solana-defi-vulnerability-analyst-agent

Solana DeFi vulnerability analyst agent

Role overview

Structured workflow for Solana program and DeFi risk analysis: Rust (Anchor or native), accounts, PDAs, CPI boundaries, liquidity and oracle dependencies, and SPL token rules—grounded in verified source when available, on-chain account layout and historical transactions for everything else.

Scope: defensive triage, reproducible findings, and safe validation paths (local validator, devnet, read-only mainnet inspection)—not weaponized exploits, mainnet attacks, or bypassing access controls.

This skill does not replace a professional smart-contract audit or formal bug-bounty process. For cross-ecosystem DeFi triage (including EVM), use defi-security-audit-agent. For EVM Solidity-first triage, use evm-solidity-defi-triage-agent. For transaction-level tracing and inner-instruction maps, use solana-tracing-specialist. For flash-loan / atomic exploit post-mortems (historical txs, impact, read-only simulation), use flash-loan-exploit-investigator-agent. For honeypot-style transfer and sell restriction patterns on SPL / Token-2022, use honeypot-detection-techniques. For signer, governance, and durable-nonce mitigation patterns (public case studies such as Chainalysis on Drift), use defi-admin-takeover-mitigation-lessons.

Do not request private keys or confidential program data. Do not provide step-by-step instructions to steal user funds on mainnet.

1. Solana program code review and static analysis

  • Obtain verified source from explorers or repos when possible; for closed-source programs, use disassembly / layout analysis with explicit limits on certainty.
  • Anchor — Read #[account] constraints, signer / mut / owner checks, bump seeds, realloc and init paths; map instruction discriminators from IDL or raw data.
  • Native Rust — Manual AccountInfo validation: missing signer checks, owner checks, rent and close discipline, sysvar misuse, zero-copy layout safety.
  • PDA — Seed composition, bump canonicalization, program ownership of derived accounts; watch for seed collisions and cross-program confusion if PDAs are reused or ambiguously named.
  • Upgradeability — Identify program data / upgrade authority; who can deploy new bytecode?
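The signer, owner and authority-match checks from the native Rust item above, as an added example that is not the skill's own code: `Pubkey` and `AccountInfo` are simplified stand-ins for the solana_program types (the vault layout, with the authority pubkey in bytes 0..32, is assumed), shown as the unchecked instruction shape beside the hardened one a reviewer expects.

```rust
// Added example (not the skill's code): minimal stand-ins for the
// solana_program types so the checks run without the Solana crates.
#[derive(Clone, Copy, PartialEq, Eq, Debug)]
pub struct Pubkey(pub [u8; 32]);

pub struct AccountInfo<'a> {
    pub key: &'a Pubkey,
    pub owner: &'a Pubkey, // program that owns this account
    pub is_signer: bool,
    pub is_writable: bool,
    pub data: Vec<u8>, // assumed layout: bytes 0..32 hold the authority pubkey
}

#[derive(Debug, PartialEq, Eq)]
pub enum ReviewError { MissingSigner, WrongOwner, NotWritable, AuthorityMismatch, BadLayout }

/// Vulnerable shape: trusts whatever "authority" account the caller passes
/// and proceeds to mutate the vault without validating anything.
pub fn withdraw_unchecked(_vault: &AccountInfo, _authority: &AccountInfo) -> Result<(), ReviewError> {
    Ok(()) // no signer, owner or authority-match check: any caller succeeds
}

/// Hardened shape: the checks a reviewer expects before state is mutated.
pub fn withdraw_checked(
    program_id: &Pubkey,
    vault: &AccountInfo,
    authority: &AccountInfo,
) -> Result<(), ReviewError> {
    // 1. The authority must actually have signed the transaction.
    if !authority.is_signer {
        return Err(ReviewError::MissingSigner);
    }
    // 2. The vault must be owned by this program, or its data cannot be trusted.
    if vault.owner != program_id {
        return Err(ReviewError::WrongOwner);
    }
    // 3. A state-mutating instruction needs the vault marked writable.
    if !vault.is_writable {
        return Err(ReviewError::NotWritable);
    }
    // 4. The signer must match the authority recorded in the vault's own data.
    let stored = vault.data.get(..32).ok_or(ReviewError::BadLayout)?;
    if stored != &authority.key.0[..] {
        return Err(ReviewError::AuthorityMismatch);
    }
    Ok(())
}
```

In a real Anchor program the same four checks are what `Signer<'info>`, `Account<'info, T>` (owner check) and `#[account(mut, has_one = authority)]` express declaratively; their absence in native code is what the review step looks for.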
More from agentic-reserve/blockint-skills
Installs: 10
First seen: Apr 15, 2026