Full Report
Solana forking doesn't really exist. This is an amazing innovation for writing proofs of concept locally.
Analysis Summary
# Tool/Technique: Surfpool (Surfnet)
## Overview
Surfpool is a specialized Solana development and simulation framework designed to act as a drop-in replacement for `solana-test-validator`. Its primary purpose is to provide a "Mainnet forking" capability, allowing developers to clone real-world blockchain state (accounts, programs, and token balances) into a local environment for high-fidelity simulation. In a security context, this tool is highly effective for developing and testing **Proof of Concepts (PoCs)** for smart contract exploits without incurring financial costs or alerting on-chain monitoring systems.
## Technical Details
- **Type:** Development Tool / Simulation Framework (Dual-use)
- **Platform:** Solana Blockchain (SVM - Solana Virtual Machine)
- **Capabilities:** Mainnet state forking, RPC "cheatcodes" for state manipulation, Infrastructure-as-Code (IaC) deployment, and transaction debugging.
- **First Seen:** Q4 2024 / Q1 2025 (Active development)
## MITRE ATT&CK Mapping
*Note: Surfpool is a local simulator rather than malware, so the mappings below are loose analogies to how an operator might use it, not observed adversary behaviour in a victim environment.*
- **[TA0007 - Discovery]**
- [T1613 - Container and Resource Discovery]: Loose analogy only. Forking Mainnet state lets an operator map a target program's account layout and cross-program dependencies offline, without touching the live network.
- **[TA0008 - Lateral Movement]**
- [T1570 - Lateral Tool Transfer]: Weak fit; T1570 describes moving tools between hosts in a compromised network. The only parallel is rehearsing multi-account, cross-protocol transaction flows in the fork before running them on-chain.
- **[TA0040 - Impact]**
- [T1496 - Resource Hijacking]: Weak fit; the fork is used to rehearse the on-chain impact of a malicious transaction before execution, not to hijack compute on a victim host.
## Functionality
### Core Capabilities
- **Mainnet Forking:** Clones Mainnet accounts and program data to a local environment, enabling testing against real-world liquidity and state.
- **Universal Faucet:** Allows for the instant generation of SOL, USDC, USDT, and BONK within the local fork.
- **Drop-in Validator Replacement:** Replaces standard Solana test validators to provide enhanced RPC methods.
### Advanced Features
- **RPC Cheatcodes (`surfnet_*`):**
- `surfnet_setAccount`: Arbitrarily modify account data.
- `surfnet_timeTravel`: Manipulate the network clock/slot to test time-lock bypasses or oracle staleness.
- `surfnet_setTokenBalance`: Grant any amount of SPL tokens to a target wallet address.
- **Surfpool Studio:** A web-based interface (localhost:18488) providing byte-level diffs of account changes and compute unit (CU) profiling for optimized exploit execution.
- **IDL-to-SQL Pipeline:** Syncs deployment data with relational databases for complex state tracking.
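The cheatcodes above are plain JSON-RPC methods served by the local validator, so a PoC drives them with any JSON-RPC 2.0 client. The following is an added example, not Surfpool's own client library: it frames requests, surfaces JSON-RPC error objects as exceptions, and wraps two cheatcodes. Only the JSON-RPC 2.0 framing and the method names on this page are taken as given; the parameter layouts in the convenience wrappers, the placeholder wallet string and the default endpoint `http://localhost:8899` are assumptions made for illustration and must be checked against the Surfpool docs.

```python
"""Minimal JSON-RPC 2.0 client for driving a local Surfnet fork from a PoC.

Added example, not Surfpool's own client library. Taken as given: JSON-RPC
2.0 framing and the cheatcode names listed on this page. ASSUMED for
illustration: the parameter layouts in the convenience wrappers, the
placeholder wallet string, and the default endpoint http://localhost:8899.
"""
import itertools
import json
import urllib.request


class RpcError(Exception):
    """Raised when the node returns a JSON-RPC error object."""

    def __init__(self, code, message, data=None):
        super().__init__(f"RPC error {code}: {message}")
        self.code = code
        self.message = message
        self.data = data


_ids = itertools.count(1)


def build_request(method, params=None):
    """Frame one JSON-RPC 2.0 request; the params key is omitted when None."""
    req = {"jsonrpc": "2.0", "id": next(_ids), "method": method}
    if params is not None:
        req["params"] = params
    return req


def parse_response(raw):
    """Return the result field, or raise RpcError for an error object.

    A Mainnet RPC answers any surfnet_* method with JSON-RPC code -32601
    (Method not found); only a Surfnet fork answers with a result.
    """
    resp = json.loads(raw)
    err = resp.get("error")
    if err is not None:
        raise RpcError(err.get("code"), err.get("message"), err.get("data"))
    if "result" not in resp:
        raise RpcError(-32603, "malformed response: no result field")
    return resp["result"]


class SurfnetClient:
    def __init__(self, url="http://localhost:8899", timeout=30):
        self.url = url
        self.timeout = timeout

    def call(self, method, params=None):
        """POST one request to the node and return its result."""
        body = json.dumps(build_request(method, params)).encode()
        req = urllib.request.Request(
            self.url,
            data=body,
            headers={"Content-Type": "application/json"},
            method="POST",
        )
        with urllib.request.urlopen(req, timeout=self.timeout) as resp:
            return parse_response(resp.read())

    # Convenience wrappers. The parameter shapes below are ASSUMPTIONS made
    # for this example; verify them against the Surfpool docs before use.
    def set_token_balance(self, wallet, mint, amount):
        return self.call("surfnet_setTokenBalance", [wallet, mint, amount])

    def time_travel(self, absolute_slot):
        return self.call("surfnet_timeTravel", [{"absoluteSlot": absolute_slot}])

    def get_slot(self):
        return self.call("getSlot")


if __name__ == "__main__":
    # Demo against a running Surfnet. The wallet string is a placeholder;
    # the mint is the Mainnet USDC mint a fork would have cloned.
    client = SurfnetClient()
    wallet = "ExampleWallet1111111111111111111111111111111"
    usdc = "EPjFWdd5AufqSSqeM2qN1xzybapC8G4wEGGkZwyTDt1v"
    try:
        print("slot before:", client.get_slot())
        client.set_token_balance(wallet, usdc, 1_000_000 * 10**6)  # 1M USDC, 6 decimals
        client.time_travel(client.get_slot() + 10_000)
        print("slot after :", client.get_slot())
    except RpcError as e:
        if e.code == -32601:
            print("endpoint rejects cheatcodes: this is not a Surfnet fork")
        else:
            raise
```

The `-32601` branch is the practical fork-versus-Mainnet check: pointing the same script at a public RPC fails fast on the first cheatcode instead of silently doing nothing, which is the behaviour the detection notes further down rely on.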
## Indicators of Compromise
*Note: As a local development tool, indicators are primarily found on the developer/researcher machine.*
- **Network Indicators:**
- `http://localhost:8899` (Default RPC port)
- `http://localhost:18488` (Surfpool Studio default UI port)
- `run.surfpool[.]run` (Installation/Update domain)
- `docs.surfpool[.]run` (Documentation domain)
- **Process Behaviors:**
- Execution of `curl -sL hxxps://run.surfpool[.]run/ | bash` for automated installation (a pipe-to-shell install; fetch and review the script before allowing it on managed hosts).
- High local CPU/RAM usage consistent with running a local Solana validator.
## Associated Threat Actors
- **Security Researchers / Whitehats:** Used for responsible disclosure and bug hunting.
- **Exploit Developers:** Utilized to refine smart contract "drainers" or MEV (Maximal Extractable Value) bots in a private, sandboxed environment before mainnet deployment.
## Detection Methods
- **Behavioral Detection:**
- Monitoring application, proxy or RPC-gateway logs for `surfnet_*` methods (e.g. `surfnet_setTokenBalance`): these succeed only against a Surfnet fork, so their presence shows the traffic targeted a simulated fork rather than a legitimate network, and a bot or "drainer" codebase that emits them was developed against one.
- Detection of the Surfpool binary or its associated IDL-to-SQL pipelines in restricted environments.
- **YARA Rule Hint:** Scan for strings associated with the custom RPC methods:
```yara
rule Surfpool_Indicator
{
    meta:
        description = "Strings from Surfpool/Surfnet custom RPC methods and the Studio UI"
    strings:
        $s1 = "surfnet_setAccount"
        $s2 = "surfnet_timeTravel"
        $s3 = "surfnet_setTokenBalance"
        $s4 = "surfpool_studio"
    condition:
        any of them
}
```
Expect hits on the Surfpool binary itself and on any legitimate Solana tooling that targets a Surfnet; treat a match as a triage lead, not as proof of malicious intent.
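The behavioural check above (cheatcode method names in application logs), as an added Python example that is not part of Surfpool or of this report's original tooling: it decodes the JSON-RPC request body embedded in each log line, handles batch requests, and flags any method in the `surfnet_` namespace, so cheatcodes not on the list above are still caught. It also flags the two local ports listed under Indicators of Compromise. The log lines, parameter shapes and wallet string are constructed for illustration, and `surfnet_hypotheticalMethod` is a made-up name used only to show the unknown-cheatcode path.

```python
"""Flag Surfpool/Surfnet cheatcode RPC calls in JSON-RPC request logs.

Added example, not Surfpool's own code. The three method names come from
this page; the surfnet_ prefix is treated as a cheatcode namespace so new
methods are caught too. Sample log lines below are CONSTRUCTED.
"""
import json
from urllib.parse import urlparse

KNOWN_CHEATCODES = {
    "surfnet_setAccount",
    "surfnet_timeTravel",
    "surfnet_setTokenBalance",
}
CHEATCODE_PREFIX = "surfnet_"
# Default RPC port (shared with solana-test-validator) and Surfpool Studio port.
SURFNET_PORTS = {8899, 18488}
LOCAL_HOSTS = {"localhost", "127.0.0.1", "::1"}


def extract_requests(line):
    """Decode the JSON-RPC payload embedded in one log line.

    Returns a list of request dicts: one for a single request, several for a
    JSON-RPC batch (array), and [] for lines carrying no decodable request.
    Log prefixes such as timestamps are skipped by trying each '{' / '['.
    """
    starts = sorted(i for i in (line.find("{"), line.find("[")) if i >= 0)
    payload = None
    for start in starts:
        try:
            payload = json.loads(line[start:])
            break
        except json.JSONDecodeError:
            continue
    if payload is None:
        return []
    items = payload if isinstance(payload, list) else [payload]
    return [r for r in items if isinstance(r, dict) and isinstance(r.get("method"), str)]


def classify(method):
    """known_cheatcode, unknown_cheatcode (surfnet_ prefix) or standard."""
    if method in KNOWN_CHEATCODES:
        return "known_cheatcode"
    if method.startswith(CHEATCODE_PREFIX):
        return "unknown_cheatcode"
    return "standard"


def scan_log(lines):
    """Return one finding per cheatcode call, with its log line number."""
    findings = []
    for lineno, line in enumerate(lines, start=1):
        for req in extract_requests(line):
            kind = classify(req["method"])
            if kind != "standard":
                findings.append(
                    {"line": lineno, "method": req["method"], "kind": kind, "id": req.get("id")}
                )
    return findings


def is_local_surfnet_endpoint(url):
    """True when the RPC URL points at a local Surfnet/Studio default port."""
    u = urlparse(url)
    port = u.port if u.port is not None else (443 if u.scheme == "https" else 80)
    return (u.hostname or "") in LOCAL_HOSTS and port in SURFNET_PORTS


# Constructed sample: one standard call, two known cheatcodes, a non-JSON
# line, and a batch containing a made-up surfnet_ method.
SAMPLE_LOG = [
    '2025-01-15T10:00:01Z POST / {"jsonrpc":"2.0","id":1,"method":"getBalance",'
    '"params":["ExampleWallet1111111111111111111111111111111"]}',
    '2025-01-15T10:00:02Z POST / {"jsonrpc":"2.0","id":2,"method":"surfnet_setTokenBalance",'
    '"params":["ExampleWallet1111111111111111111111111111111",'
    '"EPjFWdd5AufqSSqeM2qN1xzybapC8G4wEGGkZwyTDt1v",1000000000000]}',
    '2025-01-15T10:00:03Z POST / {"jsonrpc":"2.0","id":3,"method":"surfnet_timeTravel",'
    '"params":[{"absoluteSlot":300000000}]}',
    "2025-01-15T10:00:04Z GET /health ok",
    '2025-01-15T10:00:05Z POST / [{"jsonrpc":"2.0","id":4,"method":"getSlot"},'
    '{"jsonrpc":"2.0","id":5,"method":"surfnet_hypotheticalMethod","params":[]}]',
]

if __name__ == "__main__":
    for f in scan_log(SAMPLE_LOG):
        print(f"line {f['line']}: {f['kind']} {f['method']} (id={f['id']})")
```

Because port 8899 is also the default for `solana-test-validator`, the endpoint check alone only says "local test network"; the `surfnet_*` method names are what identify a Surfnet specifically.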
## Mitigation Strategies
- **For Smart Contract Developers:**
- Ensure that production code does not rely on environment-specific assumptions (hard-coded addresses, expected balances, sysvar values) that hold only on Mainnet; a fork lets an attacker vary each of them freely while iterating on a PoC, so every such assumption becomes a cheap hypothesis to test.
- Bound on-chain time explicitly instead of assuming it advances normally: enforce maximum-age checks on oracle reads and absolute slot/timestamp checks on time-locks, because `surfnet_timeTravel` makes it trivial to test whether a stale price or an expired lock is still accepted.
- **For Infrastructure:**
- Block access to the Surfpool installation URL on corporate networks if blockchain development is not a sanctioned activity.
## Related Tools/Techniques
- **Anvil (Foundry):** The Ethereum equivalent for Mainnet forking and state manipulation.
- **Solana-test-validator:** The native tool Surfpool is designed to replace/enhance.
- **Bankrun:** A lightweight testing framework for Solana programs.