Summary
Following our discussion on Twitter, I’m opening this meta-issue to track a set of proposed static analysis rules and testing enhancements for the analyzer. These aim to strengthen detection of PDA/account-level security issues, arithmetic vulnerabilities, and protocol invariants, especially in complex Anchor-based programs.
Why it matters
The analyzer already has a strong foundation with syn + anchor-syn for AST traversal and macro expansion. The following rules will extend coverage into high-impact areas where subtle bugs can lead to exploits in production Solana programs (e.g., AMMs, lending markets, governance systems).
Planned individual issues
Each will be filed separately with detailed examples, proposed approaches, and minimal test cases:
1. PDA seeds/signing consistency across CPIs
2. Taint user-controlled seed bytes without guard constraint
3. Bump/endianness drift + init/realloc/close hygiene
4. Math lints for unchecked u128 ops + Q64.64 precision + missing slippage/invariant bounds
5. Testing corpus including Anchor examples, SPL programs, and a “mutant” broken-seed suite
6. Real-world performance & accuracy test: Fluxa Protocol (~16k+ LOC)
7. Developer experience improvements: GitHub Action + SARIF output
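As an added illustration of what item 4 is about (this is example code written for this issue, not code from the analyzer, from Anchor, or from Fluxa Protocol), the block below shows the three arithmetic patterns a math lint would look for in an AMM-style program: a bare `*` on `u128` that wraps silently, a Q64.64 multiply whose 128-bit intermediate overflows even though the result fits, and a swap step that enforces a slippage floor and re-checks the constant-product invariant. The function and type names (`mul_q64_wide`, `swap`, `MathError`) are assumptions chosen for the example; the reserve and amount values are constructed.

```rust
// Added example for this issue (not code from the analyzer or from Fluxa):
// the arithmetic patterns the proposed math lints target, in checked form.
// Q64.64 fixed point: 64 integer bits, 64 fractional bits, held in a u128.
use std::convert::TryFrom;

pub const Q64_ONE: u128 = 1u128 << 64;

#[derive(Debug, PartialEq, Eq)]
pub enum MathError {
    Overflow,
    DivideByZero,
    Slippage { out: u64, min_out: u64 },
    InvariantViolated { k_before: u128, k_after: u128 },
}

/// Convert a whole-number amount to Q64.64.
pub fn to_q64(whole: u64) -> u128 {
    (whole as u128) << 64
}

/// The pattern the lint flags: a bare `*` on u128 wraps in release builds
/// (`wrapping_mul` makes that behaviour explicit here). 2.0 * 0.5 needs a
/// 129-bit intermediate, so the product wraps to 0 and the caller gets 0.0.
pub fn mul_q64_unchecked(a: u128, b: u128) -> u128 {
    a.wrapping_mul(b) >> 64
}

/// First fix: `checked_mul` turns the silent wrap into an error. Correct, but
/// it still rejects products whose *final* value fits, e.g. 2.0 * 0.5.
pub fn mul_q64_checked(a: u128, b: u128) -> Result<u128, MathError> {
    a.checked_mul(b).map(|p| p >> 64).ok_or(MathError::Overflow)
}

/// Better fix: split both operands into 64-bit halves so every partial
/// product fits in u128, and only fail when the result itself exceeds Q64.64.
pub fn mul_q64_wide(a: u128, b: u128) -> Result<u128, MathError> {
    let (a_hi, a_lo) = (a >> 64, a & (Q64_ONE - 1));
    let (b_hi, b_lo) = (b >> 64, b & (Q64_ONE - 1));
    // (a_hi*2^64 + a_lo)(b_hi*2^64 + b_lo) / 2^64
    //   = a_hi*b_hi*2^64 + a_hi*b_lo + a_lo*b_hi + (a_lo*b_lo)/2^64
    let hi = (a_hi * b_hi).checked_mul(Q64_ONE).ok_or(MathError::Overflow)?;
    hi.checked_add(a_hi * b_lo)
        .and_then(|s| s.checked_add(a_lo * b_hi))
        .and_then(|s| s.checked_add((a_lo * b_lo) >> 64))
        .ok_or(MathError::Overflow)
}

/// Constant-product output amount with every intermediate in checked u128.
/// A u64*u64 product always fits u128, but the lint wants the intent explicit.
pub fn constant_product_out(reserve_in: u64, reserve_out: u64, amount_in: u64) -> Result<u64, MathError> {
    let numerator = (reserve_out as u128)
        .checked_mul(amount_in as u128)
        .ok_or(MathError::Overflow)?;
    let denominator = (reserve_in as u128)
        .checked_add(amount_in as u128)
        .ok_or(MathError::Overflow)?;
    if denominator == 0 {
        return Err(MathError::DivideByZero);
    }
    // Integer division rounds down, which favours the pool over the taker.
    u64::try_from(numerator / denominator).map_err(|_| MathError::Overflow)
}

/// A swap step with the two bounds the lint looks for: a caller-supplied
/// slippage floor and the k = x*y invariant re-checked after the update.
/// Returns (new_reserve_in, new_reserve_out, amount_out).
pub fn swap(reserve_in: u64, reserve_out: u64, amount_in: u64, min_out: u64) -> Result<(u64, u64, u64), MathError> {
    let out = constant_product_out(reserve_in, reserve_out, amount_in)?;
    if out < min_out {
        return Err(MathError::Slippage { out, min_out });
    }
    let new_in = reserve_in.checked_add(amount_in).ok_or(MathError::Overflow)?;
    let new_out = reserve_out.checked_sub(out).ok_or(MathError::Overflow)?;
    let k_before = (reserve_in as u128).checked_mul(reserve_out as u128).ok_or(MathError::Overflow)?;
    let k_after = (new_in as u128).checked_mul(new_out as u128).ok_or(MathError::Overflow)?;
    if k_after < k_before {
        return Err(MathError::InvariantViolated { k_before, k_after });
    }
    Ok((new_in, new_out, out))
}

fn main() {
    let half = Q64_ONE / 2; // 0.5 in Q64.64
    println!("{:?}", mul_q64_unchecked(to_q64(2), half)); // 0: silently wrong
    println!("{:?}", mul_q64_checked(to_q64(2), half));   // Err(Overflow)
    println!("{:?}", mul_q64_wide(to_q64(2), half));      // Ok(18446744073709551616) = 1.0
    println!("{:?}", swap(1_000_000, 1_000_000, 1_000, 999)); // Ok((1001000, 999001, 999))
}
```

The three `mul_q64_*` variants are the minimal "trigger / pass" pair the lint needs as a unit test: `mul_q64_unchecked` is what a rule for bare `u128` ops should report, `mul_q64_checked` passes that rule but shows why a separate Q64.64 precision rule is worth having, and `mul_q64_wide` passes both.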
Notes
• I can contribute real-world examples from Fluxa Protocol for stress testing.
• For PDA-related rules, I’ll provide minimal Anchor snippets that both trigger and pass the lint, so they can be used directly as unit tests.
• The goal is to automate as much logic as possible while minimizing false positives.