Solana Gaming Audit

Submitted Security Started September 2025 Launched September 2025
Rust Solana Anchor Security Auditing

Solana Gaming Audit: Finding 19 Ways to Break a Protocol

PrimeSkill Studio's FPS gaming protocol looked solid on the surface. Win-2-Earn mechanics. Escrow for player stakes. Winner-takes-all payouts. Built on Solana for speed.

Then I started auditing. And the surface cracked.

The Bounty

Superteam Earn posted a 750 USDC bounty for security auditing. The protocol let players stake tokens before competitive matches — winner takes the pot. Real money on the line. Real stakes for getting security wrong.

I spent a week systematically breaking it.

The Methodology

Smart contract security isn't about finding one bug. It's about coverage. Every function. Every state transition. Every assumption the developers made.

I built a vulnerability tracking system with severity classifications: Critical (CVSS 9.0-10.0), High (7.0-8.9), Medium (4.0-6.9), Low, and Informational. Then I worked through the codebase function by function.

Started with 100+ potential findings. Validated each one. Built proof-of-concept exploits. Filtered false positives.

The Findings

Final count: 19 valid vulnerabilities. The breakdown scared me:

  • 15 Critical — Protocol-breaking, fund-draining issues
  • 2 High — Significant security risks
  • 2 Medium — Exploitable under specific conditions

The worst one? Private keys exposed in the codebase. Catastrophic. Full protocol compromise possible. Someone could drain every escrow account.

Others included:

  • Pay2Spawn exploitation — manipulate match outcomes
  • Refund attack vectors — extract locked funds prematurely
  • Underflow panics — crash the protocol
  • State corruption — break game logic permanently
  • Session hijacking — impersonate other players

Each finding got a detailed report. CVSS scoring. Attack vectors. Impact analysis. Remediation recommendations.

The PoC Arsenal

Claims without proof are opinions. I built 19 proof-of-concept exploits — one for every valid vulnerability.

Rust test files demonstrating each attack:

  • vuln-002-pay2spawn-poc.rs
  • vuln-003-refund-attack-poc.rs
  • vuln-005-state-corruption-poc.rs
  • vuln-096-private-keys-exposed-poc.rs

Run the tests, watch the exploit succeed. No ambiguity. No debate about severity.

The Agent Analysis

For thoroughness, I ran specialized analysis agents on different severity tiers. Fifteen agent reports covering high, medium, and low severity categories. Cross-validation of findings. Multiple perspectives on each vulnerability.

The 78% false positive detection rate shows how noisy initial scanning can be. Raw tool output means nothing — validation is everything.

What I Learned

Gaming protocols have unique attack surfaces. Match manipulation. Timing exploits. Economic attacks on stake mechanics. Traditional DeFi audit patterns don't fully apply.

The escrow system was the critical path. Every function touching locked funds needed paranoid scrutiny. Most vulnerabilities clustered there.

And private keys in source code? Still happens. Still catastrophic. Check your gitignore. Check it again.
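
A defender-side check for the committed-key problem above, as an added example that is not part of the original audit or the PrimeSkill code base: it flags file contents shaped like the keypair files `solana-keygen` writes (a JSON array of 64 byte values). The function names, file paths and sample bytes are constructed for illustration.

```rust
// Added example: flag file contents that look like a Solana CLI keypair file.
// Assumption: keys are stored in the solana-keygen file format, a JSON array
// of exactly 64 integers in 0..=255 (secret seed followed by public key).

/// Returns true when `text` is a bracketed list of exactly 64 byte values.
fn looks_like_solana_keypair(text: &str) -> bool {
    let t = text.trim();
    let inner = match t.strip_prefix('[').and_then(|s| s.strip_suffix(']')) {
        Some(s) => s,
        None => return false,
    };
    let mut count = 0usize;
    for part in inner.split(',') {
        // u8 parsing rejects negatives, values above 255 and non-numbers.
        if part.trim().parse::<u8>().is_err() {
            return false;
        }
        count += 1;
    }
    count == 64
}

/// Takes (path, contents) pairs and returns the paths that need review.
fn flag_keypair_files<'a>(files: &[(&'a str, String)]) -> Vec<&'a str> {
    files
        .iter()
        .filter(|(_, body)| looks_like_solana_keypair(body))
        .map(|(path, _)| *path)
        .collect()
}

// Constructed sample: 64 arbitrary byte values, not a real key.
fn sample_keypair_json() -> String {
    let bytes: Vec<String> = (0..64u32).map(|i| ((i * 37 + 11) % 256).to_string()).collect();
    format!("[{}]", bytes.join(", "))
}

fn main() {
    // Constructed paths and contents standing in for files tracked by git.
    let files = vec![
        ("keys/authority.json", sample_keypair_json()),
        ("config/levels.json", "[1, 2, 3]".to_string()),
        ("Anchor.toml", "[programs.localnet]".to_string()),
    ];
    for path in flag_keypair_files(&files) {
        println!("possible Solana keypair committed: {}", path);
    }
}
```

Feeding it the contents of every tracked file in CI catches a keypair that slipped past `.gitignore`; any key it finds should be rotated, since it remains in git history after deletion.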


Bounty: PrimeSkill Studio Security Audit (Superteam Earn)

Prize: 750 USDC (1st: 500, 2nd: 250)

Findings: 19 valid vulnerabilities (15 critical, 2 high, 2 medium)

Deliverables: Full audit report, 19 PoC exploits, remediation guidance

Stack: Rust, Solana, Anchor, Security tooling
