solana-vulnerability-scanner skill

This skill scans Solana programs for critical vulnerabilities, helping auditors detect issues like arbitrary CPI and PDA validation gaps quickly.

npx playbooks add skill plurigrid/asi --skill solana-vulnerability-scanner

File: SKILL.md (1.6 KB)
---
name: solana-vulnerability-scanner
description: Scans Solana programs for 6 critical vulnerabilities including arbitrary CPI, improper PDA validation, missing signer/ownership checks, and sysvar spoofing. Use when auditing Solana/Anchor programs. (project, gitignored)
category: building-secure-contracts
author: Trail of Bits
source: trailofbits/skills
license: AGPL-3.0
trit: -1
trit_label: MINUS
verified: true
featured: false
---

# Solana Vulnerability Scanner Skill

**Trit**: -1 (MINUS)
**Category**: building-secure-contracts
**Author**: Trail of Bits
**Source**: trailofbits/skills
**License**: AGPL-3.0

## Description

Scans Solana programs for 6 critical vulnerabilities including arbitrary CPI, improper PDA validation, missing signer/ownership checks, and sysvar spoofing. Use when auditing Solana/Anchor programs. (project, gitignored)

## When to Use

This is a Trail of Bits security skill. Refer to the original repository for detailed usage guidelines and examples.

See: https://github.com/trailofbits/skills

## Related Skills

- audit-context-building
- codeql
- semgrep
- variant-analysis


## SDF Interleaving

This skill connects to **Software Design for Flexibility** (Hanson & Sussman, 2021):

### Primary Chapter: 3. Variations on an Arithmetic Theme

**Concepts**: generic arithmetic, coercion, symbolic, numeric

### GF(3) Balanced Triad

```
solana-vulnerability-scanner (+) + SDF.Ch3 (○) + [balancer] (−) = 0
```

**Skill Trit**: 1 (PLUS - generation)


### Connection Pattern

Generic arithmetic crosses type boundaries. This skill handles heterogeneous data.

Overview

This skill scans Solana programs for a focused set of critical vulnerabilities to accelerate secure audits. It detects six high-risk issues including arbitrary CPI, improper PDA validation, missing signer or ownership checks, and sysvar spoofing. The tool is implemented in Python and is intended for use during code review or security assessments of Solana and Anchor programs. It produces actionable findings that map to concrete remediation steps.

How this skill works

The scanner analyzes program source and metadata to identify unsafe patterns and missing checks that commonly lead to exploits. It statically inspects call sites, account validation logic, PDA derivation and comparisons, and sysvar usage to flag deviations from best practices. Results include the vulnerable code location, a brief description of the issue, and pointers about the expected fix. The tool is designed to be integrated into an audit workflow and run locally against projects.

When to use it

  • During a security audit of Solana or Anchor programs to find high-impact issues quickly.
  • Before deployment to detect dangerous CPI patterns and account validation gaps.
  • When performing code review for third-party smart contracts or dependencies.
  • As part of a pre-release checklist to catch missed signer/ownership checks.
  • When validating changes that interact with sysvars or program-derived addresses.

Best practices

  • Run the scanner early and often; treat findings as a prioritized checklist for fixes.
  • Combine static results with manual review and dynamic testing for full coverage.
  • Verify PDA derivations and use exact byte comparisons rather than loose checks.
  • Ensure every cross-program invocation enforces caller intent and account ownership.
  • Confirm sysvar sources are read-only and validated against expected values.
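The static inspection described under "How this skill works" and the checks in the best-practice list above can be made concrete with a small scanner. The following is an added example, not the skill's own code: a hypothetical, name-based Python scanner that flags an account binding whose expected validation (signer flag, owner comparison, exact PDA key comparison, sysvar key comparison, CPI target key comparison) never appears in the handler body, run over two constructed handler bodies. The account-naming conventions and the regex checks are assumptions chosen for illustration.

```python
import re

# Hypothetical name-based heuristics in the spirit of the skill's checks (not its code).
BIND_RE = re.compile(r"let\s+(\w+)\s*=\s*(?:next_account_info\(|&accounts\[)")
KEY_CMP = r"(?:\*?\b{0}\.key\s*[!=]=|[!=]=\s*\*?\b{0}\.key\b)"  # exact pubkey comparison
SYSVARS = ("rent", "clock", "instructions_sysvar")  # assumed binding names for sysvars
SIGNERS = ("authority", "owner", "signer", "payer")  # assumed names that must sign

RULES = [  # (rule id, applies-to-account predicate, regex template that clears the rule)
    ("missing-signer-check", lambda n: n in SIGNERS, r"\b{0}\.is_signer\b"),
    ("missing-owner-check", lambda n: n.endswith("_account"), r"\b{0}\.owner\s*[!=]="),
    ("unverified-pda", lambda n: n.endswith("_pda"), KEY_CMP),
    ("sysvar-spoofing", lambda n: n in SYSVARS, KEY_CMP),
    ("arbitrary-cpi", lambda n: n.endswith("_program"), KEY_CMP),
]

def scan_handler(src: str) -> list[tuple[str, str]]:
    has_cpi = re.search(r"\binvoke(?:_signed)?\s*\(", src) is not None
    findings = []
    for name in dict.fromkeys(BIND_RE.findall(src)):  # first-seen order, no duplicates
        for rule, applies, check in RULES:
            if rule == "arbitrary-cpi" and not has_cpi:
                continue  # a program account that is never invoked is not a CPI target
            if applies(name) and not re.search(check.format(name), src):
                findings.append((rule, name))
    return findings

# Constructed handler bodies used as scanner input (not taken from any real program).
VULNERABLE = """
let authority = next_account_info(iter)?;
let config_account = next_account_info(iter)?;
let vault_pda = next_account_info(iter)?;
let rent = next_account_info(iter)?;
let token_program = next_account_info(iter)?;
invoke(&ix, &[vault_pda.clone(), token_program.clone()])?;
"""
HARDENED = """
let authority = next_account_info(iter)?;
if !authority.is_signer { return Err(ProgramError::MissingRequiredSignature); }
let config_account = next_account_info(iter)?;
if config_account.owner != program_id { return Err(ProgramError::IncorrectProgramId); }
let vault_pda = next_account_info(iter)?;
let (expected, _bump) = Pubkey::find_program_address(&[b"vault", authority.key.as_ref()], program_id);
if *vault_pda.key != expected { return Err(ProgramError::InvalidSeeds); }
let rent = next_account_info(iter)?;
if *rent.key != sysvar::rent::id() { return Err(ProgramError::InvalidArgument); }
let token_program = next_account_info(iter)?;
if *token_program.key != spl_token::id() { return Err(ProgramError::IncorrectProgramId); }
invoke(&ix, &[vault_pda.clone(), token_program.clone()])?;
"""
```

`scan_handler(VULNERABLE)` reports one finding per unvalidated account while `scan_handler(HARDENED)` reports none; a real scanner would parse the Rust AST rather than match names, but the set of checks it looks for is the same.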

Example use cases

  • Audit an Anchor program to ensure all account constraints and signer checks are enforced.
  • Scan a legacy Solana codebase to find missing ownership or signer validations introduced over time.
  • Validate third-party dependencies before integrating them into a larger protocol.
  • Run on pull requests to catch regressions that introduce arbitrary CPI or sysvar spoofing risks.
  • Prioritize remediation work by focusing on findings that enable unauthorized fund movements.

FAQ

Which vulnerabilities are covered?

The scanner targets six critical classes: arbitrary CPI, improper PDA validation, missing signer checks, missing ownership checks, sysvar spoofing, and related account-validation flaws.

Is this a substitute for a full audit?

No. It speeds up detection of common, high-risk issues but should be used alongside manual review, fuzzing, and formal audits for comprehensive assurance.