Know your Solana program is secure before mainnet.
Proktor is the world's most advanced formal verification and security suite for Solana smart contracts. It combines 28 phases of mathematical proof, AI-driven "Thinking Mode" research, and lattice-based taint analysis to provide absolute confidence in your program's safety.
Proktor doesn't just "scan" code; it builds a multi-layered mathematical model of your program and attempts to prove safety properties across 4 specialized batches.
```mermaid
graph TD
    subgraph "Phase 1: Extraction & Parsing"
        A[Rust Source] --> B[syn AST Parsing]
        B --> C[Anchor Schema Extraction]
        C --> D[Instruction Logic Mapping]
    end
    subgraph "Phase 2: Core Analysis (Batch 1-11)"
        D --> E[Lattice Taint Tracking]
        D --> F[CFG & Dominator Proofs]
        D --> G[Abstract Interpretation]
        D --> H[Must-Not-Alias Analysis]
    end
    subgraph "Phase 3: Formal Verification (Batch 12-23)"
        E & F & G & H --> I[Z3 SMT Constraint Gen]
        I --> J{SMT Solver}
        J -- SAT --> K[Exploit Found]
        J -- UNSAT --> L[Proven Safe]
    end
    subgraph "Phase 4: Advanced Mathematical Proofs (Batch 24-28)"
        L --> M[Octagon Relational Domain]
        M --> N[Separation Logic Heap Proofs]
        N --> O[CTL Temporal Logic Checking]
    end
    subgraph "Phase 5: AI-Enhanced Triage"
        K --> P[Kimi K2.5 Thinking Mode]
        P --> Q[Proof-of-Concept Exploit]
        Q --> R[Secure Code Fix]
    end
    R --> S[Final Security Report]
    L --> S
```
Proktor converts Rust arithmetic and access control predicates into Z3 Bitvector (BV64) constraints.
- Automated Overflow Proofs: Prove `a + b` cannot overflow for any `u64` input.
- Division-by-Zero Freedom: Mathematically guarantee divisors are never zero.
- Counterexample Generation: If a bug exists, Z3 finds the exact inputs needed to trigger it.
Implements a formal information-flow system over a 6-level security lattice:
- Lattice: `Untainted (⊥) ⊑ AccountInput ⊑ ExternalData ⊑ Tainted (⊤)`
- Detects untrusted user data reaching privileged "sinks" like `invoke_signed` or `transfer`.
- Uses a chaotic iteration worklist algorithm to find the least fixed point of data contamination.
- Interval Domain: Tracks `[min, max]` ranges for every variable, including loop widening/narrowing.
- Octagon Domain: Captures relational constraints like `amount ≤ balance` using Difference Bound Matrices (DBMs).
- Builds a full Control Flow Graph from the AST.
- Computes Dominator Trees to prove that an authorization check must execute before any token transfer.
- Validates Checks-Effects-Interactions via state-mutation dominance over CPI calls.
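
The dominator argument above, as an added example that is not Proktor's own code: an iterative dominator computation over two constructed CFGs, reporting any transfer node that the authorization check does not dominate. The node numbering, the edge lists, and the function names are assumptions made for illustration.

```rust
// Added illustration, not Proktor's code. CFG nodes are indices 0..n (n <= 63);
// bit i of dom[v] set means "node i dominates node v".

/// Iterative dominator sets: Dom(entry) = {entry};
/// Dom(v) = {v} ∪ ⋂ Dom(p) over predecessors p, repeated to a fixed point.
fn dominators(n: usize, edges: &[(usize, usize)], entry: usize) -> Vec<u64> {
    let all = (1u64 << n) - 1;
    let mut dom = vec![all; n];
    dom[entry] = 1 << entry;
    let mut changed = true;
    while changed {
        changed = false;
        for v in (0..n).filter(|&v| v != entry) {
            // Intersect the dominator sets of every predecessor of v.
            let meet = edges.iter().filter(|e| e.1 == v).fold(all, |m, e| m & dom[e.0]);
            let next = meet | (1 << v);
            if next != dom[v] {
                dom[v] = next;
                changed = true;
            }
        }
    }
    dom
}

/// Transfer nodes that some path from the entry (node 0) reaches without
/// passing through `check`, i.e. nodes the check does not dominate.
fn unguarded(n: usize, edges: &[(usize, usize)], check: usize, transfers: &[usize]) -> Vec<usize> {
    let dom = dominators(n, edges, 0);
    transfers.iter().copied().filter(|&t| (dom[t] & (1 << check)) == 0).collect()
}

// Constructed handler A: 0 entry -> 1 signer check -> 2 math -> 3 transfer.
const SAFE: [(usize, usize); 3] = [(0, 1), (1, 2), (2, 3)];
// Constructed handler B: 0 entry branches; 1 signer check -> 3 transfer,
// but 2 (a branch with no check) also reaches 3.
const BYPASS: [(usize, usize); 4] = [(0, 1), (0, 2), (1, 3), (2, 3)];

fn main() {
    println!("safe:   {:?}", unguarded(4, &SAFE, 1, &[3]));
    println!("bypass: {:?}", unguarded(4, &BYPASS, 1, &[3]));
}
```

In handler B the transfer's dominator set is only {entry, transfer}, so the check is reported as bypassable even though one path does run it.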
Proktor includes a specialized supply chain security engine that protects against malicious dependencies.
| Layer | Technique | Protection |
|---|---|---|
| Advisory | Hash-matching | Blocks known backdoors (e.g., @solana/web3.js 1.95.6) |
| Typosquat | Levenshtein Distance | Detects solana-sdk vs solana-skd |
| Behavioral | Static Analysis | Flags runtime key exfiltration or clipboard hijacking |
| Source | Origin Verification | Blocks untrusted git/path dependency origins |
Powered by Kimi K2.5, Proktor provides expert-level technical analysis for every finding.
- Reasoning Traces: See the "chain-of-thought" as the AI researches the exploit vector.
- PoC Generation: Automatically generates executable Rust/TypeScript exploit scripts.
- Remediation: Provides high-quality, idiomatic secure code fixes.
Proktor is mapped against a proprietary database of the Top 100 Solana Vulnerabilities, including:
- Authentication: Missing Signer (SOL-001), Missing Owner (SOL-003).
- DeFi Logic: Price manipulation, Flash loan vectors, Slippage bypass.
- Solana Specifics: PDA Seed collisions, Account aliasing, Reinitialization.
- Formal Errors: Integer overflow (proven), Division by zero (proven).
```bash
curl -sSfL https://proktor.security/install.sh | sh
```

```bash
git clone https://github.com/brainless3178/proktor.git
cd proktor
cargo build --release -p proktor-cli
```

Launch the modern TUI dashboard to analyze your program:

```bash
proktor scan ./programs/my-program
```

Proktor is designed for CI. Use `.proktor.toml` to configure thresholds:

```toml
[scan]
min_severity = "high"
fail_on = "critical"
format = "sarif"

[engines]
z3_verification = true
taint_analysis = true
```

Copyright (c) 2026 Proktor Security. Distributed under the MIT License. See LICENSE for details.
Powered by Proktor Security Oracle • 52+ detectors • Z3 formal proofs