Neodyme
Nov 12, 17 tweets, 6 min read
Who **actually** controls the largest projects on #solana? What's the deal with Upgrade Authorities? Are your funds more safu in DeFi contracts than they were on #FTX?

Let's find out 🧵👇
For this thread, we analysed the Upgrade Authorities of the top 10 TVL projects on DefiLlama.
What are Upgrade Authorities (UAs)? 👮

UAs are the accounts in charge of changing a Solana program's code.

Naturally, they pose a huge security risk. If you control the UA, you control the smart contract and its funds.
However, they are a necessary evil.
If you want to fix a bug in a program, or add new features, this is done through UAs.
For more info on UAs, check our blog post from June: blog.neodyme.io/posts/solana_u…
Of the 10 projects analysed, here is what we found about their upgrade authorities (educated guesses):

- 3 have a hot wallet 💩
- 2 have a hardware wallet
- 5 have a multisig or DAO

Many are currently migrating to a mixed solution.
(This is pretty bad tbh)
How to verify this yourself? 🔬
(Note that this only gives you information on how upgrades were handled so far)
First, you need to find the program address of the dApp you are trying to investigate. There are many ways to do this: Often, it is listed in the docs or open source code.
If not, you can try and see if a block explorer like solscan already knows the address of that dApp by its name. Finally, you can also do a test transaction and view the program it interacts with on-chain.
Once you have the program address, you can use any explorer of your choice to find its upgrade authority: it's listed directly on the program's explorer page. You can also see the address of the program data account and the last slot in which it was changed.
[Image: Solana explorer showing Upgrade Authority, Program Data, Last Deplo…]
Using the explorer, you can navigate to the program data address. The transactions you see there are the program upgrades.
[Image: program upgrades]
Let's check the UA. If there are many transactions within a few seconds landing in the same slot, the upgrade authority is almost certainly managed by a hot wallet. OTOH, if the upgrades are managed using a multisig or DAO, you can see this by program invocations in the upgrade txs.
[Image: Hot wallet interactions]
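One way to do these checks programmatically, as an added example that is not part of the original thread: it decodes the ProgramData account bytes (the BPF upgradeable loader's bincode layout: u32 tag, u64 last-deployed slot, optional 32-byte upgrade authority) and applies the thread's same-slot / program-invocation heuristic to an upgrade history. The base58 encoder, the sample account bytes and the transaction list are constructed here; in practice the account bytes and upgrade transactions come from an RPC node or an explorer.

```python
import struct

B58 = "123456789ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz"
PROGRAMDATA_TAG = 3  # bincode enum tag of UpgradeableLoaderState::ProgramData
LOADER = "BPFLoaderUpgradeab1e11111111111111111111111"  # BPF upgradeable loader


def base58(raw: bytes) -> str:
    """Encode raw bytes in base58 (Solana address format); stdlib only."""
    n, out = int.from_bytes(raw, "big"), ""
    while n:
        n, rem = divmod(n, 58)
        out = B58[rem] + out
    leading_zeros = len(raw) - len(raw.lstrip(b"\0"))
    return "1" * leading_zeros + out


def parse_program_data(data: bytes) -> dict:
    """ProgramData layout: u32 tag | u64 slot | u8 option | [32-byte pubkey] | ELF."""
    tag, slot, has_authority = struct.unpack_from("<IQB", data, 0)
    if tag != PROGRAMDATA_TAG:
        raise ValueError(f"not a ProgramData account (tag {tag})")
    # Option::None (0) means the program is immutable: nobody can upgrade it.
    authority = base58(data[13:45]) if has_authority else None
    return {"last_deployed_slot": slot, "upgrade_authority": authority}


def classify_upgrades(upgrade_txs: list) -> str:
    """Thread's heuristic: extra program invocations in the upgrade txs point to a
    multisig/DAO flow; several upgrade txs landing in one slot point to a scripted
    hot wallet. A lone signer could still be either a hot or a hardware wallet."""
    if any(p != LOADER for tx in upgrade_txs for p in tx["programs"]):
        return "multisig/DAO"
    slots = [tx["slot"] for tx in upgrade_txs]
    if len(slots) != len(set(slots)):
        return "hot wallet"
    return "single signer (hot or hardware wallet)"


# Constructed sample account bytes, not real on-chain data: tag 3, slot 150000000,
# authority set to the all-zero key, followed by a fake ELF header.
SAMPLE_PROGRAMDATA = struct.pack("<IQB", PROGRAMDATA_TAG, 150_000_000, 1) + bytes(32) + b"\x7fELF"
# Constructed upgrade history: two upgrades landed in the same slot, loader only.
SAMPLE_UPGRADES = [{"slot": 100, "programs": [LOADER]}, {"slot": 100, "programs": [LOADER]}]

if __name__ == "__main__":
    print(parse_program_data(SAMPLE_PROGRAMDATA))
    print(classify_upgrades(SAMPLE_UPGRADES))
```

An authority of None means the program is immutable, which is the one case where no upgrade key exists to be compromised at all.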
If you see a hot wallet, or even a hardware wallet, being used as an upgrade authority for a major dApp, be careful when interacting with it. ⚠️ They potentially have the power to rug pull all of your funds.
We've been pushing for more transparency in upgrade authority handling for some time now.

If you see a large project using a hot wallet or hardware wallet, you can help us by asking them why they haven't migrated to a multisig. Stay safe out there.
If you are running a large project and are still using a hot, or even cold wallet instead of a multisig or DAO,

MIGRATE IT!
We gave a talk at #Breakpoint @SolanaConf about this topic last week. Follow us to get notified once it's online!
