Documentation Index
Fetch the complete documentation index at: https://mintlify.com/Centurylong/sanctifier/llms.txt
Use this file to discover all available pages before exploring further.
Sanctifier ships with a community-sourced vulnerability database that catalogs known security issues affecting Soroban contracts and the broader Stellar ecosystem. Every entry carries a structured identifier, CVSS score, a regex detection pattern, a proof-of-concept exploit, and a concrete patch snippet. The database is embedded directly in the CLI binary so scans work fully offline, and you can layer in your own entries by supplying a custom JSON file.
ID scheme
Vulnerability identifiers follow one of two schemes:
| Prefix | Scope | Example |
|---|
SOB-YYYY-NNN | Soroban-specific issues (DeFi math, Kani-detectable patterns, reentrancy) | SOB-2024-015 |
SOL-YYYY-NNN | Stellar/broader platform issues (auth flows, storage TTL, initialization) | SOL-2024-001 |
The year component reflects when the entry was catalogued; NNN is a zero-padded sequential number within that year.
Vulnerability categories
| Category | Description |
|---|
access-control | Missing require_auth, unprotected admin/mint/burn/upgrade functions |
arithmetic | Integer overflow, underflow, fee rounding, decimal precision mismatches |
storage | TTL expiry, key collisions, instance-storage capacity exhaustion |
reentrancy | Cross-contract re-entry before state finalization, flash loan callbacks |
oracle | Stale price data, TWAP manipulation via flash loans |
randomness | Predictable on-chain randomness derived from ledger sequence/timestamp |
error-handling | Silent unwrap_or_default, unhandled Result, opaque panic! |
resource | Unbounded loops exhausting the CPU instruction budget |
events | Inconsistent event topic counts breaking off-chain indexers |
CLI commands
Search
Keyword search matches the vulnerability ID, name, description, tags, and category fields.
sanctifier cve search --keyword reentrancy
Use --format json to get machine-readable output for piping:
sanctifier cve search --keyword reentrancy --format json
List with filters
Filter by category, severity, or both:
sanctifier cve list --category access-control --severity high
# All critical findings in the arithmetic category
sanctifier cve list --category arithmetic --severity critical
Supported severity values: critical, high, medium, low.
Show a single entry
Display full details — description, PoC exploit, patch, recommendation, references, and tags — for one vulnerability:
sanctifier cve show SOL-2024-001
sanctifier cve show SOB-2024-015
Export
Export the entire database as a JSON file or an RSS 2.0 feed:
# Export to a local JSON file
sanctifier cve export --format json -o vulndb.json
# Print an RSS feed to stdout (pipe to a file, curl endpoint, etc.)
sanctifier cve export --format rss
Local HTTP server
Spin up a minimal HTTP server that exposes the database as a REST API:
sanctifier cve serve --port 7654
The server exposes three routes:
| Route | Response |
|---|
GET /api/vulndb | Full database as JSON |
GET /api/vulndb/<id> | Single entry JSON (e.g. /api/vulndb/SOB-2024-015) |
GET /api/vulndb/feed.rss | RSS 2.0 feed |
The server listens on 127.0.0.1 only. It is intended for local tooling integration, not production exposure.
Vulnerability entries
Below are representative entries from the database, spanning different ID schemes and categories.
SOL-2024-001 — Unprotected Initialization (critical, CVSS 9.8)
id: SOL-2024-001
title: Unprotected Initialization
severity: critical
cvss: 9.8
category: access-control
affected_versions: "soroban-sdk <=20.5.0"
description: >
Contract initialize/init function lacks access control, allowing anyone to
re-initialize and take ownership. A second caller can overwrite the admin
address and permanently hijack the contract.
recommendation: >
Add require_auth() check or verify the contract has not been initialized
before accepting parameters.
tags: [initialization, ownership, access-control]
Patch:
// Guard against re-initialization and require admin auth
if env.storage().instance().has(&DataKey::Admin) {
panic!("already initialized");
}
admin.require_auth();
env.storage().instance().set(&DataKey::Admin, &admin);
SOL-2024-005 — Hardcoded Admin Key (high, CVSS 7.5)
id: SOL-2024-005
title: Hardcoded Admin Key
severity: high
cvss: 7.5
category: access-control
affected_versions: "soroban-sdk <=20.5.0"
description: >
Admin addresses embedded directly in contract source code cannot be rotated,
and if compromised represent a permanent and irrecoverable security failure.
recommendation: >
Store admin addresses in contract storage and set them during initialization.
tags: [hardcoded, admin, key-management]
Patch:
fn get_admin(env: &Env) -> Address {
env.storage().instance().get(&DataKey::Admin).unwrap()
}
SOB-2024-013 — Stale Price Oracle Data (high, CVSS 8.2)
id: SOB-2024-013
title: Stale Price Oracle Data
severity: high
cvss: 8.2
category: oracle
affected_versions: "soroban-sdk <=20.5.0"
description: >
Using oracle prices without validating their freshness allows attackers to
exploit price latency: stale prices let liquidations be triggered at outdated
rates or allow undercollateralized borrows to proceed.
recommendation: >
Validate oracle price timestamps and reject prices older than an acceptable
threshold.
tags: [oracle, price, defi, staleness]
Patch:
const MAX_PRICE_AGE_SECS: u64 = 60;
let price_age = env.ledger().timestamp() - oracle_update_time;
if price_age > MAX_PRICE_AGE_SECS {
panic!("stale oracle price");
}
SOB-2024-015 — Cross-Contract Reentrancy (high, CVSS 8.8)
id: SOB-2024-015
title: Cross-Contract Reentrancy
severity: high
cvss: 8.8
category: reentrancy
affected_versions: "soroban-sdk <=20.5.0"
description: >
A Soroban contract that calls an external contract before finalizing its own
state updates can be re-entered if the callee calls back into the original
contract, corrupting intermediate state.
recommendation: >
Apply the Checks-Effects-Interactions pattern: finalize all state changes
before invoking external contracts.
tags: [reentrancy, cross-contract, checks-effects-interactions]
Patch (Checks-Effects-Interactions):
// 1. Check
if balance < amount { panic!("insufficient"); }
// 2. Effect – update state FIRST
set_balance(&env, &user, balance - amount);
// 3. Interaction – call external last
token_client.transfer(&env, env.current_contract_address(), user, amount);
SOB-2024-015 and SOB-2024-027 (Flash Loan Callback Reentrancy) are related. If your contract implements flash loans, review both entries.
Database JSON structure
The embedded database and any custom override follow this schema:
{
"version": "2.0.0",
"last_updated": "2026-06-25",
"description": "Community-sourced vulnerability database of known Soroban and Stellar CVEs",
"vulnerabilities": [
{
"id": "SOL-2024-001",
"title": "Unprotected Initialization",
"name": "Unprotected Initialization",
"description": "...",
"cvss": 9.8,
"severity": "critical",
"category": "access-control",
"affected_versions": "soroban-sdk <=20.5.0",
"pattern": "fn\\s+(initialize|init)\\s*\\([^)]*\\)(?![\\s\\S]*?require_auth)",
"poc_exploit": "contract.initialize(attacker_address, &env);",
"patch": "admin.require_auth();",
"recommendation": "Add require_auth() or verify not-yet-initialized.",
"references": ["https://soroban.stellar.org/docs/fundamentals/authorization"],
"tags": ["initialization", "ownership", "access-control"],
"related_cves": []
}
]
}
Required fields for each entry (must be present in custom databases): id, name, description, severity, category, pattern, recommendation.
Optional fields (may be omitted): title (display alias for name), cvss, affected_versions, poc_exploit, patch. The array fields references, tags, and related_cves default to [] if omitted.
The pattern field is a Rust-compatible regex applied to source files during sanctifier analyze. If a pattern is malformed it is silently skipped so the rest of the scan proceeds normally.
Using a custom vulnerability database
Pass --vuln-db to sanctifier analyze to replace the embedded database with your own:
sanctifier analyze ./contracts --vuln-db path/to/custom.json
Your JSON file must conform to the schema above. Custom entries can introduce new id values (e.g. an internal INT-2024-001 scheme), extend existing categories, or override patterns for your codebase. The full built-in database is available as a starting point via:
sanctifier cve export --format json -o custom.json
Add your project-specific detection rules to the exported JSON and commit it to the repository. CI can then run sanctifier analyze . --vuln-db .sanctifier/custom-vulndb.json to enforce company-wide patterns alongside the community entries.
Complete vulnerability index
The current database (version 2.0.0, last updated 2026-06-25) contains 32 entries. Run sanctifier cve list to see the full list at any time.
# Quick overview of all entries sorted by severity
sanctifier cve list --severity critical
sanctifier cve list --severity high
sanctifier cve list --severity medium
sanctifier cve list --severity low
| ID | Name | Severity | CVSS | Category |
|---|
| SOL-2024-001 | Unprotected Initialization | critical | 9.8 | access-control |
| SOL-2024-002 | Missing Auth on Token Transfer | critical | 9.8 | access-control |
| SOL-2024-006 | Unprotected Mint Function | critical | 9.8 | access-control |
| SOB-2024-018 | Upgrade Authorization Bypass | critical | 9.9 | access-control |
| SOB-2024-023 | Unprotected WASM Hash Upgrade | critical | 9.1 | access-control |
| SOB-2024-027 | Flash Loan Callback Reentrancy | critical | 9.0 | reentrancy |
| SOB-2024-028 | Contract Reinitialization After Upgrade | critical | 9.0 | access-control |
| SOB-2024-029 | Unchecked Auth on Burn Function | critical | 9.1 | access-control |
| SOL-2024-003 | Unchecked Balance Underflow | high | 8.1 | arithmetic |
| SOL-2024-005 | Hardcoded Admin Key | high | 7.5 | access-control |
| SOL-2024-007 | Unbounded Loop Over Storage | high | 7.5 | resource |
| SOL-2024-009 | Missing Allowance Check in transfer_from | high | 8.6 | access-control |
| SOL-2024-012 | Integer Overflow in Token Arithmetic | high | 7.5 | arithmetic |
| SOB-2024-013 | Stale Price Oracle Data | high | 8.2 | oracle |
| SOB-2024-014 | Weak Randomness via Ledger Sequence | high | 7.4 | randomness |
| SOB-2024-015 | Cross-Contract Reentrancy | high | 8.8 | reentrancy |
| SOB-2024-019 | Admin Transfer Without Timelock | high | 7.8 | access-control |
| SOB-2024-020 | Confused Deputy Attack | high | 8.5 | access-control |
| SOB-2024-022 | Token Decimal Precision Mismatch | high | 7.1 | arithmetic |
| SOB-2024-026 | TWAP Oracle Manipulation via Flash Loan | high | 8.2 | oracle |
| SOB-2024-031 | Multi-Signer Weight Bypass | high | 8.1 | access-control |
| SOB-2024-032 | Unchecked Token Issuer Validation | high | 7.8 | access-control |
| SOL-2024-004 | Missing TTL Extension | medium | 6.5 | storage |
| SOL-2024-008 | Cross-Contract Call Without Error Handling | medium | 6.5 | error-handling |
| SOL-2024-010 | Timestamp Manipulation Risk | medium | 5.3 | oracle |
| SOL-2024-011 | Silent Error Swallowing with unwrap_or_default | medium | 5.9 | error-handling |
| SOB-2024-016 | Storage Key Collision | medium | 6.8 | storage |
| SOB-2024-017 | Allowance Race Condition | medium | 6.5 | access-control |
| SOB-2024-021 | Fee Rounding Manipulation | medium | 5.4 | arithmetic |
| SOB-2024-024 | Silent Panic in Soroban Contract Function | medium | 4.3 | error-handling |
| SOB-2024-025 | Instance Storage Capacity DoS | medium | 6.5 | storage |
| SOB-2024-030 | Event Topic Count Inconsistency | low | 3.5 | events |