Usage
Install prerequisites
System development libraries
sudo apt install libssl-dev libudev-dev
Rust
curl --proto '=https' --tlsv1.2 -sSf https://sh.rustup.rs | sh
Minimum Solana Configuration
Initialize default keypair file
This is only needed as part of program's initialization.
SOL isn't used for audit mode. Only needed for cleanup mode to send actual
cleanup transactions if any.
solana-keygen new
Targeted vulnerable account cleanup
The following command will revoke any existing delegations on all wallet:mint
pairs provided. Specify addresses for all mints that your organization supports
as well as every user deposit SOL wallet generated before epoch 216. Wallets
must be specified as the path to a keypair file in solana-keygen new format.
It may be necessary to run this command in multiple batches if the command line
is too long for the shell.
Dry-run
First a dry-run to be sure everything looks OK
cargo run -- cleanup \
--dry-run \
--mint MINT1_ADDRESS \
--mint MINT2_ADDRESS \
... \
--mint MINTN_ADDRESS \
DEPOSIT_SOL_WALLET1_PATH \
DEPOSIT_SOL_WALLET2_PATH \
... \
DEPOSIT_SOL_WALLETN_PATH
Effective run
If everything looks OK from the dry-run, run the same command again
with the --dry-run argument removed.
Targeted transaction history audit
The following will generate an audit report for the transaction history of each
token account, flagging suspicious and malicious behavior. As with
cleanup, specify the addresses for every
mint your organization supports as well as every user deposit SOL wallet
generated before epoch 216. Wallets must be specified as the path to a keypair
file in solana-keygen new format. It may be necessary to run this command in
multiple batches if the command line is to long for the shell.
Run
cargo run -- audit \
--mint MINT1_ADDRESS \
--mint MINT2_ADDRESS \
... \
--mint MINTN_ADDRESS \
DEPOSIT_SOL_WALLET1_PATH \
DEPOSIT_SOL_WALLET2_PATH \
... \
DEPOSIT_SOL_WALLETN_PATH | tee report.csv
Expected output
audit
Summary Reassigned Token Account Report
Status,Account Address,Owner Address,Set Owner Signature,Delegation Signature,Possibly Fraudulent Transfer and Burn Signatures
<Records for each address with Safe or other status>
...
If you only see the headers with no records, the pointed RPC URL might not have
full transaction history. Try to use other RPC by the -u option or edit the
solana cli config file on your environment.
Full vulnerable account cleanup
It is possible that an attacker created vulnerable accounts for mints that your
organization does not yet support in the hope that one day they will be supported
and deposits can be exploited. To clean up all potentially vulnerable accounts,
re-run the cleanup command, this time
omitting all --mint ... arguments. This process may take quite some time depending
on how many unique tokens have been sent to each wallet.
Disclaimer
All claims, content, designs, algorithms, estimates, roadmaps, specifications, and performance measurements described in this project are done with the Solana Foundation's ("SF") good faith efforts. It is up to the reader to check and validate their accuracy and truthfulness. Furthermore nothing in this project constitutes a solicitation for investment.
Any content produced by SF or developer resources that SF provides, are for educational and inspiration purposes only. SF does not encourage, induce or sanction the deployment, integration or use of any such applications (including the code comprising the Solana blockchain protocol) in violation of applicable laws or regulations and hereby prohibits any such deployment, integration or use. This includes use of any such applications by the reader (a) in violation of export control or sanctions laws of the United States or any other applicable jurisdiction, (b) if the reader is located in or ordinarily resident in a country or territory subject to comprehensive sanctions administered by the U.S. Office of Foreign Assets Control (OFAC), or (c) if the reader is or is working on behalf of a Specially Designated National (SDN) or a person subject to similar blocking or denied party prohibitions.
The reader should be aware that U.S. export control and sanctions laws prohibit U.S. persons (and other persons that are subject to such laws) from transacting with persons in certain countries and territories or that are on the SDN list. As a project based primarily on open-source software, it is possible that such sanctioned persons may nevertheless bypass prohibitions, obtain the code comprising the Solana blockchain protocol (or other project code or applications) and deploy, integrate, or otherwise use it. Accordingly, there is a risk to individuals that other persons using the Solana blockchain protocol may be sanctioned persons and that transactions with such persons would be a violation of U.S. export controls and sanctions law. This risk applies to individuals, organizations, and other ecosystem participants that deploy, integrate, or use the Solana blockchain protocol code directly (e.g., as a node operator), and individuals that transact on the Solana blockchain through light clients, third party interfaces, and/or wallet software.