Native Programs Best Practices
Native code owns every security check. These practices keep programs small, readable, and resistant to common Solana exploits.
How to Use This List
- Review every new instruction against section A before merge.
- Maintain an account meta table in repo docs.
- Run
cargo build-sbfand LiteSVM tests in CI.
A - Explicit Validation
- Document account order in a table per instruction. Clients and auditors share one source of truth.
- Validate signers before writable data mutations. Stops unauthorized state changes.
- Verify PDAs with canonical bumps stored on-chain. Blocks seed brute-force attacks.
- Reject duplicate pubkeys in token paths. Prevents balance manipulation.
- Load sysvars via typed getters, not passed accounts. Avoids fake sysvar injection.
B - Structure & Clarity
- One handler function per instruction variant. Simplifies audits and testing.
- Centralize parse + dispatch in processor module. Single entry for instruction bytes.
- Keep helpers pure where possible. Easier unit tests on host.
- Publish error code enum matching on-chain values. Clients decode failures consistently.
- Version instruction schema with explicit byte. Supports upgrades without ambiguity.
C - Deploy & Ops
- Pin solana-program SDK to Agave 4.1.1 toolchain. Reproducible builds.
- Produce verifiable build artifacts. Users trust deployed bytecode.
- Snapshot CU per instruction in tests. Regression detection.
- Minimize dependencies in program crate. Smaller attack and binary surface.
- Zero data on close; route rent deliberately. Prevents revival attacks.
FAQs
Anchor team going native?
Often only hot paths, not whole app.
How many reviewers?
At least one Solana-security-focused reviewer.
IDL required?
Strongly recommended for clients.
Fuzz targets?
Instruction parser and account validator.
Use macros?
Small internal macros OK; avoid hidden control flow.
Module layout?
instruction, processor, state, error standard.
Clippy on SBF?
Run on host cfg tests.
Document CPIs?
List callee programs and privilege changes.
Immutable deploy?
Extra scrutiny before burning upgrade key.
Native + Token-2022?
Validate extension layouts explicitly.
Surfpool local?
Default dev environment per manifest.
Open source?
Encouraged for auditability.
Related
- Manual Account Validation - Checklist details
- Rust for Solana Best Practices - Language habits
- Program Security Auditing - Audit prep
Stack versions: This page was written for Agave 4.1.1, Solana CLI 3.0.10, Anchor 0.32.1, anchor-lang 0.32.1, Rust 1.91.1, @solana/kit 7.0.0, Surfpool 0.12.0, and LiteSVM 0.6.x.