solana_fender 0.4.3

Static analysis tool for Solana smart contracts
Documentation

🛡️ Solana Fender

License: GPL v3 Crates.io

Solana static analysis tool built in rust for anchor programs. Can be used as a rust crate for unit testing or as a CLI tool.

CLI Tool

⚙️ Installation

Install via Cargo ( Recommended )

cargo install solana_fender

Install via Source

git clone https://github.com/honey-guard/solana-fender.git
cd solana-fender
cargo build

Usage

Tip: Clone sealevel-attacks as a test case to sample this program.

Cargo

solana_fender --program <path-to-program>

Source

cargo run -- --program <path-to-program>

Unit Testing Crate Usage

You can also use Solana Fender as a development dependency in your Anchor projects to run security checks as part of your unit tests.

Add as a Dev Dependency

Add Solana Fender to your program's Cargo.toml:

[dev-dependencies]
solana_fender = "0.4.3"  # Replace with the latest version

Example Usage in Tests

Check /examples for more examples.

#[cfg(test)]
mod tests {
    use super::*;
    use solana_fender;

    #[test]
    fn test_security() {
        // Pass a marker type that represents your program module
        struct MyProgramMarker;
        let findings = solana_fender::analyze_program(MyProgramMarker).unwrap();
        assert!(findings.is_empty(), "Security vulnerabilities found: {:?}", findings);
    }
    
    #[test]
    fn test_security_with_module_name() {
        // Alternatively, use a string to represent the module name
        let findings = solana_fender::analyze_program_by_name("my_program").unwrap();
        assert!(findings.is_empty(), "Security vulnerabilities found: {:?}", findings);
    }
}

This allows you to integrate security checks directly into your test suite, ensuring that your program remains secure as you develop it.

Comparison of Solana Static Analysis Tools

It is highly encouraged to use as many tools as possible to ensure the security of your program.

Below is a comparison of various static analysis tools available for Solana smart contracts written in Rust/Anchor:

Feature Fender l3x X-Ray radar
Languages Rust Rust C++ Python
Unit testing
Open Source Demo
Distribution Cargo Source Docker Docker
License GPL-3.0 AGPL-3.0 GPL-3.0

Security Checks

Security Check Fender l3x X-Ray radar
Missing Owner Check
Account Data Matching
Account Initialization
Arbitrary CPI
Closing Accounts 🚧
Duplicate Mutable Accounts
Missing Bump Seed Canonicalization
PDA Sharing
Type Cosplay
Invalid Sysvar Accounts
Reentrancy
Unauthorized Access
Integer Overflow
  • - Could not find documentation if supported.
  • 🚧 - Did not pass all sealevel-attacks

If there is any inaccuracy or updating needed, pull request or issue and we will try to update the table.