RiskResponse/OWASP-SC-TOP10
🛡️ OWASP Smart Contract Top 10 - Security Examples

This repository contains practical examples demonstrating the OWASP Smart Contract Top 10 security vulnerabilities and their secure implementations. Each example includes both vulnerable and secure code, along with testing and fuzzing tools to demonstrate the security issues.

📁 Project Structure

owasp-sc-top10/
├── README.md                    # This file
├── 01-access-control-vault/    # Access Control examples
│   └── access_control_vault/   # Solana/Anchor implementation
│       ├── programs/
│       │   ├── vault_safe/     # Secure vault implementation
│       │   └── vault_unsafe/   # Vulnerable vault implementation
│       ├── tests/              # Mocha test suites
│       ├── trident-tests/      # Trident fuzzing framework
│       ├── README.md           # Detailed project documentation
│       └── QUICK_START.md      # Quick setup guide
└── [Future examples...]        # Additional OWASP categories

🎯 Current Examples

01-access-control-vault

OWASP Categories: SC01 (Access Control Issues)

OWASP SC01 Definition: Access control flaws allow unauthorized users to access or modify a contract's data or functions. These vulnerabilities arise when the code fails to enforce proper permission checks, potentially leading to severe security breaches.

A Solana/Anchor-based vault system demonstrating:

  • Secure Implementation: Proper PDA constraints, signer validation, and access control
  • Vulnerable Implementation: Intentional security flaws for educational purposes
  • Testing: Mocha test suites for deterministic vulnerability confirmation
  • Fuzzing: Trident framework integration for automated vulnerability discovery

Key Features:

  • Deposit/withdraw functionality with owner-based access control
  • Multiple vulnerability types (inverted logic, admin bypass, time-based bypass)
  • Comprehensive testing and fuzzing setup
  • Automated program ID synchronization
  • Clean development workflow
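The owner check that SC01 is about, as an added, dependency-free Rust model (not code from this repository): it contrasts the "inverted logic" flaw the feature list names with the signer-plus-owner check a secure Anchor program expresses via `Signer` and `has_one = owner`. The `AccountKey`, `Vault` and `Caller` types are hypothetical stand-ins for on-chain accounts.

```rust
// Added example, not code from the RiskResponse/OWASP-SC-TOP10 repository.
// A plain-Rust model of the vault's access control so the SC01 flaw can be
// exercised without a validator. On Solana/Anchor the same checks are the
// `Signer<'info>` account type and the `has_one = owner` constraint.

#[derive(Debug, Clone, Copy, PartialEq, Eq)]
pub struct AccountKey(pub [u8; 4]); // constructed short key, not a real 32-byte pubkey

#[derive(Debug)]
pub struct Vault {
    pub owner: AccountKey,
    pub balance: u64,
}

/// What the runtime tells the program about the calling account.
pub struct Caller {
    pub key: AccountKey,
    pub is_signer: bool,
}

#[derive(Debug, PartialEq, Eq)]
pub enum VaultError {
    Unauthorized,
    MissingSigner,
    Insufficient,
}

/// Vulnerable withdraw: the owner comparison is inverted and the signer flag is
/// never consulted, so the real owner is locked out while any other key drains
/// the vault. Kept deliberately wrong to mirror the "vault_unsafe" pattern.
pub fn withdraw_unsafe(vault: &mut Vault, caller: &Caller, amount: u64) -> Result<u64, VaultError> {
    if caller.key == vault.owner { // BUG: should be `!=`
        return Err(VaultError::Unauthorized);
    }
    vault.balance = vault.balance.checked_sub(amount).ok_or(VaultError::Insufficient)?;
    Ok(vault.balance)
}

/// Secure withdraw: the caller must have signed the transaction AND must match
/// the owner recorded in the vault account. Both checks run before any state change.
pub fn withdraw_safe(vault: &mut Vault, caller: &Caller, amount: u64) -> Result<u64, VaultError> {
    if !caller.is_signer {
        return Err(VaultError::MissingSigner);
    }
    if caller.key != vault.owner {
        return Err(VaultError::Unauthorized);
    }
    vault.balance = vault.balance.checked_sub(amount).ok_or(VaultError::Insufficient)?;
    Ok(vault.balance)
}
```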

🚀 Quick Start

Prerequisites

Getting Started

  1. Clone the repository:

    git clone <repository-url>
    cd owasp-sc-top10
  2. Choose an example:

    cd 01-access-control-vault/access_control_vault
  3. Follow the quick start guide:

    # See QUICK_START.md for detailed instructions
    npm install && anchor build
    pkill -f solana-test-validator
    solana-test-validator --reset &
    anchor deploy
    npm run syncids
    npm run test:safe
    npm run test:vulnerabilities
    npm run fuzz

🔍 What You'll Learn

  • Smart Contract Security: Understanding common vulnerabilities in blockchain applications
  • Testing Strategies: How to test both secure and vulnerable implementations
  • Fuzzing: Using automated tools to discover edge cases and crashes
  • OWASP Mapping: How real-world vulnerabilities map to the OWASP Top 10
  • Best Practices: Secure coding patterns and anti-patterns to avoid

🧪 Testing & Fuzzing

Each example includes multiple testing approaches:

Test Type      Purpose                  What It Catches
Mocha Tests    Deterministic exploits   Logic flaws, access control bugs, business rule violations
Fuzzing        Random input testing     Crashes, panics, unexpected failures, edge cases

🛠️ Development Workflow

  1. Build & Deploy: Compile programs and deploy to local validator
  2. Sync IDs: Automatically synchronize program IDs across configuration files
  3. Test: Run deterministic tests to verify vulnerabilities
  4. Fuzz: Use Trident for automated vulnerability discovery
  5. Clean: Remove build artifacts and temporary files

📚 Documentation

  • README.md: Project overview and structure
  • Example-specific README.md: Detailed implementation details
  • QUICK_START.md: Step-by-step setup and testing instructions
  • Code Comments: Inline documentation explaining security concepts

🤝 Contributing

This project is designed for educational purposes. When contributing:

  1. Security First: Ensure examples demonstrate real vulnerabilities safely
  2. Clear Documentation: Explain both the vulnerability and the secure alternative
  3. Comprehensive Testing: Include tests that prove the vulnerability exists
  4. OWASP Mapping: Clearly map examples to OWASP categories

⚠️ Security Notice

⚠️ WARNING: These examples contain intentionally vulnerable code for educational purposes only. Never deploy vulnerable code to production networks.

  • All examples run in isolated local development environments
  • Vulnerabilities are clearly documented and explained
  • Secure implementations are provided alongside vulnerable ones
  • Use only for learning and security research

📖 Learn More

🎓 Educational Use

This repository is ideal for:

  • Security Researchers: Understanding smart contract vulnerabilities
  • Developers: Learning secure coding practices
  • Students: Blockchain security coursework
  • Auditors: Vulnerability pattern recognition
  • Teams: Security training and code review practice

Happy Learning! 🚀

Remember: Security is a journey, not a destination. These examples help you understand the threats so you can build more secure systems.
