Defying the Odds: Solana's Unexpected Resilience in Spite of the Security Challenges Faced by Developers

TL;DR

This study investigates Solana's smart contract security, revealing developers' challenges, vulnerability detection gaps, and the ecosystem's surprising resilience due to frameworks like Anchor, despite prevalent security concerns.

Contribution

First comprehensive analysis of Solana smart contract security challenges, developer practices, and ecosystem resilience, highlighting the role of frameworks like Anchor in enhancing security.

Findings

Developers often miss critical vulnerabilities during code reviews.

Majority of developers are likely to release vulnerable contracts.

Automated analysis shows low vulnerability prevalence in deployed contracts.

Abstract

Solana gained considerable attention as one of the most popular blockchain platforms for deploying decentralized applications. Compared to Ethereum, however, we observe a lack of research on how Solana smart contract developers handle security, what challenges they encounter, and how this affects the overall security of the ecosystem. To address this, we conducted the first comprehensive study on the Solana platform consisting of a 90-minute Solana smart contract code review task with 35 participants followed by interviews with a subset of seven participants. Our study shows, quite alarmingly, that none of the participants could detect all important security vulnerabilities in a code review task and that 83% of the participants are likely to release vulnerable smart contracts. Our study also sheds light on the root causes of developers' challenges with Solana smart contract development, suggesting the need for better security guidance and resources. In spite of these challenges, our automated analysis on currently deployed Solana smart contracts surprisingly suggests that the prevalence of vulnerabilities - especially those pointed out as the most challenging in our developer study - is below 0.3%. We explore the causes of this counter-intuitive resilience and show that frameworks, such as Anchor, are aiding Solana developers in deploying secure contracts.