Fuzzing Solana Programs with Trident: How Ackee's Open-Source Fuzzer Catches Bugs That Unit Tests Miss

via Dev.to Tutorial · ohmygod

Your Anchor program has 100% branch coverage. Every instruction handler has a matching unit test. Clippy is clean. anchor test passes. Then someone calls withdraw() after deposit() after update_oracle() in the same transaction, and 40,000 SOL vanishes into an attacker's wallet.

Unit tests verify the paths you imagined. Fuzzers find the paths you didn't.

This guide walks through Trident — Ackee Blockchain Security's open-source Rust fuzzer for Solana Anchor programs — and shows you how to catch real vulnerability classes before auditors (or attackers) do.

Why Solana Programs Need Fuzzing

Solana programs are stateful, multi-account, and composable. A single instruction can read from 8+ accounts, each with their own owner, data layout, and lifecycle. The attack surface isn't just "bad input" — it's bad sequences of valid inputs.

Consider three vulnerability classes that unit tests routinely miss:

1. Missing Signer Checks on Authority Transfers

// Vulnerable: admin_update doesn't verify c
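The "bad sequences of valid inputs" point above, as an added example that is not from the original article and does not use Trident's API: a constructed toy vault in plain Rust, with a small sequence fuzzer that checks one invariant with and without a signer check on the oracle update. All names here (Vault, Ix, fuzz, check_signer) are assumptions made for illustration.

```rust
// Constructed toy model in plain Rust: not Anchor code and not Trident's API.
#[derive(Clone, Copy, Debug, PartialEq)]
enum Ix { Deposit(u64), UpdateOracle(u64), Withdraw }

struct Vault { check_signer: bool, price: u64, credit: u64, paid_in: u64, paid_out: u64 }

impl Vault {
    fn new(check_signer: bool) -> Self {
        Vault { check_signer, price: 100, credit: 0, paid_in: 0, paid_out: 0 }
    }
    // Every call comes from an unprivileged user; the admin never signs.
    fn apply(&mut self, ix: Ix) {
        match ix {
            Ix::Deposit(n) => { self.credit += n * self.price; self.paid_in += n; }
            // The bug: without check_signer, anyone may move the price.
            Ix::UpdateOracle(p) => if !self.check_signer { self.price = p; },
            Ix::Withdraw => { self.paid_out += self.credit / self.price; self.credit = 0; }
        }
    }
    // Invariant: a user never takes out more lamports than they put in.
    fn invariant_holds(&self) -> bool { self.paid_out <= self.paid_in }
}

// Small xorshift PRNG so the example needs no external crates.
fn next(state: &mut u64) -> u64 {
    *state ^= *state << 13; *state ^= *state >> 7; *state ^= *state << 17; *state
}

// Run `runs` random instruction sequences; return the first that breaks the invariant.
fn fuzz(check_signer: bool, runs: u32, seed: u64) -> Option<Vec<Ix>> {
    let mut rng = seed;
    for _ in 0..runs {
        let mut vault = Vault::new(check_signer);
        let mut trace = Vec::new();
        for _ in 0..8 {
            let ix = match next(&mut rng) % 3 {
                0 => Ix::Deposit(1 + next(&mut rng) % 1_000),
                1 => Ix::UpdateOracle(1 + next(&mut rng) % 200),
                _ => Ix::Withdraw,
            };
            vault.apply(ix);
            trace.push(ix);
            if !vault.invariant_holds() { return Some(trace); }
        }
    }
    None
}

fn main() {
    println!("vulnerable: {:?}", fuzz(false, 1_000, 0x5EED));
    println!("hardened:   {:?}", fuzz(true, 1_000, 0x5EED));
}
```

A unit test of any single handler passes in both configurations; only a trace that orders a deposit, a price change and a withdrawal breaks the invariant, and only when the signer check is absent.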
