Solana Loses Less to Hacks Than Rival Networks: Certora Explains Why

Funds lost to hacks and exploits are proportionally lower on Solana than on rival networks - Why?

While blockchain advocates celebrate an incredible year for the industry, nefarious actors across the space have been enjoying their own bull run.

Analysts report that 2025 has been a bumper year for foul play. In the first half of the year alone, bad actors stole over $1.93B in crypto-related crimes, eclipsing the amount lost to hacks and scams across the entirety of 2024.

But despite unprecedented levels of malice across crypto, Solana has, at least at the protocol and application level, remained resoundingly secure. While EVM networks have suffered over $220M in hacks in 2025, Solana-based apps have come out largely unscathed, losing roughly $18M to exploits at this stage of the year.

Speaking exclusively with Seth Hallem, CEO of Certora, a leading blockchain security firm, SolanaFloor dove into the details to get to the bottom of this vast discrepancy and find out if Solana really is inherently a safer space to operate.

Why Does Solana Suffer Fewer Hacks than EVM?

One look at DefiLlama’s hack list paints an unfortunate picture. Taking a snapshot of a month’s worth of crypto exploits, EVM chains are heavily overrepresented, especially when compared to Solana and its adjacent SVM networks. Solana’s Texture hack in July was one of only three exploits on the network in that window, compared to dozens across EVM-based chains.

[Figure: DefiLlama hack list, one-month snapshot]

While exchange hacks, like the $1.4B Bybit exploit, consistently rank as the biggest and most damaging security events, flaws in protocol logic are far and away the most common vulnerability exploited by malicious actors.

Hallem attributes Solana’s dramatically lower hack and exploit volume to how Solana programs are built. Written predominantly in Rust, a general-purpose language with a large existing ecosystem of tooling and experienced reviewers, rather than in a blockchain-specific language like Solidity, Solana development starts from a more accessible and battle-tested set of building blocks than what EVM developers are required to use.

“Solana contracts are built on Rust, which is a far more widely adopted and familiar programming language than Solidity. Any time there is a learning curve for a developer, there is an entirely fresh set of security rules and practices to learn… Solana was developed with concepts like reusability and upgradability in mind from the beginning. This allows developers to build on top of an ever-growing library of building blocks. The more you can centralize functionality and reuse, the more opportunity you have to invest heavily in security once for the benefit of the entire community.”

Additionally, Hallem pointed out that, as the dramatically larger network, the EVM landscape simply offers far more fertile ground for attackers. Ethereum’s TVL is roughly 595% larger than Solana’s, discounting Layer-2s.

“EVM chains remain a larger and more profitable target - as Solana grows, the number of attacks targeting Solana chains will grow too.”

However, while Hallem correctly points out that Ethereum’s attack surface is significantly larger, Solana’s hack volume is still proportionately smaller. Measured as a share of TVL, Ethereum’s 2025 hack losses represent 0.22% of the value locked on the chain, compared to 0.12% on Solana.

When You Can’t Verify, Who Can You Trust?

Despite its position as a hallmark of crypto’s fundamental ethos, self-custody is something of a double-edged sword. The onchain economy may be an abundant financial playground with boundless opportunities, but all it takes is one rogue link-click or unsuspecting contract interaction to leave users with nothing.

Crypto advocates preach the “don’t trust, verify” mantra ad nauseam, but the reality is that the vast majority of blockchain users are not capable of analyzing onchain, open-source contracts.

“Don’t trust, verify” is even harder to act on in Solana’s case, where most applications run closed-source programs with no published source to read. This leaves users in a tricky position: if you’re unable to verify, how can you possibly trust?

“The average end user gains little by analyzing a Rust contract, but they should be vigilant about who the trusted auditors are in the space, who has audited each Solana program they intend to use, and what the auditor had to say about that program.”

This is where reputable security firms like Certora earn their stripes and cement themselves as the unsung heroes of the onchain economy. Hallem compares blockchain security auditors to the expert lawyers of the web2 world: they abstract away the incredibly complicated minutiae of onchain contracts, flag potential vulnerabilities, and work alongside developer teams to close attack vectors.

“Safety on-chain is a trillion-dollar question, and it is ultimately the reason why companies like Certora exist. The best way to think about it is by taking the web3 ethos that "code is law" and applying it by analogy. Most of us have neither the expertise nor the patience to read each law passed by the US Congress. Instead, we rely on secondary sources that are more accessible - news articles that explain laws relevant to us, and, when in doubt, lawyers who specialize in interpreting the law. The web3 world is the same - audit firms like Certora act as intermediaries, working with contract developers to ensure security, but also acting as an interpreter of trust for the end-user community.”

As one of Solana’s most reliable auditors, Certora is undeniably one of the network’s favorite “interpreters of trust”.

Solana’s DeFi giants, including platforms like Jito and Kamino, which hold multiple billions in TVL, routinely turn to Certora for security audits to ensure their users’ safety. As of August 2025, Certora has secured over $9B of funds on Solana, a figure that has likely grown in recent weeks following $SOL’s recent price surge.

Staying Ahead of Hackers

Blockchain security is a delicate game of cat-and-mouse. Hackers are constantly developing new attack vectors and strategies, meaning even applications that can be considered ‘safe’ need to stay abreast of new exploit trends. 

Hallem describes Certora’s auditing as a two-pronged approach. Between Certora’s highly experienced team of auditors and technologies like its formal verification tools, the firm’s proactive stance protects both apps and users.

“Certora's strength as an auditor is built on two key pillars: people and technology. People come first, and we take pride in assembling a talented group of web3 security experts and providing them with an environment that encourages them to do their best work. To put our teams in the best position to succeed, we always assign at least two auditors to a project, and we are constantly innovating in our audit process."

Beyond assigning multiple auditors to every project, Certora also leverages powerful security tools to identify vulnerabilities. 

“Technology is the second pillar of what we do - we build innovative, industry-leading tools that we use to find vulnerabilities in smart contracts and, increasingly, to guide our auditors to the suspicious areas of a contract that require further investigation.”

Formal verification tools like the firm’s proprietary Certora Prover check a smart contract’s compiled bytecode against a formal specification of its intended behaviour (the rules and invariants it must always satisfy), exploring the contract’s reachable states and execution paths to either prove the property or surface a concrete sequence of calls that violates it.
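To make concrete what “flaws in protocol logic” and “analyzing contract states and paths” mean in practice, here is an added illustration that is not code from the article, from Certora, or from the Certora Prover. It is a toy Rust ledger with a withdraw instruction whose logic is flawed (a saturating subtraction that lets an account drain more than it owns) beside a hardened version, plus a bounded breadth-first explorer that enumerates every instruction sequence up to a small depth and reports the shortest one that breaks the invariant “recorded balances sum to the vault’s reserves”. A real prover discharges the unbounded property symbolically rather than by enumeration; this example only shows the shape of the question being asked. All names (Ledger, Op, explore) and amounts are constructed for the example.

```rust
// Added example: toy ledger + bounded state exploration. Not Certora's code,
// not the Prover, not from the article. Names and amounts are constructed.
use std::collections::{HashSet, VecDeque};

const ACCOUNTS: usize = 2;

#[derive(Clone, PartialEq, Eq, Hash, Debug)]
struct Ledger {
    balances: [u64; ACCOUNTS], // per-user balance the program records
    reserves: u64,             // tokens the vault actually holds
}

#[derive(Clone, Copy, Debug)]
enum Op {
    Deposit { acct: usize, amount: u64 },
    Withdraw { acct: usize, amount: u64 },
}

impl Ledger {
    fn new() -> Self { Ledger { balances: [0; ACCOUNTS], reserves: 0 } }

    /// The invariant a spec would state as a rule: recorded balances must
    /// always equal what the vault holds.
    fn invariant_holds(&self) -> bool {
        self.balances.iter().sum::<u64>() == self.reserves
    }

    fn deposit(&mut self, acct: usize, amount: u64) -> Result<(), &'static str> {
        let nb = self.balances[acct].checked_add(amount).ok_or("overflow")?;
        let nr = self.reserves.checked_add(amount).ok_or("overflow")?;
        self.balances[acct] = nb;
        self.reserves = nr;
        Ok(())
    }

    /// Flawed logic: saturating_sub clamps the balance to zero instead of
    /// rejecting the call, so an account can withdraw more than it owns.
    fn withdraw_flawed(&mut self, acct: usize, amount: u64) -> Result<(), &'static str> {
        if amount > self.reserves { return Err("vault empty"); }
        self.balances[acct] = self.balances[acct].saturating_sub(amount);
        self.reserves -= amount; // safe: amount <= reserves was checked above
        Ok(())
    }

    /// Hardened logic: checked_sub fails before any state is touched, so a
    /// rejected instruction leaves the ledger exactly as it was.
    fn withdraw_checked(&mut self, acct: usize, amount: u64) -> Result<(), &'static str> {
        let nb = self.balances[acct].checked_sub(amount).ok_or("insufficient balance")?;
        let nr = self.reserves.checked_sub(amount).ok_or("vault empty")?;
        self.balances[acct] = nb;
        self.reserves = nr;
        Ok(())
    }
}

/// Breadth-first search over all instruction sequences up to `depth` drawn
/// from a small amount domain. Returns the shortest sequence reaching a state
/// that violates the invariant, or None if no such state exists within bound.
fn explore(
    withdraw: fn(&mut Ledger, usize, u64) -> Result<(), &'static str>,
    depth: usize,
) -> Option<Vec<Op>> {
    let amounts = [1u64, 2, 3];
    let mut ops = Vec::new();
    for acct in 0..ACCOUNTS {
        for &amount in &amounts {
            ops.push(Op::Deposit { acct, amount });
            ops.push(Op::Withdraw { acct, amount });
        }
    }
    let mut seen: HashSet<Ledger> = HashSet::new();
    let mut queue: VecDeque<(Ledger, Vec<Op>)> = VecDeque::new();
    queue.push_back((Ledger::new(), Vec::new()));
    while let Some((state, path)) = queue.pop_front() {
        if !state.invariant_holds() { return Some(path); }
        if path.len() == depth || !seen.insert(state.clone()) { continue; }
        for &op in &ops {
            let mut next = state.clone();
            let result = match op {
                Op::Deposit { acct, amount } => next.deposit(acct, amount),
                Op::Withdraw { acct, amount } => withdraw(&mut next, acct, amount),
            };
            if result.is_err() { continue; } // a failed instruction is rolled back
            let mut next_path = path.clone();
            next_path.push(op);
            queue.push_back((next, next_path));
        }
    }
    None
}

fn main() {
    match explore(Ledger::withdraw_flawed, 4) {
        Some(path) => println!("invariant broken by: {:?}", path),
        None => println!("no counterexample within bound"),
    }
    println!("hardened program: {:?}", explore(Ledger::withdraw_checked, 4));
}
```

Run with `cargo run` or `rustc`: the flawed program yields a two-instruction counterexample (deposit into one account, then withdraw the same amount from the other, empty account), while the hardened program produces no counterexample within the bound. The point of the exercise is that the dangerous path is short and easy to miss in review but mechanical to find once the invariant is written down; a prover generalizes the same idea to all amounts and all sequence lengths.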

“Attackers are innovating too, and to try to stay ahead we follow two disparate paths. The first is to make sure that we are always aware of the latest attack vectors and how those vectors can impact our customers, but that is ultimately a reactive perspective. The second is to use formal verification, the core technology at the heart of Certora, to mathematically guarantee the absence of entire categories of failure that can make a contract vulnerable.”

Formal verification is widely championed by security thought-leaders across Solana, including Kamino founder Marius Ciubotariu and, of course, Solana co-founder Anatoly Yakovenko.

Auditor Liability

One of the biggest misconceptions permeating the crypto space is the notion that audited protocols are impervious to exploits. The uncomfortable reality is that a security audit is by no means a guarantee that a protocol or application is safe to use.

Instead, crypto-natives should see audits as a genuine, honest effort made by experts to protect people to the very best of their ability. Hallem opines that if an audited protocol is hacked, the onus and liabilities of the exploit ultimately lie with the application, not the auditor.

“Auditors play a key role in establishing the trust of the web3 ecosystem, and in that position the reputation of an audit firm is paramount. Much like a tax auditor, I think that the liability of an auditor is not about whether or not a protocol is hacked, but instead about whether or not the auditor is honest. Many companies have successfully hidden tax shelters and other illegal maneuvers from their tax auditors, and as long as the auditor made a good faith effort to conduct a thorough and complete audit, the liability for those choices lies with the company, not the auditor. In the web3 space, we feel a similar obligation to do a thorough analysis of our customers' code and to produce an honest report of our findings. However, we are still just advisors to our customers - we are not in full control of their decisions on exactly what software to release and how - and given the nature of what we do, our work is always incomplete - attackers innovate, and vulnerabilities increasingly rely on interactions that go beyond the code we audit.”

Web2 comparisons aside, Hallem makes a pertinent observation about the role of blockchain auditors in an industry that loves to play the blame game. Despite all the progress being made in the blockchain industry, participants still need to remain critical, vigilant, and objective, without blindly trusting applications and security firms.

“The real answer to web3 security lies far beyond the audit as a single point of failure - the industry needs a broader, more comprehensive solution to the security challenges in web3, and as a company Certora is aiming to provide that broader picture. Smart contract vulnerabilities will not go away, but we can learn from other industries where a combination of technologies and a "defense in depth" mentality has yielded a layered approach that allows us to feel safe in our online interactions. The same can, and should apply in web3 as the industry matures.”

Crypto will likely remain, at least for the foreseeable future, the wild west of finance. As long as the onchain economy continues to offer fertile ground for exploits and permissionless money, the space will continue to be plagued by nefarious and extractive players. 

But just as bad actors will persist, good actors serve as a counterbalance. Security firms like Certora, while no guarantee of absolute safety, remain one of the strongest layers of defense against foul play.
