Which Solana vulnerabilities does this skill detect?

It scans for six critical patterns: Arbitrary CPI, improper PDA validation, missing ownership checks, missing signer checks, sysvar account spoofing, and improper instruction introspection.

How does it provide remediation advice?

For every vulnerability found, the skill provides a detailed report including the vulnerable code location, an attack scenario, and a recommended secure code implementation.

Does it support the Anchor framework?

Yes, the scanner is specifically designed to work with both native Solana programs written in Rust and programs built using the Anchor framework.

Can I use this for pre-launch security audits?

Absolutely. It is an ideal tool for developers and auditors to perform systematic security sweeps of their codebase before deploying to the Solana mainnet.

Solana Vulnerability Scanner

Name: Solana Vulnerability Scanner
Author: trailofbits

bytrailofbits

•

2,992

•

Security & Testing

Scans Solana and Anchor programs for critical security vulnerabilities including arbitrary CPI, improper PDA validation, and missing signer checks.

The Solana Vulnerability Scanner is a specialized security tool designed to systematically audit Solana programs, whether written in native Rust or using the Anchor framework. By encoding patterns for six critical, platform-specific vulnerability types—including cross-program invocation (CPI) security, program-derived address (PDA) validation, and account ownership checks—it provides developers with automated security research capabilities. It is particularly useful during pre-launch assessments or code reviews to ensure protocols adhere to Solana's unique account model and security best practices, helping prevent high-severity exploits before deployment.

Key Features

01Provides actionable remediation steps and secure code examples for identified issues

022,992 GitHub stars

03Detects arbitrary CPI vulnerabilities where program IDs are unchecked

04Identifies missing signer and ownership checks in account validation logic

05Validates Program-Derived Address (PDA) implementations for canonical bumps

06Scans for sysvar account spoofing and improper instruction introspection

Use Cases

01Code review automation for verifying cross-program invocation (CPI) logic

02Pre-deployment vulnerability scanning for decentralized finance (DeFi) protocols

03Security auditing of native Rust and Anchor-based Solana programs

What are Skills?·How to Install

Install with 🐟 Skill.Fish

npx skillfish add trailofbits/skills solana-vulnerability-scanner

For use in Claude.ai and ChatGPT

Download Skill