Every Finding is a real bug.

SPECTRE indexes your contract, indexer, and frontend together, runs cross-program rules across them, and catches the Token-2022 extension hazards that break vault custody when other scanners stay silent.

What SPECTRE catches

Six categories of Solana-specific risk, detected automatically.

Every finding ships with severity, exact file location, a regression test that fails on your code, and a verified patch. No noise, no triage-by-hand.

Vulnerability detection

Reentrancy attacks, integer overflow, and unsafe CPI calls, caught before they reach production.

Authority escalation

Surface privilege-escalation paths that could hand unauthorized access to critical program functions.

PDA seed validation

Catch missing seed derivation and bump validation issues that enable account spoofing.

Attack-path mapping

Trace multi-step exploit chains across your program to reveal complex attack vectors.

Rug-pull detection

Flag mint-authority retention, freeze-authority abuse, and supply-manipulation patterns.

Architectural smells

Surface missing account validation, unsafe deserialization, and structural weaknesses.

Proof-carrying findings

Every finding clears an executable verification loop before it reaches you.

Reproduced, patched, and verified before delivery. That is the bar for anything we ship.

Executable reproducer

Every finding ships with a regression test that fails on your code. We execute it before delivery in a sandbox we control. If the bug does not reproduce, the finding is dropped.

Verified patch

Every finding ships with a patch we have already verified makes the test pass. What you read is what we already proved.

Local model, no third-party API

Our pipeline runs on infrastructure we control. Your source never leaves the perimeter to OpenAI, Anthropic, or any external provider.

Human review on delivery

Findings that survive automated verification are read end-to-end by a human before they reach your inbox. Other scanners ship 26 and ask which 4 are real; we ship the ones we already proved.

How it works

Detect, reproduce, verify. Every finding clears all three gates.

STEP 01

Detect

We analyze your Anchor or native Rust program against 48+ Solana-specific patterns. Detection is deterministic and uses no AI.

STEP 02

Reproduce

Every candidate is reproduced as a regression test against your code. If the bug does not show up, the finding is dropped before it reaches you.

STEP 03

Verify

We then patch the code and require the test to pass. What survives is human-reviewed before delivery.

Section · 02

Index.

As a public good, we scanned 55 flagship Solana open-source projects. Here are the top ten by finding count, each with its dominant finding pattern. Visit our research page for the full breakdown.

  1. Jito Restaking · Restaking · QUAL-003 ×850 · 873 findings
  2. Tensor Marketplace · NFT · QUAL-003 ×405 · 424 findings
  3. Metaplex Bubblegum · cNFT · QUAL-003 ×403 · 413 findings
  4. Mango v4 · Perps · QUAL-003 ×189 · 199 findings
  5. Orca Whirlpools · AMM · QUAL-003 ×155 · 195 findings
  6. Kamino Lending · Lending · QUAL-003 ×145 · 151 findings
  7. MarginFi v2 · Lending · QUAL-003 ×119 · 126 findings
  8. Marinade Anchor · LST · QUAL-003 ×57 · 115 findings
  9. Jito Stake Pool · LST · QUAL-003 ×74 · 90 findings
  10. Kamino Scope · Oracle · QUAL-003 ×80 · 81 findings

Top 10 of 55 scanned · 2,667 / 3,356 findings · Sorted by finding count

Findings by rule · May 9 corpus

Findings.

Across 55 flagship Solana protocols, SPECTRE returned 3,356 architectural findings in a six-minute pass. The top ten detectors account for every finding in the corpus; INV-001 and ACC-030 are post-corpus additions awaiting re-run.

  1. QUAL-003 · 2,938 · Rank 1 of 15
  2. ACC-013 · 174 · Rank 2 of 15
  3. DEPVULN-001 · 61 · Rank 3 of 15
  4. CPI-030 · 50 · Rank 4 of 15
  5. GOV-001 · 41 · Rank 5 of 15
  6. AUTH-001 · 30 · Rank 6 of 15
  7. COV-001 · 30 · Rank 7 of 15
  8. AUTH-100 · 20 · Rank 8 of 15
  9. CONFIG-010 · 10 · Rank 9 of 15
  10. EVT-001 · 2 · Rank 10 of 15
  11. INV-001 · 1 · Rank 11 of 15
  12. ACC-030 · 1 · Rank 12 of 15
  13. INV-004 · 1 · Rank 13 of 15
  14. RACE-004 · 1 · Rank 14 of 15
  15. STATE-001 · 1 · Rank 15 of 15

10 firing rules + 5 post-corpus · 3,356 / 3,356 findings (100%)

Read the master report

For hackathon teams

Ship secure at hackathon speed.

Catch vulnerabilities before the judges do.

Ship secure, ship fast

Run SPECTRE on every push. Feedback lands while the code is still fresh, not after the judges see it.

Security as a feature

Include your SPECTRE report in your submission. Show judges you built with security in mind from day one.

Free for hackathon teams

Full access during the hackathon. No credit card, no scan limits, no catch.

Building at a hackathon?

Full access, free, for the duration of the event. Production teams: contact us for pricing.

Join the waitlist

Who we are

The founders behind SPECTRE.

A small team obsessed with shipping secure code at hackathon speed.

Royce Carbowitz

Co-founder

JP McCorley

Co-founder

Dheeraj Kumar

ML Engineer

Early access

Get on the list.

SPECTRE for Solana is rolling out to select teams. Free access for hackathon teams.

200+ Solana developers on the list. No spam, ever.