Solana Checklist
Release: Version 2.0
| # | Item | Description |
|---|---|---|
| 1 | Missing rent exemption checks | All Solana accounts holding an Account, Mint or Multisig must hold enough SOL to be rent exempt; otherwise the accounts may fail to load. |
| 2 | Signed invocation of unverified programs | The program does not verify the pubkey of any program called via the `invoke_signed()` API. |
| 3 | Solana account confusions | The program fails to ensure that an account's data is of the type it expects. |
| 4 | Redeployment with cross-instance confusion | The program fails to ensure that the deployed wasm code is the code it expects. |
| 5 | Missing freeze authority checks | Freezing is enabled, but the program does not verify that the freeze call has been signed by the mint's `freeze_authority`. |
| 6 | Insufficient SPL-Token account verification | The program's checks do not match those required for the given type of SPL-Token account. |
| 7 | Anti-pattern to transfer the ownership of an Associated Token Account | Transferring ownership of an Associated Token Account is an anti-pattern. The best practice is to create an associated token account for the recipient's wallet, transfer the tokens, and then close the first account. |
| 8 | As-of-yet Solana blockchain unknown classes of vulnerabilities | Check for any other as-yet unknown classes of vulnerabilities arising from the structure of the Solana blockchain. |
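The following is an added example, not code from the checklist or from any Solana project, showing what the checks behind items 1, 2, 3, 5 and 6 look like in practice. It is plain Rust with no `solana_program` dependency: the `Account` struct is a simplified stand-in for `AccountInfo`, `TOKEN_PROGRAM_ID` is a constructed placeholder rather than the real program id, and the helper names (`check_rent_exempt`, `check_program_id`, `check_token_account`, `check_freeze_authority`) are this example's own. The rent constants and the SPL Token `Account` (165 bytes) and `Mint` (82 bytes) byte layouts are the published defaults.

```rust
// Added example (not from the checklist): pre-invocation checks a Solana
// program should perform, modelled without the solana_program crate.

pub type Pubkey = [u8; 32];

// Rent defaults: minimum_balance = (128 + data_len) * 3480 lamports/byte-year * 2 years.
pub const LAMPORTS_PER_BYTE_YEAR: u64 = 3_480;
pub const ACCOUNT_STORAGE_OVERHEAD: u64 = 128;
pub const EXEMPTION_THRESHOLD_YEARS: f64 = 2.0;
pub const TOKEN_ACCOUNT_LEN: usize = 165; // SPL Token Account layout size
pub const MINT_LEN: usize = 82;           // SPL Token Mint layout size
pub const TOKEN_PROGRAM_ID: Pubkey = [0xAA; 32]; // constructed placeholder, not the real id

/// Simplified stand-in for AccountInfo (assumption of this example).
pub struct Account {
    pub key: Pubkey,
    pub owner: Pubkey, // program that owns the account
    pub lamports: u64,
    pub data: Vec<u8>,
    pub is_signer: bool,
}

#[derive(Debug, PartialEq)]
pub enum CheckError {
    NotRentExempt { needed: u64, have: u64 },
    WrongProgramId,
    WrongOwnerProgram,
    WrongDataLength,
    NotInitialized,
    MintMismatch,
    FreezeAuthorityNotSet,
    FreezeAuthorityMismatch,
    MissingSignature,
}

pub fn minimum_balance(data_len: usize) -> u64 {
    let bytes = ACCOUNT_STORAGE_OVERHEAD + data_len as u64;
    ((bytes * LAMPORTS_PER_BYTE_YEAR) as f64 * EXEMPTION_THRESHOLD_YEARS) as u64
}

/// Item 1: the account must hold at least the rent-exempt minimum for its size.
pub fn check_rent_exempt(acct: &Account) -> Result<(), CheckError> {
    let needed = minimum_balance(acct.data.len());
    if acct.lamports < needed {
        return Err(CheckError::NotRentExempt { needed, have: acct.lamports });
    }
    Ok(())
}

/// Item 2: compare the callee's pubkey against the expected program id before invoke_signed.
pub fn check_program_id(program: &Account, expected: &Pubkey) -> Result<(), CheckError> {
    if &program.key != expected { return Err(CheckError::WrongProgramId); }
    Ok(())
}

/// Items 3 and 6: a token account must be owned by the token program, have the exact
/// layout length, be initialized, and reference the mint the instruction expects.
pub fn check_token_account(acct: &Account, expected_mint: &Pubkey) -> Result<(), CheckError> {
    if acct.owner != TOKEN_PROGRAM_ID { return Err(CheckError::WrongOwnerProgram); }
    if acct.data.len() != TOKEN_ACCOUNT_LEN { return Err(CheckError::WrongDataLength); }
    // state byte at offset 108: 0 = Uninitialized, 1 = Initialized, 2 = Frozen
    if acct.data[108] == 0 { return Err(CheckError::NotInitialized); }
    if acct.data[0..32] != expected_mint[..] { return Err(CheckError::MintMismatch); }
    Ok(())
}

/// Item 5: a freeze call must be signed by the freeze_authority stored in the mint.
pub fn check_freeze_authority(mint: &Account, signer: &Account) -> Result<(), CheckError> {
    if mint.owner != TOKEN_PROGRAM_ID { return Err(CheckError::WrongOwnerProgram); }
    if mint.data.len() != MINT_LEN { return Err(CheckError::WrongDataLength); }
    // freeze_authority is a COption<Pubkey> at 46..82: u32 LE tag (0 None, 1 Some) + key
    let tag = u32::from_le_bytes([mint.data[46], mint.data[47], mint.data[48], mint.data[49]]);
    if tag != 1 { return Err(CheckError::FreezeAuthorityNotSet); }
    if mint.data[50..82] != signer.key[..] { return Err(CheckError::FreezeAuthorityMismatch); }
    if !signer.is_signer { return Err(CheckError::MissingSignature); }
    Ok(())
}

// Constructed sample accounts for running the checks offline.
pub fn sample_token_account(mint: Pubkey, initialized: bool) -> Account {
    let mut data = vec![0u8; TOKEN_ACCOUNT_LEN];
    data[0..32].copy_from_slice(&mint);
    data[108] = if initialized { 1 } else { 0 };
    Account { key: [1; 32], owner: TOKEN_PROGRAM_ID, lamports: minimum_balance(TOKEN_ACCOUNT_LEN), data, is_signer: false }
}

pub fn sample_mint(freeze_authority: Option<Pubkey>) -> Account {
    let mut data = vec![0u8; MINT_LEN];
    data[45] = 1; // is_initialized
    if let Some(key) = freeze_authority {
        data[46..50].copy_from_slice(&1u32.to_le_bytes());
        data[50..82].copy_from_slice(&key);
    }
    Account { key: [2; 32], owner: TOKEN_PROGRAM_ID, lamports: minimum_balance(MINT_LEN), data, is_signer: false }
}

fn main() {
    let mint_key = [7u8; 32];
    let acct = sample_token_account(mint_key, true);
    println!("rent-exempt minimum for a token account: {} lamports", minimum_balance(TOKEN_ACCOUNT_LEN));
    println!("token account check: {:?}", check_token_account(&acct, &mint_key));
    println!("wrong-mint check: {:?}", check_token_account(&acct, &[8u8; 32]));
}
```

The order of the checks matters: owner program and data length are verified before any byte of the account is interpreted, so a type-confused account (item 3) is rejected before its bytes can be misread as a mint field or a freeze authority. The signer check in `check_freeze_authority` is deliberately a separate condition from the key comparison, so a missing signature is reported as such rather than as a mismatch.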