solana-toolbox.com · Section G · 07 of 8 · Issue 14 · 05.2026
4 entries · curated May 2026

Security & Auditing

Static analysis, formal verification, and audit firms.

Use Anchor constraints by default. Audit with OtterSec or Neodyme before mainnet.

Security in Solana programs centers on account validation — ensuring that the accounts passed into an instruction are what the program expects. Anchor's built-in constraints (has_one, constraint, owner, signer) handle the most common validation patterns declaratively and eliminate a large class of vulnerabilities by construction.

For automated scanning, Sec3 (formerly Soteria) provides static analysis against known Solana vulnerability patterns. For formal audits before mainnet deployment, OtterSec and Neodyme are two of the most respected firms in the ecosystem — both have audited Jupiter, Marinade, Drift, and other major protocols.

The Solana Security Workshop (sealevel-attacks) is the best starting point for developers learning about Solana-specific exploits. It contains deliberately vulnerable programs covering the full taxonomy of common attacks.

G.02
OtterSec DEV

Leading Solana security auditing firm. Audited Jupiter, Marinade, Drift, and many top protocols.

Tags: audit-firm, security-research
G.03
Neodyme DEV

Security research firm specializing in Solana. Known for discovering critical vulnerabilities in core programs.

Tags: audit-firm, security-research