
solana-program-review

Specialized review for Solana on-chain programs — Anchor framework, raw BPF, account constraints, signer/owner checks, CPI safety, PDA derivation, compute budget. Use this skill on any PR touching `programs/*` directories, `*.rs` files declaring `#[program]` or `entrypoint!`, Anchor account structs, or smart contracts handling funds. Critical for [Project B] and [Project A] where on-chain logic governs medical/procurement records.
Xipher-Labs/walter-os · ★ 5 · AI & Automation · score 67
Install: claude install-skill Xipher-Labs/walter-os
# Solana Program Review

On-chain Solana code review. Different threat model than RPC code: bugs ship to immutable contracts (or upgradeable but with auditable history), exploits drain real funds, and you can't patch in production without governance overhead.

## The big seven (most-exploited bug classes)

Every PR is reviewed against these. Any miss is BLOCKING.

### 1. Missing signer check

**The bug**: an instruction trusts that an account is signed without asserting it. Attacker passes a different (unsigned) account; the program treats it as authorized.

```rust
// BAD
pub fn withdraw(ctx: Context<Withdraw>, amount: u64) -> Result<()> {
    // No check that ctx.accounts.authority is a signer!
    transfer_lamports(&ctx.accounts.vault, &ctx.accounts.recipient, amount)
}

// GOOD - Anchor
#[derive(Accounts)]
pub struct Withdraw<'info> {
    #[account(mut)]
    pub vault: Account<'info, Vault>,
    pub authority: Signer<'info>, // <-- Anchor enforces is_signer
    pub recipient: SystemAccount<'info>,
}
```

For raw BPF: explicit `if !account.is_signer { return Err(...); }`.

### 2. Missing owner check

**The bug**: program reads an account's data without checking that the program owns it. Attacker passes an arbitrary account; deserialization succeeds with attacker-controlled data.

```rust
// BAD - raw BPF
let vault = Vault::try_from_slice(&account.data.borrow())?;
// Account data could be ANYTHING the attacker put there.

// GOOD - Anchor handles via #[account(owner = crat
```
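The raw-BPF form of checks 1 and 2 in one instruction, as an added example that is not part of the skill or of any project's code. `Pubkey`, `AccountInfo`, `ReviewError`, the 40-byte vault layout and `sample_vault` are simplified stand-ins assumed here so the block compiles without the `solana_program` crate.

```rust
// Added example: simplified stand-ins, NOT the solana_program crate's types.
type Pubkey = [u8; 32];

struct AccountInfo {
    key: Pubkey,
    owner: Pubkey,   // program that owns this account's data
    is_signer: bool, // whether this key signed the transaction
    data: Vec<u8>,
}

#[derive(Debug, PartialEq)]
enum ReviewError { MissingSignature, IllegalOwner, InvalidData, WrongAuthority, Insufficient }

// Assumed vault layout: 32-byte authority key, then a u64 little-endian balance.
struct Vault { authority: Pubkey, balance: u64 }

fn load_vault(program_id: &Pubkey, acct: &AccountInfo) -> Result<Vault, ReviewError> {
    // Owner check BEFORE deserialization: a foreign-owned account holds untrusted bytes.
    if acct.owner != *program_id { return Err(ReviewError::IllegalOwner); }
    if acct.data.len() != 40 { return Err(ReviewError::InvalidData); }
    let (mut authority, mut bal) = ([0u8; 32], [0u8; 8]);
    authority.copy_from_slice(&acct.data[..32]);
    bal.copy_from_slice(&acct.data[32..]);
    Ok(Vault { authority, balance: u64::from_le_bytes(bal) })
}

fn withdraw(program_id: &Pubkey, vault: &AccountInfo, authority: &AccountInfo,
            amount: u64) -> Result<u64, ReviewError> {
    // Signer check: a matching key is not enough, the key must have signed.
    if !authority.is_signer { return Err(ReviewError::MissingSignature); }
    let v = load_vault(program_id, vault)?;
    if v.authority != authority.key { return Err(ReviewError::WrongAuthority); }
    // Returns the remaining balance; checked_sub rejects overdraw instead of wrapping.
    v.balance.checked_sub(amount).ok_or(ReviewError::Insufficient)
}

// Constructed sample vault account for exercising the checks.
fn sample_vault(owner: Pubkey, authority: Pubkey, balance: u64) -> AccountInfo {
    let mut data = authority.to_vec();
    data.extend_from_slice(&balance.to_le_bytes());
    AccountInfo { key: [9u8; 32], owner, is_signer: false, data }
}

fn main() {
    let (program, alice) = ([1u8; 32], [2u8; 32]);
    let signer = AccountInfo { key: alice, owner: [0u8; 32], is_signer: true, data: vec![] };
    let res = withdraw(&program, &sample_vault(program, alice, 100), &signer, 30);
    println!("{:?}", res); // Ok(70)
}
```

In review, the order matters as much as the presence of the checks: any read of `data` that precedes the owner comparison is a finding.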