Rust for Solana Best Practices
Habits that keep Solana programs safe, cheap to run, and easy to audit. Walk this list before mainnet deploy and during code review.
How to Use This List
- Use as a PR checklist for any instruction or account layout change.
- Pair with LiteSVM 0.6.x tests - rules here should have a test or lint where possible.
- Revisit after Agave or toolchain upgrades; CU costs and limits can shift.
A - Safety & Validation
- Validate every account's owner, signer, and writable flags before use. Prevents privilege escalation and account substitution.
- Use checked arithmetic for all token and lamport math. Eliminates wrap-based drain attacks.
- Reject duplicate account keys in financial instructions. Stops double-spend style confusions.
- Store canonical PDA bumps and verify seeds on-chain. Blocks bump hunting and PDA forgery.
- Return
ProgramErrorinstead of panicking. Fails cleanly with decodable codes.
B - Data & Layout
- Prefix accounts with a unique discriminator or version byte. Prevents type confusion attacks.
- Precompute
LENconstants and assertdata_len()at runtime. Avoids partial writes and parse panics. - Prefer fixed-size layouts for hot paths; use Borsh for variable tails. Balances CU and flexibility.
- Document and test schema migrations before upgrading programs. Protects live user funds.
- Zero account data on close and send rent to a defined recipient. Stops revival attacks.
C - Performance
- Cap loop bounds from user input length. Prevents CU exhaustion.
- Minimize
msg!and string formatting in production paths. Logs are expensive. - Audit
cargo treefor non-no_stddependencies. Keeps binaries building and small. - Measure CU with simulation in CI for critical instructions. Catches regressions early.
- Batch CPIs when semantics allow. Reduces per-invocation overhead.
FAQs
How is this different from Clippy?
Clippy covers Rust idioms; this list is Solana-specific security and ops.
Anchor vs native?
Many rules apply to both; native requires manual enforcement.
Minimum tests?
At least one happy path and one failure per instruction.
When to go zero-copy?
When profiling shows deserialize dominates CU.
Audit priority?
Focus validation, arithmetic, CPI, and PDA signing first.
Immutable programs?
Still matters - clients and indexers depend on stable errors.
Use rustfmt?
Yes - consistent layout helps reviewers.
Document account order?
Required for native; generate from Anchor IDL when possible.
CI build?
cargo build-sbf on every PR.
Surfpool in CI?
Recommended for fast integration tests with Agave 4.1.1 behavior.
semver for programs?
Version IDL and error tables with deployed program id.
Open source?
Publish verifiable build hashes with deploy.
Related
- Rust for Solana Basics - Section intro
- Native Programs Best Practices - Native-specific rules
- Program Security Auditing - Pre-audit prep
Stack versions: This page was written for Agave 4.1.1, Solana CLI 3.0.10, Anchor 0.32.1, anchor-lang 0.32.1, Rust 1.91.1, @solana/kit 7.0.0, Surfpool 0.12.0, and LiteSVM 0.6.x.