Skip to main content

Documentation Index

Fetch the complete documentation index at: https://mintlify.com/Centurylong/sanctifier/llms.txt

Use this file to discover all available pages before exploring further.

Sanctifier ships with a community-sourced vulnerability database that catalogs known security issues affecting Soroban contracts and the broader Stellar ecosystem. Every entry carries a structured identifier, CVSS score, a regex detection pattern, a proof-of-concept exploit, and a concrete patch snippet. The database is embedded directly in the CLI binary so scans work fully offline, and you can layer in your own entries by supplying a custom JSON file.

ID scheme

Vulnerability identifiers follow one of two schemes:
PrefixScopeExample
SOB-YYYY-NNNSoroban-specific issues (DeFi math, Kani-detectable patterns, reentrancy)SOB-2024-015
SOL-YYYY-NNNStellar/broader platform issues (auth flows, storage TTL, initialization)SOL-2024-001
The year component reflects when the entry was catalogued; NNN is a zero-padded sequential number within that year.

Vulnerability categories

CategoryDescription
access-controlMissing require_auth, unprotected admin/mint/burn/upgrade functions
arithmeticInteger overflow, underflow, fee rounding, decimal precision mismatches
storageTTL expiry, key collisions, instance-storage capacity exhaustion
reentrancyCross-contract re-entry before state finalization, flash loan callbacks
oracleStale price data, TWAP manipulation via flash loans
randomnessPredictable on-chain randomness derived from ledger sequence/timestamp
error-handlingSilent unwrap_or_default, unhandled Result, opaque panic!
resourceUnbounded loops exhausting the CPU instruction budget
eventsInconsistent event topic counts breaking off-chain indexers

CLI commands

Keyword search matches the vulnerability ID, name, description, tags, and category fields.
sanctifier cve search --keyword reentrancy
Use --format json to get machine-readable output for piping:
sanctifier cve search --keyword reentrancy --format json

List with filters

Filter by category, severity, or both:
sanctifier cve list --category access-control --severity high
# All critical findings in the arithmetic category
sanctifier cve list --category arithmetic --severity critical
Supported severity values: critical, high, medium, low.

Show a single entry

Display full details — description, PoC exploit, patch, recommendation, references, and tags — for one vulnerability:
sanctifier cve show SOL-2024-001
sanctifier cve show SOB-2024-015

Export

Export the entire database as a JSON file or an RSS 2.0 feed:
# Export to a local JSON file
sanctifier cve export --format json -o vulndb.json
# Print an RSS feed to stdout (pipe to a file, curl endpoint, etc.)
sanctifier cve export --format rss

Local HTTP server

Spin up a minimal HTTP server that exposes the database as a REST API:
sanctifier cve serve --port 7654
The server exposes three routes:
RouteResponse
GET /api/vulndbFull database as JSON
GET /api/vulndb/<id>Single entry JSON (e.g. /api/vulndb/SOB-2024-015)
GET /api/vulndb/feed.rssRSS 2.0 feed
The server listens on 127.0.0.1 only. It is intended for local tooling integration, not production exposure.

Vulnerability entries

Below are representative entries from the database, spanning different ID schemes and categories.

SOL-2024-001 — Unprotected Initialization (critical, CVSS 9.8)

id: SOL-2024-001
title: Unprotected Initialization
severity: critical
cvss: 9.8
category: access-control
affected_versions: "soroban-sdk <=20.5.0"
description: >
  Contract initialize/init function lacks access control, allowing anyone to
  re-initialize and take ownership. A second caller can overwrite the admin
  address and permanently hijack the contract.
recommendation: >
  Add require_auth() check or verify the contract has not been initialized
  before accepting parameters.
tags: [initialization, ownership, access-control]
Patch:
// Guard against re-initialization and require admin auth
if env.storage().instance().has(&DataKey::Admin) {
    panic!("already initialized");
}
admin.require_auth();
env.storage().instance().set(&DataKey::Admin, &admin);

SOL-2024-005 — Hardcoded Admin Key (high, CVSS 7.5)

id: SOL-2024-005
title: Hardcoded Admin Key
severity: high
cvss: 7.5
category: access-control
affected_versions: "soroban-sdk <=20.5.0"
description: >
  Admin addresses embedded directly in contract source code cannot be rotated,
  and if compromised represent a permanent and irrecoverable security failure.
recommendation: >
  Store admin addresses in contract storage and set them during initialization.
tags: [hardcoded, admin, key-management]
Patch:
fn get_admin(env: &Env) -> Address {
    env.storage().instance().get(&DataKey::Admin).unwrap()
}

SOB-2024-013 — Stale Price Oracle Data (high, CVSS 8.2)

id: SOB-2024-013
title: Stale Price Oracle Data
severity: high
cvss: 8.2
category: oracle
affected_versions: "soroban-sdk <=20.5.0"
description: >
  Using oracle prices without validating their freshness allows attackers to
  exploit price latency: stale prices let liquidations be triggered at outdated
  rates or allow undercollateralized borrows to proceed.
recommendation: >
  Validate oracle price timestamps and reject prices older than an acceptable
  threshold.
tags: [oracle, price, defi, staleness]
Patch:
const MAX_PRICE_AGE_SECS: u64 = 60;
let price_age = env.ledger().timestamp() - oracle_update_time;
if price_age > MAX_PRICE_AGE_SECS {
    panic!("stale oracle price");
}

SOB-2024-015 — Cross-Contract Reentrancy (high, CVSS 8.8)

id: SOB-2024-015
title: Cross-Contract Reentrancy
severity: high
cvss: 8.8
category: reentrancy
affected_versions: "soroban-sdk <=20.5.0"
description: >
  A Soroban contract that calls an external contract before finalizing its own
  state updates can be re-entered if the callee calls back into the original
  contract, corrupting intermediate state.
recommendation: >
  Apply the Checks-Effects-Interactions pattern: finalize all state changes
  before invoking external contracts.
tags: [reentrancy, cross-contract, checks-effects-interactions]
Patch (Checks-Effects-Interactions):
// 1. Check
if balance < amount { panic!("insufficient"); }
// 2. Effect – update state FIRST
set_balance(&env, &user, balance - amount);
// 3. Interaction – call external last
token_client.transfer(&env, env.current_contract_address(), user, amount);
SOB-2024-015 and SOB-2024-027 (Flash Loan Callback Reentrancy) are related. If your contract implements flash loans, review both entries.

Database JSON structure

The embedded database and any custom override follow this schema:
{
  "version": "2.0.0",
  "last_updated": "2026-06-25",
  "description": "Community-sourced vulnerability database of known Soroban and Stellar CVEs",
  "vulnerabilities": [
    {
      "id": "SOL-2024-001",
      "title": "Unprotected Initialization",
      "name": "Unprotected Initialization",
      "description": "...",
      "cvss": 9.8,
      "severity": "critical",
      "category": "access-control",
      "affected_versions": "soroban-sdk <=20.5.0",
      "pattern": "fn\\s+(initialize|init)\\s*\\([^)]*\\)(?![\\s\\S]*?require_auth)",
      "poc_exploit": "contract.initialize(attacker_address, &env);",
      "patch": "admin.require_auth();",
      "recommendation": "Add require_auth() or verify not-yet-initialized.",
      "references": ["https://soroban.stellar.org/docs/fundamentals/authorization"],
      "tags": ["initialization", "ownership", "access-control"],
      "related_cves": []
    }
  ]
}
Required fields for each entry (must be present in custom databases): id, name, description, severity, category, pattern, recommendation. Optional fields (may be omitted): title (display alias for name), cvss, affected_versions, poc_exploit, patch. The array fields references, tags, and related_cves default to [] if omitted. The pattern field is a Rust-compatible regex applied to source files during sanctifier analyze. If a pattern is malformed it is silently skipped so the rest of the scan proceeds normally.

Using a custom vulnerability database

Pass --vuln-db to sanctifier analyze to replace the embedded database with your own:
sanctifier analyze ./contracts --vuln-db path/to/custom.json
Your JSON file must conform to the schema above. Custom entries can introduce new id values (e.g. an internal INT-2024-001 scheme), extend existing categories, or override patterns for your codebase. The full built-in database is available as a starting point via:
sanctifier cve export --format json -o custom.json
Add your project-specific detection rules to the exported JSON and commit it to the repository. CI can then run sanctifier analyze . --vuln-db .sanctifier/custom-vulndb.json to enforce company-wide patterns alongside the community entries.

Complete vulnerability index

The current database (version 2.0.0, last updated 2026-06-25) contains 32 entries. Run sanctifier cve list to see the full list at any time.
# Quick overview of all entries sorted by severity
sanctifier cve list --severity critical
sanctifier cve list --severity high
sanctifier cve list --severity medium
sanctifier cve list --severity low
IDNameSeverityCVSSCategory
SOL-2024-001Unprotected Initializationcritical9.8access-control
SOL-2024-002Missing Auth on Token Transfercritical9.8access-control
SOL-2024-006Unprotected Mint Functioncritical9.8access-control
SOB-2024-018Upgrade Authorization Bypasscritical9.9access-control
SOB-2024-023Unprotected WASM Hash Upgradecritical9.1access-control
SOB-2024-027Flash Loan Callback Reentrancycritical9.0reentrancy
SOB-2024-028Contract Reinitialization After Upgradecritical9.0access-control
SOB-2024-029Unchecked Auth on Burn Functioncritical9.1access-control
SOL-2024-003Unchecked Balance Underflowhigh8.1arithmetic
SOL-2024-005Hardcoded Admin Keyhigh7.5access-control
SOL-2024-007Unbounded Loop Over Storagehigh7.5resource
SOL-2024-009Missing Allowance Check in transfer_fromhigh8.6access-control
SOL-2024-012Integer Overflow in Token Arithmetichigh7.5arithmetic
SOB-2024-013Stale Price Oracle Datahigh8.2oracle
SOB-2024-014Weak Randomness via Ledger Sequencehigh7.4randomness
SOB-2024-015Cross-Contract Reentrancyhigh8.8reentrancy
SOB-2024-019Admin Transfer Without Timelockhigh7.8access-control
SOB-2024-020Confused Deputy Attackhigh8.5access-control
SOB-2024-022Token Decimal Precision Mismatchhigh7.1arithmetic
SOB-2024-026TWAP Oracle Manipulation via Flash Loanhigh8.2oracle
SOB-2024-031Multi-Signer Weight Bypasshigh8.1access-control
SOB-2024-032Unchecked Token Issuer Validationhigh7.8access-control
SOL-2024-004Missing TTL Extensionmedium6.5storage
SOL-2024-008Cross-Contract Call Without Error Handlingmedium6.5error-handling
SOL-2024-010Timestamp Manipulation Riskmedium5.3oracle
SOL-2024-011Silent Error Swallowing with unwrap_or_defaultmedium5.9error-handling
SOB-2024-016Storage Key Collisionmedium6.8storage
SOB-2024-017Allowance Race Conditionmedium6.5access-control
SOB-2024-021Fee Rounding Manipulationmedium5.4arithmetic
SOB-2024-024Silent Panic in Soroban Contract Functionmedium4.3error-handling
SOB-2024-025Instance Storage Capacity DoSmedium6.5storage
SOB-2024-030Event Topic Count Inconsistencylow3.5events

Build docs developers (and LLMs) love