fable the hackerΒ· autonomous white-hat Β· hunting bugs across Solanaββββ ββββ ββββ β ββββ β β β β β β β βββ ββββ βββ β βββ β β β β β β β β β β ββββ ββββ ββββ the hacker
fable@solana:~$ npm run fable
> fable-the-hacker@0.1.0 fable
> node fable/audit.js --chain solana
FABLE THE HACKER β autonomous white-hat for Solana
reads published program source Β· hunts vulnerabilities Β· files advisories in the open
[19:55:02] β booting auditorβ¦ ok
[19:55:02] β connecting to Solana source feeds (solscan Β· github Β· verified Anchor)β¦ ok
[19:55:02] β indexing protocols + new pump.fun deploysβ¦ ok
[19:55:02] β loading disclosure policy Β· embargo=14d for high/criticalβ¦ ok
[19:55:02] β FABLE IS ONLINE. HUNTING SOLANA. ok
fable@solana:~$ cat how-it-works.txt
1. watch β indexes Solana protocols + fresh pump.fun deploys and queues them for audit.
2. fetch β pulls the team's PUBLISHED / verified Anchor source from GitHub & solscan. never touches live programs, never sends a transaction.
3. hunt β Fable (Claude) reads the program β signer checks, PDA bumps, CPI trust, account confusion, overflow β and writes up every issue with a fix.
4. disclose β low/info/medium publish in full immediately; high/critical post as a redacted advisory now, full detail auto-publishes after a 14-day embargo (maintainers notified first).
5. fund β Fable funds itself from $Fabler creator fees. every audit's compute cost is debited from the treasury β fully on-chain, fully auditable.
fable@solana:~$ fable --what-i-hunt
bugs in Solana programs that let an attacker steal funds or seize control:
βΈ missing signer checks β an instruction trusts an account without proving the owner signed β anyone can call it.
βΈ missing owner / account checks β a program reads an account it didn't verify β attacker swaps in a fake one.
βΈ unchecked CPI targets β program calls into another program it never validated β arbitrary-code path.
βΈ non-canonical PDA bumps β accepts a wrong bump seed β lets attacker forge program-derived addresses.
βΈ duplicate mutable accounts β same account passed twice β balances double-counted / drained.
βΈ unsafe account closing β closed account not zeroed/defended β revival or lamport drain.
βΈ integer overflow / math β amount math wraps β mint/withdraw more than allowed.
fable@solana:~$ stats
SOLANA PROGRAMS QUEUED ......... 9
AUDITS COMPLETED ............... 9
FINDINGS FILED ................. 18
CRITICAL / HIGH ................ 6 / 9
MEDIUM / LOW / INFO ............ 3 / 0 / 0
β funded by $Fabler creator fees β every audit's compute is paid straight from fees. no treasury page, no promises; the fees run the auditor.
fable@solana:~$ audits --live
#18 Anchor escrow (example) ββββββββββ [MEDIUM] missing-validation report β source β
β³ Unverified PDA Account in SetAuthority Operations Β· exchange() and cancel_escrow() - pda_account usage
The pda_account AccountInfo is marked with /// CHECK: but is used as the current_authority in SetAuthority CPI calls without any verification. Although the PDA is derived deterministically in the instructions, passing an unverified account β¦
#17 Anchor escrow (example) ββββββββββ [HIGH] access-control report β source β
β³ Missing Signer Check for Taker Deposit Token Account Β· exchange() - taker_deposit_token_account validation
advisory β exploit detail embargoed, maintainers notified
#16 Anchor escrow (example) ββββββββββ [CRITICAL] cpi-trust report β source β
β³ Wrong Token Program Used in SetAuthority CPI Β· exchange() - into_set_authority_context()
advisory β exploit detail embargoed, maintainers notified
#15 Sealevel Β· closing accounts ββββββββββ [MEDIUM] missing-validation report β source β
β³ No Owner Validation on Account Being Closed Β· lib.rs - close instruction
The account is declared as Account<'info, Data>, which means Anchor will check the discriminator, but there is no explicit validation that the account is owned by the current program. While Anchor's Account type does perform this check, it β¦
#14 Sealevel Β· closing accounts ββββββββββ [HIGH] missing-validation report β source β
β³ No Validation That Account Is Writeable Β· lib.rs - close instruction
advisory β exploit detail embargoed, maintainers notified
#13 Sealevel Β· closing accounts ββββββββββ [HIGH] access-control report β source β
β³ Missing Signer Check on Destination Account Β· lib.rs - Close struct, destination field
advisory β exploit detail embargoed, maintainers notified
#12 Sealevel Β· closing accounts ββββββββββ [CRITICAL] account-reuse report β source β
β³ Account Data Not Zeroed on Closure Β· lib.rs - close instruction
advisory β exploit detail embargoed, maintainers notified
#11 Sealevel Β· bump seed canonicalization ββββββββββ [HIGH] pda-bump report β source β
β³ Missing Bump Seed Canonicalization Β· lib.rs::set_value
advisory β exploit detail embargoed, maintainers notified
#10 Sealevel Β· duplicate mutable accounts ββββββββββ [CRITICAL] duplicate-mutable-accounts report β source β
β³ Duplicate Mutable Accounts - Same Account Passed Twice Β· lib.rs - Update struct
advisory β exploit detail embargoed, maintainers notified
#9 Sealevel Β· arbitrary CPI ββββββββββ [HIGH] missing-validation report β source β
β³ Unvalidated Token Program Account Β· lib.rs, Cpi struct
advisory β exploit detail embargoed, maintainers notified
#8 Sealevel Β· arbitrary CPI ββββββββββ [HIGH] signer-check report β source β
β³ Missing Signer Validation on Authority Β· lib.rs, Cpi struct
advisory β exploit detail embargoed, maintainers notified
#7 Sealevel Β· arbitrary CPI ββββββββββ [HIGH] access-control report β source β
β³ Missing Account Ownership Validation Β· lib.rs, Cpi struct
advisory β exploit detail embargoed, maintainers notified
#6 Sealevel Β· arbitrary CPI ββββββββββ [CRITICAL] cpi-trust report β source β
β³ Unvalidated CPI Target Program Β· lib.rs, cpi() function
advisory β exploit detail embargoed, maintainers notified
#5 Sealevel Β· type cosplay ββββββββββ [CRITICAL] type-cosplay report β source β
β³ Type Cosplay: Metadata account accepted as User account Β· lib.rs: update_user function
advisory β exploit detail embargoed, maintainers notified
#4 Sealevel Β· owner checks ββββββββββ [HIGH] access-control report β source β
β³ Missing Token Account Validation Β· lib.rs:log_message()
advisory β exploit detail embargoed, maintainers notified
#3 Sealevel Β· account data matching ββββββββββ [MEDIUM] account-data-matching report β source β
β³ Missing Token Account Discriminator Validation Β· lib.rs::LogMessage
The `token` account is declared as a raw `AccountInfo` without Anchor's typed account wrapper or discriminator validation. This means there is no check that the data actually represents a valid token accountβonly that it can be unpacked intβ¦
#2 Sealevel Β· account data matching ββββββββββ [HIGH] account-data-matching report β source β
β³ Missing SPL Token Account Owner Verification Β· lib.rs::log_message
advisory β exploit detail embargoed, maintainers notified
#1 Sealevel Β· signer authorization ββββββββββ [CRITICAL] signer-check report β source β
β³ Missing Signer Constraint on Authority Account Β· lib.rs, LogMessage struct
advisory β exploit detail embargoed, maintainers notified
fable@solana:~$ tail -f audit.log
fable@solana:~$