Liquid Stake with compassSOL for an 8.82% APY from staking, MEV + fees

Enjoy the freedom of liquid staking in Solana Defi while delegating your stake to the high performance Solana Compass validator. Stake or unstake at any time here, or with a Jupiter swap.

Benefit from our high staking returns and over 2 years experience operating a Solana validator, and receive additional yield from priority fees + MEV tips

Earn 7.0% APY staking with Solana Compass

Help decentralize and secure the Solana network delegating your stake to us and earn an impressive 7.0% APY yield on your SOL, while supporting us to create new guides and tools. Learn more

Stake your SOL

  1. Click to connect your wallet
  2. Enter the amount you wish to stake
  3. Kick back and enjoy your returns
  4. Unstake from your wallet or our staking dashboard

Earn 7.0% APY staking with Solana Compass

Help decentralize and secure the Solana network delegating your stake to us and earn an impressive 7.0% APY yield on your SOL, while supporting us to create new guides and tools.

Learn more

Breakpoint 2024: Product Keynote: Safe Solana Stack Smashing by OtterSec (Robert Chen)

By breakpoint-24

Published on 2024-09-20

OtterSec's Robert Chen reveals critical Solana compiler bug causing stack corruption and potential security risks

The notes below are AI generated and may not be 100% accurate. Watch the video to be sure!

In a revealing presentation at Breakpoint 2024, Robert Chen of OtterSec exposes a critical bug in the Solana compiler that's been causing headaches for developers over the past year. This pervasive issue, known as stack smashing, can lead to mysterious state changes in Solana programs, potentially compromising their security and functionality.

Summary

Robert Chen's talk at Breakpoint 2024 sheds light on a significant bug in the Solana compiler that has been affecting developers for about a year. The bug, related to stack corruption, can cause Solana programs to unexpectedly change their state, leading to potential security vulnerabilities and unpredictable behavior.

The presentation delves into the technical details of how this bug manifests, using assembly-level explanations to illustrate the problem. Chen demonstrates how seemingly safe Rust code can lead to stack overflows and variable corruption due to the compiler's mishandling of stack allocations.

Importantly, Chen offers practical advice for developers to detect and mitigate this issue. He emphasizes the importance of paying attention to compiler warnings, especially those related to stack frame sizes, and suggests enabling stack frame gaps as a preventive measure.

This revelation is crucial for the Solana ecosystem, as it affects the reliability and security of smart contracts and other programs running on the blockchain. Developers need to be aware of this issue to ensure the integrity of their applications and the safety of user funds and data.

Key Points:

Root Cause of the Bug

The root cause of the stack smashing bug lies in the Solana compiler itself. This bug has been present for about a year and affects how the compiler handles stack allocations. When a program allocates memory on the stack that exceeds the standard stack frame size (4096 bytes or 0x1000 in hexadecimal), it can lead to corruption of variables in the previous stack frame.

This issue is particularly insidious because it can occur in code that appears completely safe and valid Rust. The compiler does not prevent these allocations but instead issues warnings that can be easily overlooked by developers. As a result, programs may exhibit unexpected behavior or even crash without any apparent reason in the source code.

Manifestation of the Bug

Chen provides several examples to demonstrate how this bug manifests. In one case, a function allocates a large array on the stack, just exceeding the stack frame size by one byte (4097 bytes or 0x1001). This seemingly innocuous allocation causes the program to crash, overwriting variables from the previous stack frame.

The presentation goes into detail about the assembly-level operations that occur during these function calls. Chen explains how the stack pointer (R10 register) is manipulated and how memory allocations that exceed the stack frame size can overwrite data from previous function calls. This low-level explanation helps developers understand why their programs might be experiencing mysterious state changes or crashes.

Detection and Prevention

To help developers detect and prevent this issue, Chen offers several practical recommendations. First and foremost, he emphasizes the importance of paying close attention to compiler warnings, especially those related to stack frame sizes. These warnings, which are not errors and thus don't prevent compilation, can be crucial indicators of potential stack overflow issues.

Chen also introduces the concept of stack frame gaps as a preventive measure. Enabling stack frame gaps causes the compiler to insert protected memory areas between stack frames, making it much more likely to catch stack overflow issues before they cause data corruption or crashes. This feature can be a powerful tool in a developer's arsenal for ensuring the stability and security of their Solana programs.

Lastly, for those willing to dive deep into the issue, Chen suggests analyzing the assembly code generated by the compiler. While this approach requires a higher level of technical expertise, it can provide valuable insights into how the program is actually managing memory and stack allocations.

Facts + Figures

  • The stack smashing bug has been affecting Solana developers for approximately one year
  • Standard stack frame size in Solana is 4096 bytes (0x1000 in hexadecimal)
  • Allocating just one byte over the stack frame size (4097 bytes) can cause program crashes
  • The bug can cause unexpected state changes in Solana programs
  • Compiler warnings about stack frame sizes are crucial indicators of potential issues
  • Enabling stack frame gaps can help catch almost every stack overflow issue
  • The bug affects seemingly safe Rust code, making it particularly dangerous
  • Assembly-level analysis reveals how stack pointer (R10 register) manipulation leads to data corruption
  • The issue is not caught as an error during compilation, only as a warning

Top quotes

  • "This is a pretty pervasive problem since around a year ago. The root cause is a bug in the Solana compiler."
  • "If you are a Solana developer, you might have seen this if your Solana program randomly and mysteriously changes its state."
  • "The purpose of this talk is to hopefully make this issue legible to more Solana developers."
  • "Importantly, this is a warning, not an error. If you don't look carefully at your compilation logs, you can end up ignoring this."
  • "If you're writing a Solana program, the implication here is that your code can-- this is completely safe Rust code. You're not doing anything magical here, but because you allocated a lot of bytes on the stack, you overwrote a very-- one of the previous functions."

Questions Answered

What is the stack smashing bug in Solana?

The stack smashing bug is a critical issue in the Solana compiler that has been affecting developers for about a year. It occurs when a program allocates memory on the stack that exceeds the standard stack frame size of 4096 bytes, leading to corruption of variables in the previous stack frame. This can cause Solana programs to unexpectedly change their state or crash, even with seemingly safe Rust code.

How does the stack smashing bug manifest in Solana programs?

The bug manifests when a function allocates a large amount of memory on the stack, typically just exceeding the stack frame size. For example, allocating 4097 bytes (one byte over the limit) can cause the program to crash by overwriting variables from the previous stack frame. This occurs because the compiler doesn't prevent these allocations but only issues warnings that can be easily overlooked by developers.

What are the potential consequences of the stack smashing bug?

The consequences of this bug can be severe. It can lead to unexpected state changes in Solana programs, potentially compromising their security and functionality. This could result in unpredictable behavior, data corruption, or even vulnerabilities that could be exploited by malicious actors. For decentralized applications and smart contracts, this could mean loss of funds or unauthorized access to sensitive information.

How can Solana developers detect and prevent the stack smashing bug?

Developers can detect and prevent this issue by paying close attention to compiler warnings, especially those related to stack frame sizes. Enabling stack frame gaps is also recommended, as it causes the compiler to insert protected memory areas between stack frames, making it easier to catch stack overflow issues. For more in-depth analysis, developers can examine the assembly code generated by the compiler to understand how memory and stack allocations are being managed.

Why is the stack smashing bug particularly dangerous?

This bug is especially dangerous because it can occur in code that appears completely safe and valid Rust. It's not caught as an error during compilation, only as a warning, which means it can easily slip through code reviews and testing. The bug can cause subtle and hard-to-reproduce issues, making it challenging to diagnose and fix. For the Solana ecosystem, this poses a significant risk to the reliability and security of smart contracts and other blockchain applications.


Related Content

Breakpoint 2023: Explorers, Interpreting Information for the Masses

Key figures in the Solana ecosystem discuss the challenges and the future of data interpretation for users and developers.

Breakpoint 2023: Leveraging AI To Bolster Smart Contract Security

Discover how a security research firm is utilizing AI to enhance the security of smart contracts in blockchain.

Solana Changelog - August 15th, 2022 - Stack Exchange, Token 2022 & MinContext Slot

Exciting Solana ecosystem updates: Stack Exchange public beta, Token 2022 release, MinContext Slot improvements, and Seahorse lang gaining traction

Breakpoint 2024: Product Keynote: Data Transfers at the Speed of Light

David Rhodus introduces Pipe Network, a revolutionary content delivery system for Solana

Breakpoint 2024: Product Keynote: In the Blink of an Eye

Chris Osborn introduces Blinks, a revolutionary technology changing how we interact with the internet

Breakpoint 2023: Program Runtime v2

The latest updates on Solana's Program Runtime v2 aim to enhance efficiency, composability, and ease of use for developers.

Breakpoint 2024: Product Keynote: Code Wallet (Tanner Philp)

Code Wallet introduces innovative tip carts, enabling content creators to build authentic communities and monetize their work on Solana.

Breakpoint 2023: Account Abstraction on Solana

Squads Labs presents the innovative account abstraction protocol on Solana, revolutionizing security and usability for developers and users.

Breakpoint 2023: Creating Great Content

Content creator Solandy shares insights on producing engaging and educational content, specifically for Solana development.

Breakpoint 2024: Keynote: ZK Compression (Swen Schaeferjohann, Nicolas Pennie)

Solana introduces ZK compression to scale the network, reduce costs, and enable new use cases

Breakpoint 2024: Product Keynote: Kamino (Marius C.)

Kamino announces major upgrades and expansion plans for its DeFi protocol on Solana

Solana Changelog - Token Extensions and Transaction Size Fees

Discover the latest Solana updates including token extensions, transaction size fees, and developer resources in this comprehensive changelog.

Breakpoint 2023: Measuring Solana's Carbon Footprint in Real Time

A look at how TriCarbonara measures Solana's network carbon emissions in real-time.

Breakpoint 2023: Ensuring the Safety of SBF Programs Through Formal Verification

A deep dive into making Solana contracts safer with Sertora's formal verification tool.

Breakpoint 2023: Under The Hood: Wallets and The Tech That Powers Them

An insightful peek into the Solana ecosystem's wallets and the innovative technologies ensuring both safety and user convenience.