YEAR-END REPORT

Solana Security Ecosystem Review

2025

At a Glance

Exploits

Fewer on-chain smart contract exploits on Solana in 2025 (US$ 8mn), down from the 2022 peak (US$ 550mn), even as activity and TVL grew

Audits Analyzed

163 Solana security reviews examined, spanning 1,669 recorded vulnerabilities

Finding Density

Average of 10 issues per audit, with 1.4 High or Critical vulnerabilities in each review

Vulnerability Themes

The most severe issues concentrate in business logic flaws, access control failures, and protocol design weaknesses

A Quick Note

We spend most of the year reviewing Solana programs one code base at a time. Across that work, patterns emerge - how bugs cluster, which security practices help, and where things can still go wrong even after an audit - but those patterns rarely live in one place.

This report is our attempt to put structure around what we are seeing: to quantify what audits actually uncover on Solana, place that evidence next to publicly reported incidents on-chain, and connect both to the design and operational choices development teams were making.

The aim is to give builders, reviewers and ecosystem participants a shared reference point for how Solana security is evolving and where attention is likely to matter most in the next year.

Security Reviews

Results

We analyzed 163 Solana security audits drawn from a mix of publicly released reports and anonymized Sec3 review engagements. Together these reviews produced 1,733 findings, of which 1,669 qualified as vulnerability-level issues.

Findings Per Review: 10.3
Median Findings: 7
Range Per Review: 1 to 112

99.4% of audits in our dataset identified vulnerabilities

162 of 163 reviews identified at least one vulnerability

Severity Distribution

Distribution of 1,669 Vulnerabilities

Informational: 33.9%
Low: 32.2%
Medium: 20.2%
High: 8.4%
Critical: 5.3%

Medium+: 76% of reviews contained at least one medium-or-higher issue

High+: 51% of reviews contained at least one high-or-critical issue

Critical+: 23% of reviews contained at least one critical issue

What Vulnerabilities Dominate

Among findings with clear classifications (approximately 70% of the total dataset):

All Classified Findings

Business Logic: 38.5%
Input Validation & Data Hygiene: 25%
Access Control & Authorization: 19%
Data Integrity & Arithmetic: 8.9%
Denial of Service & Liveness: 8.5%

High + Critical Only

Business Logic: 36.9%
Input Validation & Data Hygiene: 27.9%
Access Control & Authorization: 20.7%
Data Integrity & Arithmetic: 8.9%
Denial of Service & Liveness: 5.6%

Serious issues overwhelmingly stem from business logic, permissions, and validation errors rather than low-level arithmetic or liveness problems. The combined share of the top 3 categories rises from 82.5% of all classified findings to 85.5% of all severe (High + Critical) findings.
