5 Smart Contract Vulnerability Patterns Every Solana Dev Should Know

via Dev.to Webdev, by TateLyman

I've spent time auditing DeFi protocols on Solana and Ethereum. Here are the patterns that keep showing up.

1. Oracle Manipulation

If your protocol uses a price oracle (Pyth, Chainlink, Switchboard), the #1 question is: can someone manipulate the price in the same transaction they exploit your contract?

The pattern:
1. Attacker flash loans a large amount
2. Manipulates a DEX pool price
3. Your oracle reads the manipulated price
4. Attacker borrows/withdraws at the wrong price
5. Repays flash loan, keeps profit

The fix: Use TWAP (time-weighted average prices), enforce price staleness checks (reject a price whose publish time is older than your tolerance), and use multiple oracle sources. Where the oracle reports a confidence interval, as Pyth does, also reject prices whose interval is too wide relative to the price. A TWAP raises the cost of manipulation rather than eliminating it: an attacker who can keep a thin pool skewed across several blocks still moves the average, so the window and the source pools matter.

2. Missing Signer Checks

Solana programs must explicitly verify that the right accounts signed the transaction. Unlike Ethereum, where msg.sender is implicit and always authenticated, Solana hands every account to the program as an AccountInfo, and the program has to check is_signer itself. In Anchor, declaring the account as Signer<'info> performs that check for you; a plain AccountInfo does not.

```rust
// BAD - no signer check
pub fn withdraw(ctx: Context<Withdraw>, amount: u64) -> Result<()> {
    // Anyone can call this!
    transfer(ctx.accounts.vault, ctx.accounts.destination, amo
```
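The staleness, confidence and TWAP checks from the oracle section, as an added example that is not the article's code. It is plain Rust with no Solana or Pyth crates: `PriceSample`, `OracleError` and the constructed feed in `example_feed()` are assumptions standing in for what a real price-feed account carries. The feed reproduces the pattern above from the consumer's side: ten minutes of $100.00 samples, then a $300.00 sample published one second ago.

```rust
// Added example, not code from the article: a plain-Rust model of the
// staleness, confidence and TWAP checks described above. It uses no Solana
// or Pyth crates; `PriceSample` and `example_feed()` are assumptions that
// stand in for what a real feed account would carry.

#[derive(Clone, Copy, Debug, PartialEq, Eq)]
pub struct PriceSample {
    pub price: i64,        // fixed-point price, 1 unit = 1e-6 USD here
    pub conf: u64,         // confidence interval around `price`, same units
    pub publish_time: i64, // unix seconds when the publisher posted it
}

#[derive(Debug, PartialEq, Eq)]
pub enum OracleError {
    Stale { age: i64 },
    TooUncertain { bps: u64 },
    InsufficientHistory,
}

/// Spot-price gate: the sample must have been published within `max_age`
/// seconds and its confidence interval must be at most `max_conf_bps`
/// basis points of the price. Either failure should abort the instruction.
pub fn validate_spot(
    sample: &PriceSample,
    now: i64,
    max_age: i64,
    max_conf_bps: u64,
) -> Result<i64, OracleError> {
    let age = now - sample.publish_time;
    if age < 0 || age > max_age {
        return Err(OracleError::Stale { age });
    }
    let price_abs = sample.price.unsigned_abs();
    if price_abs == 0 {
        return Err(OracleError::TooUncertain { bps: u64::MAX });
    }
    let bps = sample.conf.saturating_mul(10_000) / price_abs;
    if bps > max_conf_bps {
        return Err(OracleError::TooUncertain { bps });
    }
    Ok(sample.price)
}

/// Time-weighted average over the window [now - window, now]. Each sample
/// is weighted by how long it stayed current (until the next sample, or
/// `now` for the latest one). `samples` must be sorted by publish_time.
pub fn twap(samples: &[PriceSample], now: i64, window: i64) -> Result<i64, OracleError> {
    let start = now - window;
    let mut weighted: i128 = 0;
    let mut total_secs: i128 = 0;
    for (i, s) in samples.iter().enumerate() {
        let next = samples.get(i + 1).map_or(now, |n| n.publish_time);
        let end = next.min(now);
        let begin = s.publish_time.max(start);
        if end <= begin {
            continue; // sample lies entirely outside the window
        }
        let secs = (end - begin) as i128;
        weighted += s.price as i128 * secs;
        total_secs += secs;
    }
    if total_secs == 0 {
        return Err(OracleError::InsufficientHistory);
    }
    Ok((weighted / total_secs) as i64)
}

/// Constructed feed: ten minutes of $100.00 samples every 60 s, then one
/// $300.00 sample published one second before `now = 600`, which is what a
/// same-slot pool manipulation looks like from the consuming program.
pub fn example_feed() -> Vec<PriceSample> {
    let mut feed: Vec<PriceSample> = (0..10)
        .map(|i| PriceSample { price: 100_000_000, conf: 50_000, publish_time: i * 60 })
        .collect();
    feed.push(PriceSample { price: 300_000_000, conf: 50_000, publish_time: 599 });
    feed
}

fn main() {
    let feed = example_feed();
    let now = 600;
    // The spike passes every per-sample check: it is fresh and tight.
    println!("spot = {:?}", validate_spot(feed.last().unwrap(), now, 30, 100));
    // The one-second spike barely moves a ten-minute TWAP.
    println!("twap = {:?}", twap(&feed, now, 600));
}
```

The spot check and the TWAP guard against different failures: the staleness and confidence gates stop the program from acting on a feed that has gone quiet or lost consensus, while the TWAP is what blunts a same-transaction price move. Note that `twap` extends the latest sample up to `now`, so it must always run after `validate_spot` on that latest sample; otherwise a feed that stopped publishing an hour ago still produces a confident-looking average.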
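The missing-signer pattern from the section above, as an added example that is not the article's code: the unchecked withdraw beside a hardened one. It is plain Rust without the Solana crates, so `Pubkey`, `Account` and `ProgramError` are stand-ins for the solana_program types (on-chain, the runtime sets `is_signer` from the transaction's signatures), and the vault layout, with the authority's pubkey in the first 32 bytes, is assumed.

```rust
// Added example, not code from the article: a plain-Rust model of a native
// Solana withdraw handler with and without the signer check. `Pubkey`,
// `Account` and `ProgramError` stand in for the solana_program types; the
// vault layout (authority pubkey in bytes 0..32) is assumed.
use std::convert::TryInto;

#[derive(Clone, Copy, Debug, PartialEq, Eq)]
pub struct Pubkey(pub [u8; 32]);

#[derive(Debug)]
pub struct Account {
    pub key: Pubkey,
    pub owner: Pubkey,   // program that owns this account's data
    pub is_signer: bool, // true only if `key` signed the transaction
    pub lamports: u64,
    pub data: Vec<u8>,
}

#[derive(Debug, PartialEq, Eq)]
pub enum ProgramError {
    MissingRequiredSignature,
    IncorrectProgramId,
    InvalidAccountData,
    Unauthorized,
    InsufficientFunds,
}

fn transfer(from: &mut Account, to: &mut Account, amount: u64) -> Result<(), ProgramError> {
    if from.lamports < amount {
        return Err(ProgramError::InsufficientFunds);
    }
    from.lamports -= amount;
    to.lamports += amount;
    Ok(())
}

/// Assumed vault layout: bytes 0..32 hold the authority's pubkey.
fn vault_authority(vault: &Account) -> Result<Pubkey, ProgramError> {
    let slice = vault.data.get(..32).ok_or(ProgramError::InvalidAccountData)?;
    let bytes: [u8; 32] = slice.try_into().map_err(|_| ProgramError::InvalidAccountData)?;
    Ok(Pubkey(bytes))
}

/// BAD: mirrors the article's vulnerable handler. Nothing ties the caller to
/// the vault, so anyone able to submit a transaction can drain it.
pub fn withdraw_unchecked(vault: &mut Account, destination: &mut Account, amount: u64) -> Result<(), ProgramError> {
    transfer(vault, destination, amount)
}

/// FIXED: the authority must have signed, the vault must be owned by this
/// program (otherwise its data cannot be trusted), and the signer must be the
/// authority recorded in the vault. All checks run before any state change.
pub fn withdraw_checked(
    program_id: &Pubkey,
    authority: &Account,
    vault: &mut Account,
    destination: &mut Account,
    amount: u64,
) -> Result<(), ProgramError> {
    if !authority.is_signer {
        return Err(ProgramError::MissingRequiredSignature);
    }
    if vault.owner != *program_id {
        return Err(ProgramError::IncorrectProgramId);
    }
    if vault_authority(vault)? != authority.key {
        return Err(ProgramError::Unauthorized);
    }
    transfer(vault, destination, amount)
}

// Constructed fixtures for the scenario below.
pub fn key(b: u8) -> Pubkey {
    Pubkey([b; 32])
}

pub fn account(key: Pubkey, owner: Pubkey, is_signer: bool, lamports: u64, data: Vec<u8>) -> Account {
    Account { key, owner, is_signer, lamports, data }
}

/// An attacker who signs as themselves (not as the vault authority) calls
/// both handlers. Returns (checked outcome, unchecked outcome, vault balance).
pub fn attacker_scenario() -> (Result<(), ProgramError>, Result<(), ProgramError>, u64) {
    let program = key(1);
    let authority = key(2);
    let attacker = account(key(3), key(0), true, 0, vec![]);
    let mut vault = account(key(4), program, false, 1_000, authority.0.to_vec());
    let mut dest = account(key(3), key(0), false, 0, vec![]);
    let checked = withdraw_checked(&program, &attacker, &mut vault, &mut dest, 1_000);
    let unchecked = withdraw_unchecked(&mut vault, &mut dest, 1_000);
    (checked, unchecked, vault.lamports)
}

fn main() {
    let (checked, unchecked, left) = attacker_scenario();
    println!("checked: {:?}, unchecked: {:?}, vault left: {}", checked, unchecked, left);
}
```

The three checks are deliberately ordered: `is_signer` first, because everything else depends on the caller being authenticated; the owner check next, because the authority stored in a vault account that this program does not own is attacker-controlled data; the authority comparison last. Note that the attacker in the scenario does sign the transaction, so an `is_signer` check alone is not enough; it is the binding of the signer to the authority stored in the vault that closes the hole.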
