5 releases (3 breaking)

| Version | Date |
|---|---|
| 0.4.1 (new) | Mar 1, 2025 |
| 0.4.0 | Mar 1, 2025 |
| 0.3.0 | Feb 28, 2025 |
| 0.2.0 | Feb 26, 2025 |
| 0.1.0 | Feb 25, 2025 |
# 🛡️ Solana Fender

Solana static analysis tool built in Rust for Anchor programs. It can be used as a Rust crate for unit testing or as a CLI tool.
## CLI Tool

### ⚙️ Installation

Install via Cargo (recommended):

```sh
cargo install solana_fender
```

Install via source:

```sh
git clone https://github.com/honey-guard/solana-fender.git
cd solana-fender
cargo build
```

### Usage

Tip: Clone the sealevel-attacks repository as a test corpus to try this tool on.

Cargo:

```sh
solana_fender --program <path-to-program>
```

Source:

```sh
cargo run -- --program <path-to-program>
```
## Unit Testing Crate Usage

You can also use Solana Fender as a development dependency in your Anchor projects to run security checks as part of your unit tests.

### Add as a Dev Dependency

Add Solana Fender to your program's `Cargo.toml`:

```toml
[dev-dependencies]
solana_fender = "0.2.0" # Replace with the latest version
```

### Example Usage in Tests

Check `/examples` for more examples.
```rust
#[cfg(test)]
mod tests {
    use super::*;
    use solana_fender;

    #[test]
    fn test_security() {
        // Pass a marker type that represents your program module
        struct MyProgramMarker;
        let findings = solana_fender::analyze_program(MyProgramMarker).unwrap();
        assert!(findings.is_empty(), "Security vulnerabilities found: {:?}", findings);
    }

    #[test]
    fn test_security_with_module_name() {
        // Alternatively, use a string to represent the module name
        let findings = solana_fender::analyze_program_by_name("my_program").unwrap();
        assert!(findings.is_empty(), "Security vulnerabilities found: {:?}", findings);
    }
}
```
This allows you to integrate security checks directly into your test suite, ensuring that your program remains secure as you develop it.
## Comparison of Solana Static Analysis Tools

It is highly encouraged to use as many tools as possible to ensure the security of your program.

Below is a comparison of various static analysis tools available for Solana smart contracts written in Rust/Anchor:
Feature | Fender | l3x | X-Ray | radar |
---|---|---|---|---|
Languages | Rust | Rust | C++ | Python |
Unit testing | ✅ | ❌ | ❌ | ❌ |
Open Source | ✅ | ✅ | Demo | ✅ |
Distribution | Cargo | Source | Docker | Docker |
License | GPL-3.0 | ❌ | AGPL-3.0 | GPL-3.0 |
### Security Checks
Security Check | Fender | l3x | X-Ray | radar |
---|---|---|---|---|
Missing Owner Check | ✅ | ✅ | ✅ | ✅ |
Account Data Matching | ✅ | ✅ | ✅ | ✅ |
Account Initialization | ✅ | ✅ | ✅ | ✅ |
Arbitrary CPI | ✅ | ✅ | ❓ | ✅ |
Closing Accounts | ✅ | ✅ | ❓ | 🚧 |
Duplicate Mutable Accounts | ✅ | ✅ | ❓ | ✅ |
Missing Bump Seed Canonicalization | ✅ | ✅ | ✅ | ✅ |
PDA Sharing | ✅ | ✅ | ✅ | ✅ |
Type Cosplay | ✅ | ✅ | ✅ | ✅ |
Invalid Sysvar Accounts | ✅ | ✅ | ❓ | ✅ |
Reentrancy | ✅ | ❓ | ❓ | ❓ |
Unauthorized Access | ✅ | ✅ | ❓ | ❓ |
Integer Overflow | ✅ | ✅ | ✅ | ❓ |
- ❓ Could not find documentation on whether the check is supported.
- 🚧 Did not pass all sealevel-attacks test cases.

If there is any inaccuracy or an update is needed, open a pull request or issue and we will try to update the table.
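To make three of the rows above concrete (Missing Owner Check, Type Cosplay, Integer Overflow), here is an added, dependency-free Rust illustration written for this page; it is not code from Solana Fender or from sealevel-attacks. It replaces Anchor's `AccountInfo`/`Account` types with a hand-rolled `Account` struct, and `MY_PROGRAM_ID` and `VAULT_DISCRIMINATOR` are constructed placeholders. The vulnerable handler is the shape these analyzers flag; the hardened handler shows the checks they expect to find.

```rust
// Constructed stand-in for the account view an instruction handler gets.
// Anchor's real types are not used so the example compiles with no dependencies.
#[derive(Debug, Clone, PartialEq)]
pub struct Account {
    pub owner: [u8; 32],  // program that owns this account
    pub lamports: u64,
    pub data: Vec<u8>,    // first 8 bytes: Anchor-style type discriminator
}

#[derive(Debug, PartialEq)]
pub enum ProgramError {
    IllegalOwner,        // "Missing Owner Check" row
    TypeMismatch,        // "Type Cosplay" row
    ArithmeticOverflow,  // "Integer Overflow" row
}

// Placeholder program id and discriminator, constructed for this example.
pub const MY_PROGRAM_ID: [u8; 32] = [7u8; 32];
pub const VAULT_DISCRIMINATOR: [u8; 8] = *b"vault\0\0\0";

/// Vulnerable handler: trusts whatever account it is handed. `wrapping_add`
/// models what plain `+` does in a build with overflow checks disabled.
pub fn credit_vulnerable(acct: &mut Account, amount: u64) -> Result<u64, ProgramError> {
    acct.lamports = acct.lamports.wrapping_add(amount);
    Ok(acct.lamports)
}

/// Hardened handler: the three checks a static analyzer looks for.
pub fn credit_hardened(acct: &mut Account, amount: u64) -> Result<u64, ProgramError> {
    // Missing Owner Check: only accounts our program owns hold trusted data.
    if acct.owner != MY_PROGRAM_ID {
        return Err(ProgramError::IllegalOwner);
    }
    // Type Cosplay: the discriminator proves the data really is a Vault,
    // not some other same-sized account type owned by the program.
    if acct.data.len() < 8 || acct.data[..8] != VAULT_DISCRIMINATOR {
        return Err(ProgramError::TypeMismatch);
    }
    // Integer Overflow: fail loudly instead of wrapping the balance to zero.
    acct.lamports = acct
        .lamports
        .checked_add(amount)
        .ok_or(ProgramError::ArithmeticOverflow)?;
    Ok(acct.lamports)
}

/// Builds a constructed test account; `owner`/`disc` let callers vary each check.
pub fn sample_account(owner: [u8; 32], disc: [u8; 8], lamports: u64) -> Account {
    let mut data = disc.to_vec();
    data.extend_from_slice(&[0u8; 24]); // padded body, constructed
    Account { owner, lamports, data }
}

fn main() {
    // An account owned by a foreign program, sitting at the u64 ceiling.
    let mut foreign = sample_account([1u8; 32], VAULT_DISCRIMINATOR, u64::MAX);
    println!("vulnerable: {:?}", credit_vulnerable(&mut foreign.clone(), 1)); // Ok(0): wrapped
    println!("hardened:   {:?}", credit_hardened(&mut foreign, 1));          // Err(IllegalOwner)
}
```

The order of the checks matters: ownership is established before the discriminator is read, and the discriminator before any arithmetic, so each later step only ever operates on data the earlier steps have vouched for.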