Solana security guidance · v1.0.1 · for Claude Code

Catch Solana bugs as you write them.

A drop-in security ruleset for Anthropic's Claude Code security-guidance plugin. Two files into your .claude/ folder and your IDE flags Solana-specific bug classes while you code — caller-controlled clock values, cross-market state asymmetry, wrapper handlers that drift from engine logic, missing Anchor constraints, and 16 more. SOL-001 covers two confirmed-exploitable bounty wins; the other 19 rules are documented Solana audit patterns.

[Screenshot: SOL-001 firing on a vulnerable Solana handler · drawn from Bounty 6 H2 (percolator-prog#107)]
Install — 30 seconds
mkdir -p .claude && \
  curl -sL https://raw.githubusercontent.com/Copenhagen0x/solana-security-guidance/v1.0.1/claude-security-guidance.md \
    -o .claude/claude-security-guidance.md && \
  curl -sL https://raw.githubusercontent.com/Copenhagen0x/solana-security-guidance/v1.0.1/security-patterns.yaml \
    -o .claude/security-patterns.yaml

Then run /plugin install security-guidance@claude-plugins-official followed by /reload-plugins in your Claude Code session.
Rules: 20 · Confirmed bounty wins (SOL-001): 2 · Maintainer-acknowledged: Lean proofs · License: MIT

Two files. Three review layers. 20 rules.

Anthropic's plugin reads two files from your repo's .claude/ folder. Our ruleset provides both, packaged for drop-in install.

claude-security-guidance.md

Plain-markdown threat model + 20-rule review checklist (7.4 KB, under Anthropic's 8 KB cap). Read by the plugin's model-backed reviews (end-of-turn diff review + commit review). Tells the reviewer what Solana-specific patterns to look for.

security-patterns.yaml

15 deterministic regex/substring patterns. Read by the plugin's per-edit pattern check (no model call — fires instantly when you save a file). Each rule has a one-line reminder under Anthropic's 1 KB cap, prefixed with Jelleo SOL-NNN: so you can trace any flag back to its source.

The two files work together. The YAML catches literal code patterns deterministically — fast, no model call, no cost. The Markdown extends the model-backed reviews with semantic guidance that catches the bug classes regex can't reach (cross-file reasoning, spec-vs-impl drift, authority confusion across modules).

Solana bug classes the plugin will flag.

SOL-001 covers two confirmed-exploitable bounty wins. The other 19 rules are documented Solana audit patterns — some from our disclosures (with maintainer-triage classifications noted), some from public bug-class taxonomy.

ID       Catches                                            Source
SOL-001  Unauthenticated now_slot / clock spoofing          2 bounty wins · #107 + #78 F33
SOL-002  Cross-market state asymmetry → counter inflation   Public class · #104
SOL-003  Wrapper handler re-implements engine logic         Pattern · #78 F1 (fixed in-flight)
SOL-004  Health/penalty terms omitted from calc             Pattern · #78 F2 (engine-side)
SOL-005  Anchor realloc() without guards                    Latent · #78 F12
SOL-006  Missing signer check on privileged handler         Generic Solana
SOL-007  Missing account.owner == program_id check          Generic Solana
SOL-008  Unverified PDA derivation                          Generic Solana
SOL-009  CPI without authority check                        Generic Solana
SOL-010  Reinit attack via init_if_needed                   Generic Solana
SOL-011  Lamport drain via account closure                  Generic Solana
SOL-012  Rent exemption check missing                       Generic Solana
SOL-013  Token Program ID confusion (Token vs Token-2022)   Generic Solana
SOL-014  Unchecked integer arithmetic                       Generic Solana
SOL-015  Anchor has_one/constraint= missing                 Generic Anchor
SOL-016  Bump seed not validated against canonical bump     Generic Solana
SOL-017  Raw AccountInfo without typed deserialize          Generic Solana
SOL-018  Hardcoded System Program ID literal                Generic Solana
SOL-019  Missing discriminator check on deserialize         Generic Solana
SOL-020  SetAuthority without prior verification            Generic Solana

Three review layers, fired automatically by Claude Code.

Anthropic's plugin reviews Claude's code edits at three points. Our files extend layers 1 and 2 with Solana-specific rules.

Layer 1 · On each file edit

Fast pattern match. No model call. No cost. The plugin reads .claude/security-patterns.yaml for regex/substring rules. Our file provides 15 deterministic patterns covering the bug classes that have clean textual signatures (caller-controlled now_slot, hardcoded program IDs, raw account access, unchecked integer arithmetic, missing discriminator checks, etc.).

Layer 2 · At the end of each turn

Background model review of the full diff. The plugin reads .claude/claude-security-guidance.md for semantic context. Our file provides the Solana threat model + 20-item review checklist — the patterns regex can't cleanly catch (spec-vs-impl drift, cross-file authority confusion, missing penalty terms in financial calc paths, wrapper handlers re-implementing engine logic).

Layer 3 · On each commit Claude makes

Deeper agentic review that reads surrounding code. Uses the same guidance file. Validates findings against your codebase's context before reporting.

Every time a rule fires, the reminder text includes the rule ID (Jelleo SOL-001:) and a link back to the GitHub source so you can see the underlying bounty case study.
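As an added illustration of what Layer 1 does (this is the editor's own code, not the project's security-patterns.yaml, and the plugin's YAML schema is not reproduced), a small Python scanner applies four deterministic rules keyed to the textual signatures of SOL-001, SOL-010, SOL-017 and SOL-018 to a constructed Anchor snippet and renders each hit with the Jelleo SOL-NNN: prefix described above. The regexes, reminder texts and the sample program are assumptions made for this example.

```python
import re

# Editor's own illustration of the plugin's Layer 1: deterministic regexes
# mapped to one-line reminders. The patterns and reminder texts are
# constructed here, not copied from the project's security-patterns.yaml.
RULES = [
    ("SOL-001", re.compile(r"\bnow_slot\s*:\s*u64\b"),
     "caller-supplied now_slot; take the slot from the Clock sysvar"),
    ("SOL-010", re.compile(r"\binit_if_needed\b"),
     "init_if_needed permits re-initialisation; prefer init or guard state"),
    ("SOL-017", re.compile(r":\s*AccountInfo\s*<"),
     "raw AccountInfo; use a typed Account<'info, T> so data is deserialised"),
    ("SOL-018", re.compile(r'"1{32}"'),
     "hardcoded System Program ID literal; use system_program::ID"),
]

def scan(source: str) -> list[tuple[int, str, str]]:
    """Return (line_number, rule_id, reminder) for each matching rule.
    A trailing // comment is dropped first, so commented-out code does not
    fire (simplification: '//' inside a string literal is also cut)."""
    hits = []
    for number, raw in enumerate(source.splitlines(), start=1):
        code = raw.split("//", 1)[0]
        hits += [(number, rid, msg) for rid, rx, msg in RULES if rx.search(code)]
    return hits

def format_flag(hit: tuple[int, str, str]) -> str:
    """Render a hit with the 'Jelleo SOL-NNN:' prefix the page describes."""
    number, rid, msg = hit
    return f"line {number}: Jelleo {rid}: {msg}"

# Constructed Anchor-style snippet: each rule fires exactly once; the comment
# on sample line 11 mentions now_slot: u64 but must stay silent.
SAMPLE = """\
#[derive(Accounts)]
pub struct Settle<'info> {
    #[account(init_if_needed, payer = user, space = 8 + 64)]
    pub market: Account<'info, Market>,
    /// CHECK: read without type checks
    pub oracle: AccountInfo<'info>,
    pub user: Signer<'info>,
}

pub fn settle(ctx: Context<Settle>, now_slot: u64) -> Result<()> {
    // now_slot: u64 here is only a comment and must not fire
    let sys = Pubkey::from_str("11111111111111111111111111111111").unwrap();
    Ok(())
}
"""
```

Matching is purely textual: the scanner cannot tell whether a flagged now_slot is ever cross-checked against the Clock sysvar elsewhere, which is the kind of cross-file reasoning the page leaves to the model-backed Layers 2 and 3.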

Honest provenance.

SOL-001 covers two confirmed-exploitable bounty wins. The rest are documented Solana patterns — some surfaced in our disclosures and classified by the maintainer as already-fixed, engine-side, or latent. We list both kinds because all are real attack surfaces, but we don't claim bounty credit we didn't earn.

  • SOL-001 · Two confirmed-exploitable bounty wins, same class. ACTIVATE branch at percolator-prog#107 (fixed in 6512fa1). RETIRE branch at percolator-cli#78 F33 (fixed in 3fd9b1d). Both maintainer-acknowledged via Lean theorem-prover models. Our suggested authenticated_slot_or_fallback patch shipped verbatim.
  • SOL-002 · Public class, not our bounty. The cross-market pnl_pos_bound_tot inflation class was publicly disclosed at percolator-prog#104 by another researcher. Included because the pattern is reproducible across perp-DEX programs.
  • SOL-003 · Pattern from our bounty 5 disclosure. F1 was in our #78 submission. Maintainer triage: F1 was independently fixed in 0925ed4 before our submission was triaged. Real pattern, not a paid bounty.
  • SOL-004 · Pattern from our bounty 5 disclosure. F2 in #78. Maintainer classified as engine-side, not reproduced at the wrapper layer; separate disclosure pending at aeyakovenko/percolator.
  • SOL-005 · Latent pattern from our bounty 5 disclosure. F12 in #78. Maintainer classified as latent — reachable only when the per-program 14-asset cap is lifted.

All published cycle reports with PoCs, LiteSVM tests, Kani proofs, and Ed25519 signatures: /cycles.

The remaining 15 rules (SOL-006 through SOL-020) cover documented Solana audit patterns — signer/owner/PDA verification, Anchor constraints, CPI authority, lamport drains, Token Program ID confusion, integer overflow, etc. Standard auditor checklist territory.

Paired vulnerable / fixed snippets.

5 paired examples in the GitHub repo — one per headline rule. Read the vulnerable.rs first, then compare against fixed.rs.

PRs welcome. Especially new rules from your own audits.

This ruleset compounds with every cycle. Each new bounty finding becomes a new rule. PRs from the community are how it grows beyond what one team can audit.

  • New rules from your own audits — include a reference to the disclosed finding so reviewers can validate the case
  • Tightened regexes that reduce false positives on real codebases
  • Additional vulnerable/fixed example pairs

Open an issue first if you're proposing a new rule category. Keep rules focused: each one should catch a single bug class with a low false-positive rate.

Source · github.com/Copenhagen0x/solana-security-guidance · MIT licensed.