Believe Security Logo
DocumentationUnderstanding Results

Understanding Analysis Results

How to interpret and act on Believe Security findings

After Believe Security completes the analysis of your Solana program, you'll receive a comprehensive report detailing any identified vulnerabilities, potential issues, and recommendations for improvement. This guide will help you understand how to interpret these results and take appropriate action.

Analysis Results Structure

Believe Security results are organized into several key sections:

1. Executive Summary

The executive summary provides a high-level overview of the analysis, including:

  • Total number of vulnerabilities found (grouped by severity)
  • Overall security score
  • Analysis completion time
  • Top critical issues requiring immediate attention

Example Executive Summary

Overall Security Score
78/100
2
Critical
3
High
5
Medium
7
Low
Analysis Details
Completion Time:
42 seconds
Files Analyzed:
24
Lines of Code:
3,412
Analysis Depth:
Full

2. Vulnerability Findings

The core of the report is the list of vulnerabilities, organized by severity. Each vulnerability entry includes:

  • Severity level (Critical, High, Medium, Low)
  • Vulnerability type and description
  • Location in code (file, line numbers)
  • Potential impact of the vulnerability
  • Recommended remediation steps
  • Code examples showing how to fix the issue

Critical: Missing Signer Verification

Location
src/instructions/withdraw.rs (lines 32-45)
Description

The program fails to verify that the transaction is signed by the appropriate authority, allowing unauthorized access to protected withdrawal operations. This critical vulnerability could allow an attacker to withdraw funds without authorization.

Vulnerable Code
pub fn process_withdraw(
    program_id: &Pubkey,
    accounts: &[AccountInfo],
    amount: u64,
) -> ProgramResult {
    let account_info_iter = &mut accounts.iter();
    let authority = next_account_info(account_info_iter)?;
    let vault = next_account_info(account_info_iter)?;
    
    // VULNERABILITY: No verification that authority is a signer
    transfer_funds(amount, vault, authority)?;
    
    Ok(())
}
Recommended Fix
pub fn process_withdraw(
    program_id: &Pubkey,
    accounts: &[AccountInfo],
    amount: u64,
) -> ProgramResult {
    let account_info_iter = &mut accounts.iter();
    let authority = next_account_info(account_info_iter)?;
    let vault = next_account_info(account_info_iter)?;
    
    // Verify that the authority is a signer
    if !authority.is_signer {
        return Err(ProgramError::MissingRequiredSignature);
    }
    
    transfer_funds(amount, vault, authority)?;
    
    Ok(())
}
Impact

An attacker could execute unauthorized withdrawals, potentially draining all funds from the vault. This is a critical security vulnerability that should be addressed immediately.

3. Best Practice Recommendations

In addition to vulnerabilities, Believe Security provides recommendations for following best practices that can improve your code's security, readability, and maintainability.

Best Practice: Improve Error Handling

Location
src/state/account.rs (lines 78-92)
Recommendation

Consider using more specific error types instead of returning generic program errors. This will improve error messages and make debugging easier.

Current Code
fn validate_account(account: &AccountInfo) -> ProgramResult {
    if account.data_len() < MIN_ACCOUNT_SIZE {
        return Err(ProgramError::InvalidAccountData);
    }
    
    // Other validation...
    
    Ok(())
}
Suggested Improvement
// Define custom error types
#[derive(Debug)]
pub enum AccountError {
    InsufficientSize { expected: usize, actual: usize },
    InvalidOwner { expected: Pubkey, actual: Pubkey },
    // Other specific errors...
}

impl From<AccountError> for ProgramError {
    fn from(e: AccountError) -> Self {
        ProgramError::Custom(1) // Map to appropriate error codes
    }
}

fn validate_account(account: &AccountInfo) -> Result<(), AccountError> {
    if account.data_len() < MIN_ACCOUNT_SIZE {
        return Err(AccountError::InsufficientSize {
            expected: MIN_ACCOUNT_SIZE,
            actual: account.data_len(),
        });
    }
    
    // Other validation...
    
    Ok(())
}

4. Performance Optimizations

Believe Security may suggest performance optimizations to reduce compute unit usage and improve program efficiency.

Interpreting Results

Understanding Severity Levels

Believe Security uses the following severity levels to prioritize issues:

Critical

Issues that could lead to immediate fund loss or complete program compromise. These should be addressed immediately before deployment.

High

Serious vulnerabilities that could lead to significant security issues. These should be addressed before deployment to production.

Medium

Issues that may have security implications but with limited impact. These should be addressed in a timely manner.

Low

Minor issues or best practice recommendations that should be addressed but don't pose immediate security risks.

Prioritizing Fixes

When addressing the findings in your report, we recommend the following prioritization:

  1. 1
    Critical vulnerabilities - Address these immediately, especially if your program is already deployed.
  2. 2
    High severity issues - Fix these before deploying to production.
  3. 3
    Medium severity issues - Address these in your next development cycle.
  4. 4
    Low severity issues and best practices - Incorporate these improvements when convenient.

Using the Results Interface

Believe Security provides an interactive interface for exploring and managing analysis results. Here's how to use it effectively:

Filtering Results

Use the filtering options to focus on specific types of issues:

  • Filter by severity (Critical, High, Medium, Low)
  • Filter by vulnerability type (e.g., "Missing signer check", "Integer overflow")
  • Filter by file or module
  • Show/hide best practice recommendations
Filters
Critical(2)
High(3)
Medium(5)
Low(7)
Clear filters

Reviewing Code Context

For each vulnerability, you can:

  • View the affected code with syntax highlighting
  • See the recommended fix
  • Click on file locations to open the full source file
  • Expand/collapse detailed information

Exporting Results

You can export analysis results in multiple formats:

  • PDF report (great for sharing with stakeholders)
  • JSON (for integration with other tools)
  • CSV (for tracking issues in spreadsheets)

Tracking Fixed Issues

As you address vulnerabilities, you can mark them as fixed in the interface. This helps track your progress and maintain a record of security improvements. In continuous analysis mode, Believe Security will automatically verify fixed issues in subsequent scans.

Continuous Analysis

For optimal security, we recommend integrating Believe Security into your development workflow through continuous analysis:

  • GitHub Integration - Set up automatic analysis on pull requests and commits
  • CI/CD Pipeline - Add Believe Security to your continuous integration workflow
  • Regular Scheduled Scans - Set up weekly or monthly scans of deployed programs

Continuous analysis helps catch vulnerabilities early in the development process and ensures that security remains a priority throughout your project lifecycle.

Next Steps

Vulnerability Types

Learn about common Solana vulnerabilities and how to prevent them.

View guide

FAQ

Answers to frequently asked questions about Believe Security.

Read more