[Code] Add Common Exploits/Security Section #189
Comments
Sounds good. I really like how Armani laid out the sealevel attacks of This would probably be a new Reference titled
@jacobcreech Okay, you can create the project to-do card and assign it to me. I'll start working on this. Add any additional notes you might have if you want me to do anything a certain way; otherwise, I'll build it with what I believe is best from my point of view.
Having an OWASP Top 10 kind of security page is a nice little addition to the cookbook, and it would be helpful for people in the security field, e.g. bug bounty hunters/auditors. But the cookbook is meant for new developers, as building dapps can be done in different programming languages (Rust, Python, C/C++) or frameworks such as Anchor (I don't know if other frameworks exist; if they do, please let me know). Each language/framework has its own security risks and checks for identifying potential vulnerabilities. I would suggest creating guides for writing code securely for each language and framework, including checks, and setting up a guide for threat modeling their application: how to assess the risks based on the attack surface at entrypoints and CPIs. In addition to that, adding tutorials on how to set up a test environment locally using solana-test-validator or the PoC framework. To give you an idea of the output of the proposed addition, I am looking to build something like ConsenSys did for Ethereum contracts: https://consensys.github.io/smart-contract-best-practices. Because there are no open-source tools for security testing of Solana contracts, I hope this guide would act as a base to build such tools for the Solana environment (mostly referring to SAST or fuzzing).
@chhajershrenik This would be awesome to have for Solana. A guide is a great place for it. Let's see it built out!
@jacobcreech Quick question: I just wanted to know whether this repo is completely community driven or managed by Solana Labs, because I want to make sure that the security documentation catches up with the current documentation. For example, it does not make sense to include Python examples right now, as the cookbook is still developing in that aspect. I would create a project outline for the documentation I proposed, and then we can start building it out and release it as the documentation evolves. I would also appreciate any assistance in collecting documentation regarding security vulnerabilities that are currently being actively exploited.
@chhajershrenik Ideally I want this repo community driven long term, but I currently have no community maintainers. For now it is just me, and I work at Labs. There's some great information on security issues by
Might be useful to:
A) have a new page/section for common exploits in programs and code snippets for how they’re fixed
B) have a new page/section for program security as a whole which would include common exploits and code snippets for fixing them
C) have common exploits displayed with their use case, such as listing the common exploits that involve accounts on the Accounts page, etc.
An example of a common exploit might be forgetting to validate account ownership, etc.
Side note: in the contribution doc, contribution rewards section, "contributed" and "exclusive" are spelled wrong.
If we decide we want to implement any of these options I’m happy to get started myself, or someone else can take it up if they’d like.
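The account-ownership mistake named above, shown as an added example that is not part of the cookbook or of anyone's comment in this thread. To run stand-alone it uses a toy `Pubkey`/`AccountInfo` stand-in instead of the `solana_program` crate (the field names mirror the real types, but the structs, the `Config` layout and all pubkeys here are constructed for illustration). The vulnerable function trusts whatever account the caller labels "config"; the fixed one first requires that the account's `owner` is the program itself, which is the only way to know the program wrote those bytes.

```rust
// Added example, not cookbook code. Toy stand-ins for solana_program types
// so the owner check can be exercised without the crate (assumption).
#[derive(Debug, Clone, PartialEq, Eq)]
pub struct Pubkey(pub [u8; 32]);

/// Mirrors the fields of solana_program::account_info::AccountInfo that matter here.
pub struct AccountInfo {
    pub key: Pubkey,
    pub owner: Pubkey, // program that owns this account; only it can write the data
    pub data: Vec<u8>,
}

#[derive(Debug, PartialEq, Eq)]
pub enum ProgramError {
    IncorrectProgramId,
    InvalidAccountData,
}

/// Hypothetical config account layout: 32 bytes holding the admin pubkey.
pub struct Config {
    pub admin: Pubkey,
}

impl Config {
    fn unpack(data: &[u8]) -> Result<Config, ProgramError> {
        if data.len() != 32 {
            return Err(ProgramError::InvalidAccountData);
        }
        let mut k = [0u8; 32];
        k.copy_from_slice(data);
        Ok(Config { admin: Pubkey(k) })
    }
}

/// VULNERABLE: deserializes the passed-in account without checking who owns it.
/// Anyone can create an account with the same 32-byte layout (owned by the
/// system program or by their own program) and name themselves admin.
pub fn is_admin_unchecked(config_acc: &AccountInfo, signer: &Pubkey) -> Result<bool, ProgramError> {
    let cfg = Config::unpack(&config_acc.data)?;
    Ok(&cfg.admin == signer)
}

/// FIXED: the config account must be owned by this program before its data
/// is trusted. In a real program this is `account.owner != program_id`.
pub fn is_admin_checked(
    program_id: &Pubkey,
    config_acc: &AccountInfo,
    signer: &Pubkey,
) -> Result<bool, ProgramError> {
    if &config_acc.owner != program_id {
        return Err(ProgramError::IncorrectProgramId);
    }
    let cfg = Config::unpack(&config_acc.data)?;
    Ok(&cfg.admin == signer)
}

/// Builds the constructed scenario: the real config (owned by our program,
/// admin = real_admin) and a forged config (owned by the system program,
/// admin = attacker). Returns (unchecked, checked) results for the attacker
/// presenting the forged account.
pub fn forged_config_attempt() -> (Result<bool, ProgramError>, Result<bool, ProgramError>) {
    let program_id = Pubkey([7u8; 32]); // constructed program id
    let system_program = Pubkey([0u8; 32]); // all-zero key, as on Solana
    let attacker = Pubkey([0xAAu8; 32]);

    // Account the attacker created and filled with their own pubkey.
    let forged = AccountInfo {
        key: Pubkey([0xBBu8; 32]),
        owner: system_program,
        data: attacker.0.to_vec(),
    };

    (
        is_admin_unchecked(&forged, &attacker),
        is_admin_checked(&program_id, &forged, &attacker),
    )
}

/// The legitimate path: the real config account, owned by the program.
pub fn legit_admin_check(signer: &Pubkey) -> Result<bool, ProgramError> {
    let program_id = Pubkey([7u8; 32]);
    let real_admin = Pubkey([0x11u8; 32]);
    let config = AccountInfo {
        key: Pubkey([0x22u8; 32]),
        owner: program_id.clone(),
        data: real_admin.0.to_vec(),
    };
    is_admin_checked(&program_id, &config, signer)
}

fn main() {
    let (unchecked, checked) = forged_config_attempt();
    println!("forged config, no owner check: {:?}", unchecked);
    println!("forged config, with owner check: {:?}", checked);
    println!("real admin via checked path: {:?}", legit_admin_check(&Pubkey([0x11u8; 32])));
}
```

On the real `solana_program::account_info::AccountInfo` the same guard is `if account.owner != program_id { return Err(ProgramError::IncorrectProgramId.into()); }`; Anchor's `Account<'info, T>` wrapper performs that owner comparison for you when it deserializes the account, which is why the framework column of the proposed guide can point at the wrapper instead of a hand-written check.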