Resources

People often ask me "How did you learn how to hack?" The answer: by reading. This page is a collection of the blog posts and other articles that I have accumulated over the years of my journey. Enjoy!

External calls are dangerous- 1835

Alex Lazar, posted 3 months ago
  • In both EVM and Solana programs, a common security issue is failing to validate external calls properly. This can lead to DoS issues, reentrancy, or loss-of-funds bugs. This article has a list of 7 issues to consider.
  • There are many ways that calls can fail. "If you don't know how it can fail, you don't know enough" is a great title for this section. In EVM, contracts without receive() cannot receive ETH. In Solana, there are multiple ways this can happen, which were already documented in another post. Apparently, ATA creation in Solana fails if the associated token account already exists.
  • In EVM, gas griefing can be used to make the main function succeed while its external calls fail. If those errors are not handled correctly, partial state updates can occur. This isn't possible in Solana, because the runtime always rolls back the whole transaction on error.
  • In EVM, reentrancy is really the result of bad validation of the state and the caller. Sometimes you do need to make calls to an arbitrary callee, though. Solana doesn't have this specific issue, but it DOES have issues with account reloading. In Solana, once an account has been loaded in an instruction, it is not automatically reloaded after a CPI. So, if the CPI changes the account data, you will be left working with stale data.
  • The final bug is the dreaded arbitrary CPI in Solana. This is when the address of the program being invoked via CPI is not properly validated. I've talked a lot about this here already. It can be used to skip function calls, such as token transfers, or to abuse permissions. Regardless, it can be very bad.
  • Overall, an interesting piece of literature. Most posts are very focused on one specific set of technology; I enjoy the back and forth between EVM and Solana. It's good to have this stuff documented!
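To make the account-reloading point above concrete, here is an added example (not code from the article or from Alex Lazar) in plain Rust that simulates the hazard without the Solana SDK: the account's bytes are shared with the "runtime", the handler deserializes a copy at instruction entry, a stand-in CPI writes through the shared bytes, and the handler then either keeps using its stale copy (clobbering the callee's write) or re-reads the bytes first, which is what Anchor's `reload()` does for an `Account`. The `AccountInfo`, `Vault`, `cpi_withdraw` and handler names are constructed for this illustration.

```rust
use std::cell::RefCell;
use std::rc::Rc;

/// Constructed stand-in for a Solana account: raw bytes shared with the runtime
/// and with every program that touches the account during the transaction.
struct AccountInfo {
    data: Rc<RefCell<Vec<u8>>>,
}

/// Deserialized view of the account, analogous to an Anchor `Account<'info, Vault>`.
/// It is a copy taken at load time, not a live reference to the bytes.
#[derive(Debug)]
struct Vault {
    balance: u64,
}

impl Vault {
    /// Deserialize the first 8 bytes as a little-endian u64 balance.
    fn load(info: &AccountInfo) -> Vault {
        let bytes = info.data.borrow();
        let mut b = [0u8; 8];
        b.copy_from_slice(&bytes[..8]);
        Vault { balance: u64::from_le_bytes(b) }
    }

    /// Serialize the view back into the shared bytes (what happens at instruction exit).
    fn save(&self, info: &AccountInfo) {
        let mut bytes = info.data.borrow_mut();
        bytes[..8].copy_from_slice(&self.balance.to_le_bytes());
    }
}

/// Stand-in for a CPI into a callee program that debits the vault by `amount`.
/// Like a real CPI, it writes straight through the shared account bytes.
fn cpi_withdraw(info: &AccountInfo, amount: u64) -> Result<(), String> {
    let mut v = Vault::load(info);
    v.balance = v.balance.checked_sub(amount).ok_or("insufficient balance")?;
    v.save(info);
    Ok(())
}

/// Buggy handler: keeps using the pre-CPI copy after the CPI. The fee is computed on
/// stale data and the final save overwrites the callee's debit. Returns the persisted balance.
fn handler_stale(info: &AccountInfo, amount: u64, fee: u64) -> Result<u64, String> {
    let mut vault = Vault::load(info); // loaded once at instruction entry
    cpi_withdraw(info, amount)?;       // callee mutates the underlying bytes
    // `vault.balance` still holds the pre-CPI value here.
    vault.balance = vault.balance.checked_sub(fee).ok_or("insufficient balance")?;
    vault.save(info);                  // clobbers the callee's write
    Ok(Vault::load(info).balance)
}

/// Fixed handler: re-deserialize from the account bytes after the CPI before using the view.
fn handler_reload(info: &AccountInfo, amount: u64, fee: u64) -> Result<u64, String> {
    let mut vault = Vault::load(info);
    cpi_withdraw(info, amount)?;
    vault = Vault::load(info);         // reload: pick up the callee's write
    vault.balance = vault.balance.checked_sub(fee).ok_or("insufficient balance")?;
    vault.save(info);
    Ok(Vault::load(info).balance)
}

/// Build a constructed vault account holding `balance`.
fn new_vault(balance: u64) -> AccountInfo {
    let mut data = vec![0u8; 8];
    data[..8].copy_from_slice(&balance.to_le_bytes());
    AccountInfo { data: Rc::new(RefCell::new(data)) }
}

fn main() {
    // Start at 100, CPI withdraws 60, handler charges a fee of 10.
    println!("stale:  {:?}", handler_stale(&new_vault(100), 60, 10));  // Ok(90): the 60 vanished
    println!("reload: {:?}", handler_reload(&new_vault(100), 60, 10)); // Ok(30): correct
}
```

The stale handler ends with 90 because its copy never saw the debit, so the withdrawal is silently undone when the view is written back; the reloading handler ends with 30. Reading any field of the view after a CPI without reloading is the pattern to look for in review.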