How Secure Is Solana, Really? Industry Analysts Weigh in
Solana has popped up in the news frequently over the past several months in connection with a variety of outages and breaches, most recently a breach of Slope wallets that led to the theft of several million dollars’ worth of SOL.
Any concerns about the project’s reliability were compounded by a recent DeFiSafety report that gave Solana a technical risk score of 12 out of 100.
Still, as The New Stack’s Lawrence Hecht noted earlier this year, Solana’s project velocity is notable — the Cloud Native Computing Foundation recently listed it as one of the top projects in the open source community.
And Solana co-founder Anatoly Yakovenko suggested on Reddit that some growing pains are to be expected, writing, “What no one wants to talk about on this space is that if something took 2 years to build, it’s going to take 2 years to stabilize.”
Amid all the noise, it can be challenging to get a clear sense of the security and reliability of the project itself.
In a post summarizing his report’s findings, DeFiSafety protocol analyst Nick Sheaf warned, “Anyone who uses this chain subjects themselves to massive and at this point seemingly inherent technical risk and trust.”
Still, Sheaf wrote, “This is not to say that things won’t change: we know some of the biggest brains in this industry work on Solana. They just need to show the development process the respect it deserves.”
In the report, Solana’s total score dropped from 48 to 12 due to three incidents earlier this year: April 29 (a seven-hour outage when the network was flooded by an NFT project with a fixed floor), May 26 (Solana’s blockchain clock lost track of time), and May 31 (a four-hour outage due to a consensus failure).
Mohamad Abdulrazak, head of marketing at DeFiSafety, told The New Stack that in addition to those outages, transparency is also a key issue for the project, including lack of public data on archive nodes. “The thing about our scores is, we want to be transparent with everyone,” he said. “The space is open source — why can’t you be open on information?”
DeFiSafety’s scores, Abdulrazak said, are focused on raising standards of security and transparency, rather than an audit analysis of the code. “What we document, and then we give a score, is how they document the testing, security, oracles, and more,” Abdulrazak said. “Have they done or not, was there an audit performed by a third party? And is it a sufficient audit, such as a Token or Staking Audit?”
Overall, Abdulrazak said that Solana’s key strength lies in its low fees and transactions per second, due to its use of the PoH (Proof of History) algorithm. However, he said that advantage isn’t likely to last. “Everyone is tackling Ethereum on the gas fees at the moment, but once they merge, there will not be a miner fee to pay,” he said. “Everything will be done with [a] proof of stake network, which is more efficient, with less power consumption; and 90% of the issuance paid to miners will disappear.”
At that point, he suggested that Solana will no longer have much to offer. “They’re not trying to make something different,” he said. “Maybe they could say, ‘We’re not a copy of Ethereum because we’re not written in Solidity; we’re written in Rust’ — but they’re trying to do what Ethereum is projecting to do, which is faster transactions.”
Still, Jessica Groopman, industry analyst and founding partner at Kaleido Insights, told The New Stack that Solana’s challenges aren’t all that unusual in this space. “It’s not particularly abnormal or atypical, in terms of the security issues, and certainly the transparency issues, across the Web3 space and even DeFi generally,” she said.
Some of that can be attributed to the rushed timeline Yakovenko pointed to on Reddit. “Startups, long before blockchain and crypto, have struggled with security, have prioritized other things, and have been beholden to venture capital levels of growth — demands to prioritize growth over everything else,” Groopman said.
However, Groopman said there are some changes that Solana can and should make moving forward. “This could probably apply to too much of tech: slowing down and prioritizing not just security, but governance and accountability and transparency, much earlier on, as first principles of how things are built, deployed, and reevaluated over time,” she said.
It’s not too late to do so. “Obviously, Solana is up and running — it’s not a brand-new tool — but that doesn’t mean that it can’t be evaluated, audited, and reconfigured towards that,” she said.
It’s important to keep in mind, Groopman said, that the Web3 space is facing an entirely new range of security threats. “If we were to draw a line between traditional security threats like phishing or endpoint attacks, versus Web3 security attacks like rug pulls or ice phishing or cryptojacking or even bridge exploits, it’s a whole new world — not just in terms of security mitigations, but also security risks,” she said.
That’s partially due to the fact that hackers no longer have to do anything to monetize stolen data. “When we’re talking about the financialization of IT architecture — as in millions or billions of dollars literally tracked by blockchain-enabled applications — that encloses significant value directly into the hack,” Groopman said.
And that makes it all the more important to address any potential vulnerabilities, adding weight to some of the concerns raised by DeFiSafety. “This is something that is fundamentally unique, in terms of what’s in it for bad actors, or even from a standpoint of human error — not going over code, not inviting third-party audits as much as possible, not being transparent,” Groopman said.
At the same time, Jared Klee, an analyst in residence at Futurum Research, told The New Stack that in looking at Solana, it’s crucial to consider the blockchain trilemma, Ethereum co-founder Vitalik Buterin’s idea that there’s an inevitable tradeoff between decentralization, scalability, and security. “So the question is, when you go to build a new system, a layer one network, what do you optimize for? And there’s no right answer to that,” he said.
Seen through that lens, Klee said, Solana simply picked a different focus from, say, Bitcoin or Ethereum. “They said, first, we’re going to be willing to give up on some of that decentralization — we’re willing to tolerate something slightly more centralized — and two, rather than have transaction fees go up, when lots of transactions get sent to the network, we’re basically just going to fall over.”
Stellar, Klee said, made a similar choice regarding optimization. “They gave up on availability and uptime — you can overwhelm the Stellar network,” he said. “You can continue to guarantee, even as the network falls over, that all of the nodes stay in sync, meaning that the ledger for the transactions that have been successfully processed — the transactional history — is the same across the entire network.”
Seen from that perspective, the issues regarding uptime raised by DeFiSafety don’t speak to security — they just speak to uptime. And Solana, Klee said, is never going to have the uptime of, say, an IBM mainframe. “That would be a different optimization from saying, ‘I can guarantee that transactions will always be cheap, and the ledger will always be consistent, but I’m willing to tolerate the thing falling over from time to time.’”
Still, Klee said that Solana does have some shortcomings. “Where I think they’ve fallen down is they’ve traded off, short-term — I hope short-term — more centralization, not great documentation, not all the Ts and Cs that you would want, not all of the crossed t’s and dotted i’s in terms of getting stuff audited,” he said.
However, Klee said, the absence of some of those operational processes is unsurprising for such a fast-moving company. “Would I expect a two-year-old company to have them? Absolutely not. Would I expect something the size and value of Solana, supporting the volume of stuff they do, to have them? Absolutely. And so we’re kind of at this halfway point — we’ve got a bit of both worlds.”
At that halfway point, Klee said, any popular open source project like Solana has a lot of eyeballs examining it on daily basis, which is both a positive and a negative. “Over time, it becomes hardened, which is great, because you have more people looking at it,” he said. “Near term, you have more people looking at it so there’s a bigger chance of nefarious actors screwing things up.”
From an ecosystem standpoint, Klee said, it would certainly be better if Solana proceeded more slowly. “But let’s assume that Solana did that,” he said. “Someone else would fork the code, move quickly, scale up, raise the money, and just beat them to the punch. So I get why they’re pursuing this strategy. They took money off the table when it was available, and they scaled up per user demand.”
In the interim, Klee said, the issues observed by DeFiSafety aren’t particularly surprising. “Yes, I wish they would do it better — and yes, I understand the trade-off that they made,” he said. “It looks, feels, acts like a growing pain, and I expect it to be solved in a two-, three-, four-year timeframe — ideally faster, but realistically, they’ve got to support continually exponential user growth while they’re doing all the things it means to become a grown-up, hardened platform.”