AI-powered security scanner for Solana programs.
sol-fuzz automatically analyzes Anchor programs for vulnerabilities using static analysis, pattern matching, and optional LLM-powered semantic analysis. It parses your program's IDL and Rust source code, runs it against a database of known vulnerability patterns, generates proof-of-concept exploit scripts, and produces detailed security reports.
Securing Solana programs is hard. Professional audits cost $50k-$200k and take weeks. Meanwhile, automated tools are either too basic (linting only) or too noisy (thousands of false positives). There is no middle ground between "hope for the best" and "spend six figures."
sol-fuzz fills this gap. It provides audit-grade vulnerability detection at the speed of a linter, covering the most common and dangerous Solana vulnerability classes. It is not a replacement for a professional audit on high-value programs, but it catches the bugs that cause 80% of exploits.
# Clone the repository
git clone https://github.com/tobySolutions/sol-fuzz.git
cd sol-fuzz
# Install dependencies
npm install
# Build the project
npm run build
# Link the CLI globally (optional)
npm link -w packages/cli# Scan an Anchor program
sol-fuzz scan ./programs/escrow
# Scan with a specific IDL file
sol-fuzz scan . --idl ./target/idl/escrow.json
# Scan and generate proof-of-concept exploits
sol-fuzz scan ./programs/escrow --poc
# Generate a Markdown security report
sol-fuzz report ./programs/escrow
# Run in CI mode
sol-fuzz ci ./programs/escrow --fail-on high --format json _____ ____ __ ______ __ ________________
/ ___// __ \/ / / ____// / / /__ /__ /
\__ \/ / / / / / /_ / / / / / / / /
___/ / /_/ / /___ / __/ / /_/ / / / / /
/____/\____/_____/ /_/ \____/ /_/ /_/
AI-powered security scanner for Solana programs
Scanning: escrow
Timestamp: 2025-01-15T10:30:00.000Z
VULNERABILITY FOUND HIGH
+------------------------------------------------------------+
| Missing Signer Check |
| |
| Instruction: withdraw |
| Account: authority |
|------------------------------------------------------------|
| Account 'authority' in instruction 'withdraw' appears to |
| be an authority/signer account based on its name, but it |
| is not marked as a signer. |
|------------------------------------------------------------|
| Attack: |
| An attacker can call 'withdraw' and pass their own public |
| key as 'authority' without needing the private key. |
|------------------------------------------------------------|
| Impact: |
| Unauthorized access to instruction 'withdraw'. Any user |
| can drain escrow funds. |
|------------------------------------------------------------|
| Fix: |
| Add the Signer type constraint to 'authority'. |
+------------------------------------------------------------+
VULNERABILITY FOUND CRITICAL
+------------------------------------------------------------+
| Account Re-initialization |
| |
| Instruction: initialize |
| Account: escrow |
|------------------------------------------------------------|
| Instruction 'initialize' uses 'mut' instead of 'init'. |
| The escrow account can be re-initialized to overwrite |
| existing state. |
+------------------------------------------------------------+
Scan Summary
+----------------------------------------------------+
| Instructions scanned: 4 |
| Accounts analyzed: 15 |
| Patterns checked: 7 |
| PDAs found: 4 |
|----------------------------------------------------|
| Findings: 5 total |
| Critical: 1 |
| High: 2 |
| Medium: 1 |
| Low: 1 |
+----------------------------------------------------+
! High/Critical issues found. Fix before deployment.
sol-fuzz checks for the following vulnerability classes:
| ID | Category | Severity | Description |
|---|---|---|---|
missing-signer |
Missing Signer Check | High | Authority account lacks Signer constraint |
missing-owner |
Missing Owner Check | High | Account does not verify program ownership |
reinitialization |
Re-initialization | Critical | Account can be initialized multiple times |
missing-has-one |
Missing Relationship | Medium | No has_one linking data to authority |
integer-overflow |
Integer Overflow | Medium | Unchecked arithmetic on financial values |
type-cosplay |
Type Cosplay | High | Account type not verified via discriminator |
unsafe-close |
Unsafe Close | Medium | Account closed without zeroing data |
pda-collision |
PDA Collision | Critical | PDAs with identical seed structures |
pda-* |
PDA Warnings | Varies | Missing bump checks, user-controlled seeds |
ai-analysis |
AI-Detected | Varies | LLM-identified semantic vulnerabilities |
sol-fuzz operates in four stages:
+----------+ +----------+ +---------+ +----------+
| Parser | --> | Analyzer | --> | Fuzzer | --> | Reporter |
+----------+ +----------+ +---------+ +----------+
The parser reads your Anchor program's IDL JSON file and optionally parses the Rust source code. It extracts:
- All instructions with their arguments
- Account definitions with mutability and signer flags
- PDA seed derivations
- Constraint attributes (
has_one,seeds,init,close, etc.) - Cross-instruction dependencies
The analyzer runs two passes:
Static Analysis matches the parsed program structure against a database of known vulnerability patterns. Each pattern defines indicators (what to look for) and a check function (how to verify).
AI Analysis (optional) sends the program structure to an LLM for semantic analysis. The LLM can identify logic errors, business logic vulnerabilities, and subtle issues that pattern matching misses. Requires an API key.
For each vulnerability found, the fuzzer generates:
- A proof-of-concept TypeScript exploit script
- The necessary account structures and instruction data
- An execution harness that runs against
solana-test-validator
Generated PoCs are standalone scripts that demonstrate the vulnerability.
Results are output in multiple formats:
- Terminal: Colorized box-drawing output for human review
- Markdown: Comprehensive security report with findings, remediation, and references
- JSON: Structured output for programmatic consumption
- SARIF: GitHub Security-compatible format for CI integration
name: Security Scan
on: [push, pull_request]
jobs:
sol-fuzz:
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v4
- name: Setup Node.js
uses: actions/setup-node@v4
with:
node-version: '20'
- name: Install sol-fuzz
run: npm install -g sol-fuzz
- name: Build Anchor program
run: anchor build
- name: Run security scan
run: sol-fuzz ci . --fail-on high --format sarif --output results.sarif
- name: Upload SARIF
if: always()
uses: github/codeql-action/upload-sarif@v3
with:
sarif_file: results.sarifsecurity-scan:
stage: test
script:
- npm install -g sol-fuzz
- anchor build
- sol-fuzz ci . --fail-on high --format json --output scan-results.json
artifacts:
paths:
- scan-results.json
when: always| Code | Meaning |
|---|---|
| 0 | No findings at or above the --fail-on threshold |
| 1 | Findings found at or above the threshold |
| 2 | Scanner error (invalid input, missing files, etc.) |
Enable LLM-powered semantic analysis by providing an API key:
# Via environment variable
export SOL_FUZZ_AI_KEY="sk-..."
sol-fuzz scan ./programs/escrow
# Via CLI flag
sol-fuzz scan ./programs/escrow --ai-key "sk-..."
# With a custom model
sol-fuzz scan ./programs/escrow --ai-key "sk-..." --ai-model "gpt-4o"
# With a custom API endpoint (for Azure, local LLMs, etc.)
sol-fuzz scan ./programs/escrow --ai-key "..." --ai-base-url "http://localhost:11434/v1"AI analysis adds findings identified through semantic understanding of your program's logic, complementing the pattern-based static analysis.
Define your own vulnerability patterns as YAML files:
id: my-custom-check
name: Custom Authority Check
severity: high
description: >
Custom check for project-specific authority patterns.
indicators:
- account_is_authority: true
- has_signer_constraint: false
remediation: >
Add signer verification to the authority account.
references:
- https://your-docs.example.com/securityLoad custom patterns with:
sol-fuzz scan ./programs/escrow --patterns ./my-patterns/sol-fuzz/
packages/
core/ # Parser, analyzer, fuzzer, and reporter engines
cli/ # Command-line interface
patterns/ # Built-in vulnerability pattern YAML files
examples/ # Example programs for testing
# Install dependencies
npm install
# Build all packages
npm run build
# Build in watch mode
npm run dev
# Run tests
npm test
# Scan the example vulnerable escrow
node packages/cli/dist/index.js scan examples/vulnerable-escrow --idl examples/vulnerable-escrow/idl/escrow.jsonMIT