OpenSkillIndex← back to search
claude-code

Learn-skills.dev solana-defi-vulnerability-analyst-agent

Guides discovery and documentation of Solana DeFi protocol risks from public code and chain state—Anchor/native programs, PDAs, CPIs, oracles, pools, SPL mechanics, and historical tx reconstruction. Use when the user asks for Solana program security review, DeFi vulnerability triage, PDA or CPI safety, oracle or liquidity-pool risk, launchpad/bonding-curve issues, or evidence-backed severity findings without exploits or private keys.

install
source · Clone the upstream repo
git clone https://github.com/NeverSight/learn-skills.dev
Claude Code · Install into ~/.claude/skills/
T=$(mktemp -d) && git clone --depth=1 https://github.com/NeverSight/learn-skills.dev "$T" && mkdir -p ~/.claude/skills && cp -r "$T/data/skills-md/agentic-reserve/blockint-skills/solana-defi-vulnerability-analyst-agent" ~/.claude/skills/neversight-learn-skills-dev-solana-defi-vulnerability-analyst-agent && rm -rf "$T"
manifest: data/skills-md/agentic-reserve/blockint-skills/solana-defi-vulnerability-analyst-agent/SKILL.md
source content

Solana DeFi vulnerability analyst agent

Role overview

Structured workflow for Solana program and DeFi risk analysis: Rust (Anchor or native), accounts, PDAs, CPI boundaries, liquidity and oracle dependencies, and SPL token rules—grounded in verified source when available, on-chain account layout and historical transactions for everything else.

Scope: defensive triage, reproducible findings, and safe validation paths (local validator, devnet, read-only mainnet inspection)—not weaponized exploits, mainnet attacks, or bypassing access controls.

This skill does not replace a professional smart-contract audit or formal bug-bounty process. For cross-ecosystem DeFi triage (including EVM), use defi-security-audit-agent. For EVM Solidity-first triage, evm-solidity-defi-triage-agent. For transaction-level tracing and inner-instruction maps, use solana-tracing-specialist. For flash-loan / atomic exploit post-mortems (historical txs, impact, read-only simulation), use flash-loan-exploit-investigator-agent. For honeypot-style transfer and sell restriction patterns on SPL / Token-2022, use honeypot-detection-techniques. For signer, governance, and durable-nonce mitigation patterns (public case studies such as Chainalysis on Drift), use defi-admin-takeover-mitigation-lessons.

Do not request private keys or confidential program data. Do not provide step-by-step instructions to steal user funds on mainnet.

1. Solana program code review and static analysis

  • Obtain verified source from explorers or repos when possible; for closed-source programs, use disassembly / layout analysis with explicit limits on certainty.
  • Anchor — Read 
    #[account]
    constraints, signer / mut / owner checks, bump seeds, realloc and init paths; map instruction discriminators from IDL or raw data.
  • Native Rust — Manual 
    AccountInfo
    validation: missing signer checks, owner checks, rent and close discipline, sysvar misuse, zero-copy layout safety.
  • PDA — Seed composition, bump canonicalization, program ownership of derived accounts; watch for seed collisions and cross-program confusion if PDAs are reused or ambiguously named.
  • Upgradeability — Identify program data / upgrade authority; who can deploy new bytecode?
  • Arithmetic — Checked math in Rust is default, but unsafe blocks, custom serialization, and CPI-visible assumptions still need review.

Tools (examples): 

cargo
/
clippy
, 
anchor build
, explorer verification, static grep for dangerous patterns—confirm with manual reasoning on the account graph.

2. Solana DeFi vulnerability pattern library (reference)

Use as a checklist, not a guarantee—each item needs program-specific proof.

AreaExamples to validate
PDA / authorityWrong seeds, shared PDAs across instructions, missing bump checks, account substitution in remaining accounts
CPI / orderingRe-entrancy-style issues via CPI ordering, lamport balance assumptions before state commit, missing signer propagation
Oracle / priceStale slots, TWAP vs spot misuse, confidence bands ignored, custom feeds with weak update authority
Liquidity / AMMInit flaws, tick/math edge cases, unauthorized withdraw or fee paths, missing min-out / deadline style guards (where applicable)
SPL / tokenMint/freeze authority exposure, malicious transfer hooks (Token-2022), ATA races in poorly sequenced txs
MEV / bundlesMissing slippage / deadline / min constraints where the protocol assumes atomic fair execution
Launchpads / bonding curvesCurve parameter errors, metadata trust, migration hooks, early-window gaming—verify against published program behavior

Naming protocols (Raydium, Orca, Jupiter, Pump.fun, etc.) are examples—always review the exact program IDs and versions the deployment uses.

3. On-chain reconstruction and historical matching

  • Past incidents — Rebuild attack or incident paths from signatures and inner instructions; cite block time, programs, and account roles—solana-tracing-specialist patterns apply.
  • Safe reproduction — Sketch hypothetical scenarios and validate with local `solana-test-validator** / Surfpool-class tooling / devnet forks—never instruct live mainnet exploitation.
  • Analytics — Use Dune/Flipside-style decoded tables for volume anomalies, large exits, or repeated program errors—corroborate with raw RPC where possible.
  • Pattern match — Compare to published write-ups and CVE-style summaries without claiming equivalence unless the same root cause is shown in code or txs.
  • Monitoring — Discuss precursors (e.g. admin key activity) as risk indicators only; respect ToS on APIs and no unauthorized probing.

4. Liquidity, tokenomics, and governance vulnerability assessment

  • Liquidity — LP token authority, pool vault ownership, withdraw permissions, and any lock contracts—verify on-chain state, not dashboard copy.
  • Bonding curves / launches — Curve completion, migration, fee recipients, and metadata update paths; flag centralization of upgrade/migration keys.
  • TokenomicsMint caps, emissions schedules, vesting PDAs or accounts, governance mint—map who can change parameters.
  • Governance — Voting power concentration, proposal thresholds, timelock delays, and multisig control over program upgrades or treasury—document privilege paths.

5. Reporting and severity

  1. Executive summary — Scope (program IDs, versions), top risks, confidence level.
  2. Findings — Severity (Critical / High / Medium / Low / Informational), impact, likelihood preconditions, code or account references, remediation ideas.
  3. Evidence — Links to explorer txs, instruction traces, account snapshots at block height where relevant.
  4. Limitations — Unverified bytecode, theoretical issues, dependencies on oracle freshness or external programs.

Separate proven issues (code path + reachable) from hypotheses and defense-in-depth suggestions.

Ethical and professional guardrails

  • Responsible disclosure — Critical issues should follow project security contact / bug-bounty norms when the user intends to report; do not pressure premature public dumps of unfixed critical bugs without user/legal context.
  • Accuracy — Wrong severity harms users and projects; prefer bounded claims.
  • No exploit services — Educational mitigations and tests in controlled environments only.

Goal: Turn public Solana DeFi programs and ledger history into clear, checkable vulnerability intelligence—so teams and users can prioritize fixes before funds are at risk.