Defying the Odds: Solana's Unexpected Resilience in Spite of the Security Challenges Faced by Developers
Sébastien Andreina, Tobias Cloosters, Lucas Davi, Jens-Rene Giesen, Marco Gutfleisch, Ghassan Karame, Alena Naiakshina, Houda Naji
2024-06-19
Abstract: Solana gained considerable attention as one of the most popular blockchain platforms for deploying decentralized applications. Compared to Ethereum, however, we observe a lack of research on how Solana smart contract developers handle security, what challenges they encounter, and how this affects the overall security of the ecosystem. To address this, we conducted the first comprehensive study on the Solana platform consisting of a 90-minute Solana smart contract code review task with 35 participants followed by interviews with a subset of seven participants. Our study shows, quite alarmingly, that none of the participants could detect all important security vulnerabilities in a code review task and that 83% of the participants are likely to release vulnerable smart contracts. Our study also sheds light on the root causes of developers' challenges with Solana smart contract development, suggesting the need for better security guidance and resources. In spite of these challenges, our automated analysis on currently deployed Solana smart contracts surprisingly suggests that the prevalence of vulnerabilities - especially those pointed out as the most challenging in our developer study - is below 0.3%. We explore the causes of this counter-intuitive resilience and show that frameworks, such as Anchor, are aiding Solana developers in deploying secure contracts.
Cryptography and Security
What problem does this paper attempt to address?
The paper aims to explore and address the security challenges faced by Solana smart contract developers during the development process, and how these challenges impact the overall security of the Solana ecosystem. Specifically, the paper focuses on the following research questions:
1. **RQ1: Are Solana smart contract developers able to identify major security vulnerabilities in smart contracts?**
- Through a code review task involving 35 participants and follow-up interviews with 7 of them, the paper finds that none of the participants were able to identify all significant security vulnerabilities in the code review task. This indicates that even if developers believe they are capable of handling these issues, they may not be able to fully identify and fix these vulnerabilities in practice.
2. **RQ2: What challenges do developers face when developing secure smart contracts?**
- The study shows that the main challenges developers face include a lack of qualified Solana developers, insufficient documentation, inadequate code review, auditing, and testing, as well as the complexity of the Rust language. These factors lead developers to rely on frameworks like Anchor to assist in development.
3. **RQ3: Given these challenges, are vulnerabilities prevalent in Solana smart contracts?**
- Despite the difficulties developers face in identifying and addressing security vulnerabilities, the paper's automated analysis of currently deployed Solana smart contracts finds that the actual proportion of vulnerable contracts is very low, especially for the vulnerability classes that participants in the developer study found most challenging. For example, the proportion of arbitrary cross-program invocation (ACPI) vulnerabilities detected through symbolic execution is only 0.2%.
**Main Contributions of the Paper:**
- **First Comprehensive Study**: This is the first comprehensive study on the Solana platform, revealing the specific challenges developers face in dealing with security issues.
- **Counter-intuitive Results**: Despite the apparent shortcomings of developers in identifying and addressing security vulnerabilities, the proportion of vulnerabilities in actually deployed smart contracts is relatively low. This suggests that frameworks like Anchor play a significant role in enhancing the security of Solana smart contracts.
- **Importance of Frameworks**: The study highlights the critical role of frameworks (such as Anchor) in helping developers write secure smart contracts and suggests further research into these tools to improve the security of the entire ecosystem.
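As an added illustration of the ACPI vulnerability class referred to under RQ3, and of the kind of program-id check that Anchor enforces, the following is a minimal Rust model of an instruction handler that dispatches a cross-program invocation to an account supplied by the transaction. This is constructed example code, not from the paper or the Solana SDK; `Pubkey`, `AccountInfo`, `ProgramError` and `TOKEN_PROGRAM_ID` are simplified stand-ins for the real types and constants.

```rust
// Simplified model of a Solana instruction handler (constructed; not the
// paper's code and not the solana_program crate). In Solana, the target of a
// CPI is just another account in the transaction, so a handler that does not
// pin the expected program id will invoke whatever program the caller supplied.
#[derive(Clone, Copy, PartialEq, Eq, Debug)]
pub struct Pubkey(pub [u8; 32]);

#[derive(Clone, Debug)]
pub struct AccountInfo {
    pub key: Pubkey,
    pub executable: bool,
}

#[derive(Debug, PartialEq, Eq)]
pub enum ProgramError {
    NotEnoughAccountKeys,
    IncorrectProgramId,
    NotExecutable,
}

/// Stand-in for the real SPL token program id (assumed constant for the model).
pub const TOKEN_PROGRAM_ID: Pubkey = Pubkey([0x11; 32]);

/// Models `invoke`: returns the id of the program the CPI was dispatched to.
fn invoke_transfer(target: &AccountInfo) -> Pubkey {
    target.key
}

/// Vulnerable (ACPI): trusts whatever program the transaction placed at
/// accounts[2] and forwards the transfer to it.
pub fn process_vulnerable(accounts: &[AccountInfo]) -> Result<Pubkey, ProgramError> {
    let token_program = accounts.get(2).ok_or(ProgramError::NotEnoughAccountKeys)?;
    Ok(invoke_transfer(token_program))
}

/// Hardened: compare the supplied account against the pinned program id (and
/// require it to be executable) before dispatching. Anchor's `Program<'info, T>`
/// account type performs this comparison when the accounts struct is parsed.
pub fn process_hardened(accounts: &[AccountInfo]) -> Result<Pubkey, ProgramError> {
    let token_program = accounts.get(2).ok_or(ProgramError::NotEnoughAccountKeys)?;
    if token_program.key != TOKEN_PROGRAM_ID {
        return Err(ProgramError::IncorrectProgramId);
    }
    if !token_program.executable {
        return Err(ProgramError::NotExecutable);
    }
    Ok(invoke_transfer(token_program))
}
```

Running the hardened handler against an account list whose third entry is not the pinned token program returns `IncorrectProgramId`, whereas the vulnerable handler dispatches to that substituted program; this is the class of defect the paper's symbolic-execution analysis searched for in deployed contracts.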
In summary, the paper reveals the security challenges in Solana smart contract development through empirical research and proposes possible solutions, providing valuable references for future research and practice.