We are systematizing everything we know about Solana security into one structured resource: the Solana Security Strategy. It’s a field-tested knowledge base for teams building serious products — packed with practical guidance, reference links, and strategy templates.
We've mapped security strategy into 3 main stages:
Solana's account-based programming model introduces unique attack surfaces where malicious actors can inject arbitrary accounts into transactions. Comprehensive protocol documentation must explicitly:
- Map all privileged roles and their associated permissions
- Identify and list dependencies on external services (e.g., price oracles, cross-chain bridges)
- Specify validation checks for:
  - Account ownership via AccountInfo::is_signer
  - Data structure integrity using Anchor's type constraints
  - Cross-program invocation (CPI) authority delegation risks
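The checklist above asks you to document which validation checks a program performs; the following is an added example (not code from the original post or from any Solana program it mentions) of what those checks look like in practice. `Pubkey` and `Account` are minimal stand-ins for `solana_program::pubkey::Pubkey` and `AccountInfo` so the code runs without the Solana crates, and `validate_vault_withdraw`, `validate_cpi_target`, `VAULT_DISCRIMINATOR` and the vault layout are constructed for this example.

```rust
// Added example, not code from the original post. `Pubkey`/`Account` stand in
// for solana_program's Pubkey/AccountInfo; the vault layout, discriminator and
// function names are constructed for illustration.

/// 32-byte public key, standing in for solana_program::pubkey::Pubkey.
#[derive(Clone, Copy, PartialEq, Eq, Debug)]
pub struct Pubkey(pub [u8; 32]);

/// Test-key constructor (constructed values, not real addresses).
pub fn key(b: u8) -> Pubkey {
    Pubkey([b; 32])
}

/// The fields of AccountInfo that validation logic inspects.
#[derive(Clone, Debug)]
pub struct Account {
    pub key: Pubkey,
    pub owner: Pubkey,   // program that owns (and may write) the account data
    pub is_signer: bool, // whether this key signed the transaction
    pub data: Vec<u8>,   // raw account data as passed in
}

#[derive(Debug, PartialEq, Eq)]
pub enum ValidationError {
    WrongOwner,
    BadLength,
    BadDiscriminator,
    NotAuthority,
    AuthorityNotSigner,
    WrongCpiTarget,
}

/// 8-byte type tag in the style of Anchor's account discriminator (constructed value).
pub const VAULT_DISCRIMINATOR: [u8; 8] = *b"vault\0\0\0";
/// Vault layout: discriminator (8) | authority pubkey (32) | balance u64 LE (8).
pub const VAULT_LEN: usize = 8 + 32 + 8;

#[derive(Debug, PartialEq, Eq)]
pub struct Vault {
    pub authority: Pubkey,
    pub balance: u64,
}

/// Serialize a vault in the layout above (used to build sample accounts).
pub fn encode_vault(authority: &Pubkey, balance: u64) -> Vec<u8> {
    let mut out = Vec::with_capacity(VAULT_LEN);
    out.extend_from_slice(&VAULT_DISCRIMINATOR);
    out.extend_from_slice(&authority.0);
    out.extend_from_slice(&balance.to_le_bytes());
    out
}

/// Structural check: exact length and discriminator, then field decode.
/// Anchor's typed accounts perform the same check before handing you the data.
pub fn parse_vault(data: &[u8]) -> Result<Vault, ValidationError> {
    if data.len() != VAULT_LEN {
        return Err(ValidationError::BadLength);
    }
    if data[..8] != VAULT_DISCRIMINATOR {
        return Err(ValidationError::BadDiscriminator);
    }
    let mut authority = [0u8; 32];
    authority.copy_from_slice(&data[8..40]);
    let mut balance = [0u8; 8];
    balance.copy_from_slice(&data[40..48]);
    Ok(Vault { authority: Pubkey(authority), balance: u64::from_le_bytes(balance) })
}

/// Checks for a hypothetical "withdraw" instruction, in the order a program
/// should apply them. Returns the withdrawable balance on success.
pub fn validate_vault_withdraw(
    program_id: &Pubkey,
    vault: &Account,
    authority: &Account,
) -> Result<u64, ValidationError> {
    // 1. Owner check: the data is trustworthy only if our program wrote it. A caller
    //    can otherwise pass an account with the right layout owned by another program.
    if vault.owner != *program_id {
        return Err(ValidationError::WrongOwner);
    }
    // 2. Layout check (discriminator + length) before trusting any field.
    let state = parse_vault(&vault.data)?;
    // 3. Authority check: the passed account must be the one recorded in state.
    if authority.key != state.authority {
        return Err(ValidationError::NotAuthority);
    }
    // 4. Signer check (AccountInfo::is_signer in the real API): the authority must
    //    have actually signed, not merely been listed in the account set.
    if !authority.is_signer {
        return Err(ValidationError::AuthorityNotSigner);
    }
    Ok(state.balance)
}

/// Before a CPI that is signed with a PDA, pin the callee: if the program id is
/// taken from the instruction's accounts unchecked, the caller chooses who
/// receives the delegated signing authority.
pub fn validate_cpi_target(expected: &Pubkey, target: &Account) -> Result<(), ValidationError> {
    if target.key != *expected {
        return Err(ValidationError::WrongCpiTarget);
    }
    Ok(())
}
```

The order matters: the owner check comes first because nothing in the data can be trusted until you know your program wrote it, and the signer check comes last because it only proves consent for the authority the validated state names. Documenting each of these as a separate line item gives reviewers and fuzzers a concrete list of conditions to test.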
- ALWAYS conduct identity verification + background checks on all of your employees
- Define a team member who will be responsible for security operations
- Conduct Social Engineering resistance training and tests with simulated phishing campaigns (remember, humans are often one of the most vulnerable parts of any system)
- Hardware keys for production systems
  - Best Hardware Security Keys
  - Use a Semi-Airgapped Device (this explains what an airgapped device is: AIRGAP Device). A Semi-Airgapped device is a device that connects to the network only when needed and has no apps installed other than the ones intended for production work.
- Secure your social media accounts against SIM-swap and other attacks:
- Multi-person integrity security policy (MPC / Multisig) to eliminate single points of failure:
- Solana Assets Security:
- Automated Scanning
- Solana Fuzz Testing
  - Trident
  - Honggfuzz-rs
  - Rust Fuzzers
  - Lessons from fuzzing a smart contract compiler
  - The Helius Security Guide emphasizes boundary condition testing for program-derived addresses (PDAs), as incorrect find_program_address usage can lead to seed collisions. Implement fuzz testing early using tools like Trident to simulate adversarial inputs.
- Other SAST / DAST on every commit
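The fuzz-testing item above mentions seed collisions in find_program_address. The following is an added example (not code from the original post or from Trident) that shows where the collision comes from and how a small fuzz harness catches it. The real derivation hashes the seed slices concatenated in order, so seed boundaries are not part of the result; `model_pda` reproduces only that property, using std's `DefaultHasher` as a stand-in for SHA-256 and skipping the bump search and off-curve check. `seeds_naive`, `seeds_prefixed`, `Lcg` and `find_collision` are names constructed for this example.

```rust
// Added example, not code from the original post or from Trident. It models
// one property of find_program_address: the seed slices are hashed
// concatenated, so seed boundaries are not part of the derivation. `model_pda`
// uses std's DefaultHasher as a stand-in for SHA-256 and skips the bump search
// and off-curve check; `seeds_naive`, `seeds_prefixed`, `Lcg` and
// `find_collision` are names constructed for this example.

use std::collections::hash_map::{DefaultHasher, Entry};
use std::collections::HashMap;
use std::hash::Hasher;

/// Stand-in for the hash step of find_program_address: seeds are fed in order
/// with no separator, as the real derivation concatenates them.
pub fn model_pda(seeds: &[&[u8]], program_id: &[u8; 32]) -> u64 {
    let mut h = DefaultHasher::new();
    for s in seeds {
        h.write(s);
    }
    h.write(program_id);
    h.write(b"ProgramDerivedAddress");
    h.finish()
}

/// Derive from owned seed vectors (helper for the encoders below).
pub fn derive(seeds: &[Vec<u8>], program_id: &[u8; 32]) -> u64 {
    let refs: Vec<&[u8]> = seeds.iter().map(|s| s.as_slice()).collect();
    model_pda(&refs, program_id)
}

/// Vulnerable encoding: two variable-length fields passed straight as seeds.
/// ("ab", "c") and ("a", "bc") yield the same byte stream and the same PDA.
pub fn seeds_naive(market: &[u8], user: &[u8]) -> Vec<Vec<u8>> {
    vec![b"order".to_vec(), market.to_vec(), user.to_vec()]
}

/// Hardened encoding: a fixed-width length prefix on each variable-length
/// field, so distinct (market, user) pairs always give distinct byte streams.
pub fn seeds_prefixed(market: &[u8], user: &[u8]) -> Vec<Vec<u8>> {
    let mut m = (market.len() as u32).to_le_bytes().to_vec();
    m.extend_from_slice(market);
    let mut u = (user.len() as u32).to_le_bytes().to_vec();
    u.extend_from_slice(user);
    vec![b"order".to_vec(), m, u]
}

/// Small deterministic PRNG so the fuzz run is reproducible offline.
pub struct Lcg(pub u64);

impl Lcg {
    pub fn next(&mut self) -> u64 {
        self.0 = self.0.wrapping_mul(6364136223846793005).wrapping_add(1442695040888963407);
        self.0 >> 33
    }
    /// Random bytes from a 4-letter alphabet (small on purpose, so
    /// boundary-shifted inputs are generated often).
    pub fn bytes(&mut self, len: usize) -> Vec<u8> {
        (0..len).map(|_| b'a' + (self.next() % 4) as u8).collect()
    }
}

/// Fuzz property: distinct (market, user) inputs must derive distinct PDAs.
/// Returns the first pair of different inputs sharing a PDA, if any.
pub fn find_collision(
    encode: fn(&[u8], &[u8]) -> Vec<Vec<u8>>,
    iters: usize,
    seed: u64,
) -> Option<((Vec<u8>, Vec<u8>), (Vec<u8>, Vec<u8>))> {
    let program_id = [7u8; 32]; // constructed program id
    let mut rng = Lcg(seed);
    let mut seen: HashMap<u64, (Vec<u8>, Vec<u8>)> = HashMap::new();
    for _ in 0..iters {
        let market_len = 1 + (rng.next() % 4) as usize;
        let market = rng.bytes(market_len);
        let user_len = 1 + (rng.next() % 4) as usize;
        let user = rng.bytes(user_len);
        let pda = derive(&encode(&market, &user), &program_id);
        match seen.entry(pda) {
            Entry::Occupied(e) => {
                let prev = e.get();
                if prev.0 != market || prev.1 != user {
                    return Some((prev.clone(), (market, user)));
                }
            }
            Entry::Vacant(e) => {
                e.insert((market, user));
            }
        }
    }
    None
}

fn main() {
    println!("naive:    {:?}", find_collision(seeds_naive, 5000, 42));
    println!("prefixed: {:?}", find_collision(seeds_prefixed, 5000, 42));
}
```

The same property holds in the real derivation, so the usual fix on Solana is to use fixed-width seeds (a 32-byte pubkey, a u64 in little-endian) or a length prefix whenever a seed comes from user-controlled, variable-length input; a Trident harness that asserts "different inputs, different PDA" over generated inputs will flag the naive encoding the same way this loop does.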
The pre-deployment stage is a pivotal checkpoint in a protocol's journey to mainnet. It's the point where theoretical risks meet practical implementation, and where undetected flaws can become multimillion-dollar vulnerabilities. At this stage, security should be proactive, layered, and aligned with the protocol's architecture. This includes threat modeling, fuzzing campaigns, formal verification, and security reviews. Rather than relying on a last-minute audit alone, teams should design security into their development cycle, ensuring their system is resilient before it ever touches users or capital.
If you're aiming to embed security into every stage of your development lifecycle, we encourage you to reach out. Our distributed network of top-tier security engineers offers comprehensive support across the entire engineering process. By streamlining your security strategy and applying our deep experience, we help reduce operational risk, so your team can stay focused on building and scaling with confidence.
- Begin scheduling security reviews at least 8 weeks before your planned launch date
- Keep in mind: the effectiveness of a security audit is directly tied to your audit readiness. To get the most value from the review, we strongly recommend passing an audit readiness checklist beforehand.
- Fuzzing as a Service
  - using Trident
- Schedule an audit contest
- Web app audit / pentesting
- Stress Testing
- Formal Verification
The most expert teams for Solana-based security reviews:
- Runtime Verification
- OtterSec
- Neodyme
- Sec3
- Zellic
- Ackee Blockchain
- Hexens
- Trail of Bits
- Kudelski Security
- Cantina
- Certora
- Sherlock
The post-deployment stage is the time to improve, analyze, and prepare for emergent situations. It's critically important to understand that no defensive solution can guarantee 100% protection of your blockchain software against hacker activities. Your team should be prepared to respond swiftly to prevent disasters. Developing an Incident Response Plan (IRP), launching a bug bounty (BB), and integrating advanced on-chain monitoring technology with supportive SOC analysts can significantly improve outcomes in the event of malicious incidents.
You should never stop thinking about security. It is essentially a repetitive process. Even if your project has significantly evolved in reputational and operational maturity, continuous 24/7 analysis and monitoring remain mandatory.
- Launching a bug bounty program
- Incident Response Plan development
  - Crisis Handbook during smart contract hacks - This was tailored for EVM, but most of it works for Solana as well.
- Onchain Monitoring integration + SOC center 24/7 support
- Ongoing security reviews and formal verification for each new update/integration
Do not think of security as a timestamp before deployment. When building financial infrastructure, security must be a way of thinking, writing code, managing teams, and scaling systems. At Rektoff, we're restructuring the approach to security by embedding it across the entire engineering lifecycle. Through a distributed network of elite engineers and Rust security specialists, we make high-impact security knowledge, workflows, and tools accessible to every team - no matter their size or stage.
Stay Rektoff.