space. While Ethereum-based chains have seen the majority of hacks (around $8 billion), Solana has also experienced significant losses (about $1 billion). As Solana's ecosystem continues to grow and provide more value, the risk of hacks is likely to increase.
Fuzzing provides a proactive approach to security, allowing developers to identify and fix vulnerabilities before they can be exploited. By integrating fuzzing into the development process, projects can significantly enhance their security posture and protect user funds.
Implementing Trident in Development Workflow
Fischer provided a step-by-step demonstration of how to use Trident in a development workflow. He emphasized that while fuzzing is a powerful tool, it works best when combined with other best practices. These include maintaining good code quality, using the Anchor framework, conducting peer reviews, writing well-documented and structured code, and implementing thorough unit and integration tests.
The presentation showed how to set up Trident, configure it, and run fuzz tests on a simple "Hello World" program. Fischer highlighted the tool's ability to identify issues and provide detailed feedback, allowing developers to quickly locate and fix vulnerabilities in their code.
Facts + Figures
- Aki has conducted 134 audits for around 40 clients in both Solana and EVM ecosystems
- Aki's educational programs have had over 3,400 applicants
- 150 students have graduated from Aki's Solana programming schools
- The current auditor's bootcamp has 750 students enrolled
- Approximately $10 billion worth of crypto has been hacked across all blockchains
- Solana accounts for about $1 billion (13%) of all blockchain hacks
- Trident has been in development for three years and was launched in May 2024
- Wake, Aki's fuzzing tool for EVM, already protects around $30 billion of Total Value Locked (TVL)
- Wake discovered a medium severity bug in Lido, a protocol with $10 billion TVL
Top quotes
- "Fuzzing is basically a software tool which is dynamically testing your code."
- "We think as we provide more value on Solana, this [hacking risk] will increase."
- "Fuzzing is actually useful. Lido, XLR, safe, they use fuzzing constantly."
- "You cannot just fuzz your code if it's not very well written."
- "Please do the fuzzing before the hackers do of your code."
Questions Answered
What is fuzzing and why is it important for Solana?
Fuzzing is a dynamic testing method that generates random inputs to test code for vulnerabilities. It's important for Solana because as the ecosystem grows and provides more value, it becomes a more attractive target for hackers. Fuzzing allows developers to proactively identify and fix potential security issues before they can be exploited, thereby enhancing the overall security of Solana-based projects.
What is Trident and who developed it?
Trident is the first open-source fuzzing tool specifically designed for Solana. It was developed by Aki, a company co-founded by Viktor Fischer and his partner Tushan. Aki is a smart contract auditing firm that also runs programming and auditing schools for Solana. Trident is the result of three years of development and was launched in May 2024.
How does Trident compare to fuzzing tools for other blockchains?
Trident is unique in that it's the first open-source fuzzing tool specifically for Solana. Other blockchains, particularly Ethereum-based ones, have several fuzzing tools available such as Echidna, Foundry, Medusa, and Wake. Trident brings this essential security practice to the Solana ecosystem, allowing developers to perform thorough security testing that was previously only available for other blockchain environments.
How can developers start using Trident?
Developers can start using Trident by following a few steps: First, they should watch instructional videos and read the documentation available on the Aki GitHub repository. They can then download Trident and start experimenting with it in their development environment. Fischer recommends joining the dedicated Telegram group "Aki Breakpoint Fuzzing with Trident" for support and to ask questions. The tool is designed to be user-friendly and can be integrated into existing development workflows.
What are the best practices for using fuzzing in smart contract development?
While fuzzing is a powerful tool, it's most effective when combined with other best practices. Developers should maintain good code quality, use frameworks like Anchor, conduct peer reviews, write well-documented and structured code, and implement thorough unit and integration tests. Fuzzing should be used as part of this comprehensive approach to security, ideally before seeking expensive external audits.