Solana Vulnerabilities That Aren't
I published a post with Asymmetric Research about bug classes that keep showing up in audit reports, security courses, and LLM outputs—but which aren’t actually vulnerabilities.
Topics include:
- Reentrancy (not a thing in Solana)
- Closed account discriminators (removed from Anchor years ago)
- Float non-determinism (emulated, not hardware-dependent)
- Self-transfers always succeeding (they don’t)
- Partial state commitment (transactions are atomic)
- Unchecked CPI return values (they revert automatically)
Getting these right helps everyone focus on real issues. The post explains what changed, why the old advice persists, and how the Solana ecosystem continues to evolve.