A comprehensive guide to common vulnerabilities in Rust-based smart contracts, designed specifically for auditors and security researchers.
This repository provides examples, explanations, and detection techniques for various vulnerabilities commonly found in Rust-based smart contracts, particularly those deployed on platforms such as Solana, NEAR, and other blockchains supporting Rust-based contracts.
Each vulnerability is explained with:
- Detailed description and impact
- Vulnerable code examples
- Secure code alternatives
- Detection methodologies
- Real-world examples (where applicable)
-
Reentrancy
- Cross-program invocation vulnerabilities
- How they differ from Ethereum's reentrancy issues
-
Integer Overflow/Underflow
- Arithmetic operation safety
- Rust's handling vs. explicit checks
-
Unchecked Inputs
- Missing validation
- Deserialization vulnerabilities
-
Oracle Manipulation
- Price oracle vulnerabilities
- Data feed tampering
-
Access Control
- Privilege escalation
- Missing authorization checks
-
Denial of Service
- Resource exhaustion
- Logic-based DoS
-
Illicit Fee Collection
- Fee redirection
- Hidden fee structures
-
Flash Loan Attacks
- Temporary asset control exploitation
- Market manipulation
-
Logic Errors
- Incorrect state transitions
- Business logic flaws
-
Random Number Manipulation
- Predictable randomness
- Seed manipulation
-
Signature Verification Bypass
- Improper signature validation
- Replay attack vulnerabilities
-
Account Confusion
- Incorrect account validation
- Cross-instance attacks on Solana
-
Front-Running
- Transaction ordering exploitation
- MEV vulnerabilities in Rust contexts
-
Inadequate Event Emissions
- Missing critical events for off-chain monitoring
- Insufficient logging for security audit trails
-
Storage/Account Management
- Memory safety issues specific to blockchain contexts
- Account data validation failures
The repository is structured to allow easy navigation between vulnerability types. Each vulnerability has:
- Explanatory documentation in markdown
- Code examples showing both vulnerable and secure implementations
- Test cases demonstrating exploitation and mitigation
- Account validation issues
- Cross-Program Invocation (CPI) security concerns
- PDAs and bump seeds validation
- Instruction data validation
- Compute budget considerations
- Cross-contract call vulnerabilities
- Storage management issues
- Gas efficiency concerns
- Promise chain vulnerabilities
- Message passing vulnerabilities
- State management issues
- Contract migration risks
- Runtime module interactions
- Governance mechanism vulnerabilities
- Parachain-specific concerns
This repository includes several tools to enhance the learning experience:
- Vulnerability Scanner CLI: A command-line tool that can scan Rust smart contract code for potential security issues.
- Exploitation Sandbox: Interactive examples where you can safely experiment with exploiting vulnerabilities.
- Security Checklist Generator: Creates a tailored security checklist based on your project's characteristics.
We provide comprehensive security checklists for auditors reviewing Rust smart contracts:
- General Rust Smart Contract Checklist: Universal security considerations for all Rust-based smart contracts
- Solana-Specific Checklist: Focusing on Account validation, PDAs, and CPIs
- NEAR-Specific Checklist: Addressing cross-contract calls and storage concerns
- Audit Preparation Checklist: How to prepare a Rust smart contract codebase for a security audit
Learn from historical vulnerabilities discovered in production systems:
- Case Study 1: Cross-program invocation vulnerability in a Solana protocol
- Case Study 2: Integer overflow exploit in a NEAR application
- Case Study 3: Access control bypass in a CosmWasm contract
- Case Study 4: Logic error in a high-value DeFi application
This repository serves as both a reference and a training tool for auditors specializing in Rust-based smart contracts. We recommend:
- Start by understanding the fundamental differences between Rust smart contracts and those written in other languages like Solidity
- Review each vulnerability type and understand its specific manifestation in Rust
- Use the test cases to practice identifying these vulnerabilities
- Contribute your findings and improvements
Contributions are welcome! Please see CONTRIBUTING.md for guidelines.
This project is licensed under the MIT License - see the LICENSE file for details.
The code examples in this repository demonstrate vulnerabilities for educational purposes. They should not be used in production environments.
Example 1 - CWE-285:Improper Authorization (Not supported)
- Source: Line 114
- Sink: Line 122
Example 2 - CWE-285:Improper Authorization (Not supported)
- Source: Line 128
- Sink: Line 146
Example 3 - CWE-285:Improper Authorization (Not supported)
- Source: Line 152
- Sink: Line 170
Example 1 - CWE-285:Improper Authorization (Not supported)
- Source: Line 133
- Sink: Line 159
Example 1 - CWE-400:Uncontrolled Resource Consumption (Not supported)
- Source: Line 111
- Sink: Line 127
Example 2 - CWE-400:Uncontrolled Resource Consumption (Not supported)
- Source: Line 111
- Sink: Line 131
Example 3 - CWE-400:Uncontrolled Resource Consumption (Not supported)
- Source: Line 137
- Sink: Line 151
Example 1 - CWE-841:Improper Enforcement of Behavioral Workflow (Not supported)
- Source: Line 181
- Sink: Line 206
Example 2 - CWE-345:Insufficient Verification of Data Authenticity (Not supported)
- Source: Line 220
- Sink: Line 227
Example 1 - CWE-359:Exposure of Private Personal Information to an Unauthorized Actor (Not supported)
- Source: Line 138
- Sink: Line 164
Example 1 - CWE-285:Improper Authorization (Not supported)
- Source: Line 133
- Sink: Line 141
Example 2 - CWE-1284:Improper Validation of Specified Quantity in Input (Not supported)
- Source: Line 147
- Sink: Line 159
Example 3 - CWE-1284:Improper Validation of Specified Quantity in Input (Not supported)
- Source: Line 165
- Sink: Line 195
Example 1 - CWE-778:Insufficient Logging (Not supported)
- Source: Line 124
- Sink: Line 131
Example 2 - CWE-778:Insufficient Logging (Not supported)
- Source: Line 137
- Sink: Line 149
Example 1 - CWE-703:Improper Check or Handling of Exceptional Conditions (Not supported)
- Source: Line 152
- Sink: Line 166
Example 2 - CWE-754:Improper Check for Unusual or Exceptional Conditions (Not supported)
- Source: Line 172
- Sink: Line 198
Example 3 - CWE-440:Expected Behavior Violation (Not supported)
- Source: Line 205
- Sink: Line 218
Example 4 - CWE-754:Improper Check for Unusual or Exceptional Conditions (Not supported)
- Source: Line 205
- Sink: Line 227
Example 5 - CWE-705:Incorrect Control Flow Scoping (Not supported)
- Source: Line 237
- Sink: Line 262
Example 1 - CWE-345:Insufficient Verification of Data Authenticity (Not supported)
- Source: Line 144
- Sink: Line 152
Example 1 - CWE-190:Integer Overflow or Wraparound (Not supported) - We could implement coverage for CWE-190.
- Source: Line 99
- Sink: Line 104
Example 2 - CWE-191:Integer Underflow (Wrap or Wraparound) (Not supported) - We could implement coverage for CWE-191.
- Source: Line 110
- Sink: Line 125
Example 1 - CWE-330:Use of Insufficiently Random Values (Not supported)
- Source/Sink: Line 164
Example 2 - CWE-330:Use of Insufficiently Random Values (Not supported)
- Source: Line 177
- Sink: Line 184
Example 3 - CWE-330:Use of Insufficiently Random Values (Not supported)
- Source: Line 211
- Sink: Line 216
Example 1 - CWE-696:Incorrect Behavior Order (Not supported)
- Source: Line 97
- Sink: Line 112
Example 1 - CWE-345:Insufficient Verification of Data Authenticity (Not supported)
- Source: Line 103
- Sink: Line 120
Example 1 - CWE-1284:Improper Validation of Specified Quantity in Input (Not supported)
- Source: Line 152
- Sink: Line 196
Example 2 - CWE-1284:Improper Validation of Specified Quantity in Input (Not supported)
- Source: Line 176
- Sink: Line 186
Example 1 - CWE-20:Improper Input Validation (Not supported)
- Source: Line 99
- Sink: Line 116
Example 2 - CWE-20:Improper Input Validation (Not supported)
- Source: Line 129
- Sink: Line 140