We are systematizing everything we know about Solana security into one structured resource: the Solana Security Strategy. It’s a field-tested knowledge base for teams building serious products — packed with practical guidance, reference links, and strategy templates.
⚫️ Solana Application Security Roadmap
We are systematizing everything we know about Solana security into one structured resource: the Solana Security Strategy. It’s a field-tested knowledge base for teams building serious products — packed with practical guidance, reference links, and strategy templates.
⚫️ Security Strategy Overview
We've mapped security strategy into 3 main stages:
⚫️ I. Design & Development Stage
Protocol Documentation
Solana's account-based programming model introduces unique attack surfaces where malicious actors can inject arbitrary accounts into transactions. Comprehensive protocol documentation must explicitly:
- Map all privileged roles and their associated permissions
- Identify and list dependencies on external services (e.g., price oracles, cross-chain bridges)
- Specify validation checks for:
AccountInfo::is_signer
- Data structure integrity using Anchor's type constraints
- Cross-program invocation (CPI) authority delegation risks
Organizational Security
- ALWAYS conduct identity verification + background checks on all of your employees
- Define a team member who will be responsible for security operations
- Conduct Social Engineering resistance training and tests with simulated phishing campaigns (remember, humans are often one of the most vulnerable parts of any system)
DevSecOps Pipeline + Operational Security
- Hardware keys for production systems
- Secure your social media accounts against sim-swap and other attacks:
- Multi-person integrity security policy (MPC / Multisig) to eliminate single point of failure:
- Solana Assets Security:
Internal Security Testing
- Automated Scanning
- Solana Fuzz Testing
findprogramaddress usage can lead to seed collisions. Implement fuzz testing early using tools like Trident to simulate adversarial inputs
- Other SAST / DAST on every commit
⚫️ II. Pre-deployment / Testnet Stage
The pre-deployment stage is a pivotal checkpoint in a protocol's journey to mainnet. It's the point where theoretical risks meet practical implementation. Where undetected flaws can become multimillion-dollar vulnerabilities. At this stage, security should be proactive, layered, and aligned with the protocol's architecture. This includes threat modeling, fuzzing campaigns, formal verification, and security reviews. Rather than relying on a last-minute audit alone, teams should design security into their development cycle, ensuring their system is resilient before it ever touches users or capital.
If you're aiming to embed security into every stage of your development lifecycle, we encourage you to reach out. Our distributed network of top-tier security engineers offers comprehensive support across the entire engineering process. By streamlining your security strategy and applying our deep experience, we help reduce operational risk, so your team can stay focused on building and scaling with confidence.
External Security Testing
- Begin scheduling security reviews at least 8 weeks before your planned launch date
- Keep in mind: the effectiveness of a security audit is directly tied to your audit readiness. To get the most value from the review, we strongly recommend passing an audit readiness checklist beforehand
- Fuzzing as a Service
- Schedule an audit contest
- Web app audit / pentesting
- Stress Testing
- Formal Verification
Security Reviews
The most expert teams for Solana-based security reviews:
- Runtime Verification
- OtterSec
- Neodyme
- Sec3
- Zellic
- Ackee Blockchain
- Hexens
- Trail of Bits
- Kudelski Security
- Cantina
- Certora
- Sherlock
⚫️ III. Post-deployment / Monitoring Stage
The post-deployment stage is the time to improve, analyze, and prepare for emergent situations. It's critically important to understand that no defensive solution can guarantee 100% protection of your blockchain software against hacker activities. Your team should be prepared to respond reactively to prevent disasters swiftly. Developing an Incident Response Plan (IRP), launching bug bounty (BB), and integrating advanced on-chain monitoring technology with supportive SOC analysts can significantly improve outcomes in the event of malicious incidents.
You should never stop thinking about security. It is essentially a repetitive process. Even if your project has significantly evolved in reputational and operational maturity, continuous 24/7 analysis and monitoring remain mandatory.
Key Activities
- Launching a bug bounty program
- Incident Response Plan development
- Onchain Monitoring integration + SOC center 24/7 support
- Ongoing security reviews and formal verification for each new update/integration
⚫️ Strengthening
Do not think of security as a timestamp before deployment. When building financial infrastructure, security must be a way of thinking, writing code, managing teams, and scaling systems. At Rektoff, we’re restructurinng approach to security by embedding it across the entire engineering lifecycle. Through a distributed network of elite engineers and Rust security specialists, we make high-impact security knowledge, workflows, and tools accessible to every team - no matter their size or stage.
Stay Rektoff.