

History of Solana Security Incidents: A Deep Dive

by Helius

Total Prizes: 6,000 USDC

  • 1st: 3,750 USDC

  • 2nd: 1,500 USDC

  • 3rd: 750 USDC

Submissions: 54

REDACTED TRACK

This is a track for the Redacted hackathon, hosted exclusively on Superteam Earn.


Helius x Pashov Audit Group

This is a joint bounty between Helius and Pashov Audit Group, a leading smart contract security company. Pashov Audit Group has completed over 150 audits, including contracts for Pump Fun, LayerZero, and more. Their audits help secure over $20B in TVL, and they are a trusted voice in the blockchain security space.

Introduction

Security is the foundation of any blockchain network, and Solana has faced its share of challenges over the years. From high-profile application exploits like Wormhole to supply chain attacks on widely used libraries like Solana/web3.js, each incident has tested the network’s resilience and response mechanisms. This bounty invites researchers to provide a rigorous, data-driven analysis of Solana’s security history—examining the root causes, repercussions, and lessons learned from past vulnerabilities.

We encourage participants to classify and analyze security incidents across different categories, including application-level exploits, supply chain attacks, and core protocol vulnerabilities. How frequent have these incidents been? What were the total losses, and who bore the impact? How has Solana’s security response evolved over time, from incident response speed to the effectiveness of bug bounty programs?

This competition is an opportunity to create a detailed and well-documented historical account of security incidents on Solana—tracking their occurrence, impact, and the network’s approach to mitigation over time.

Let the investigation begin!

Bounty Scope 

A long-form research article, at least 3,000 words in length, posted on a blogging site (e.g., Medium, Substack, Notion, etc.) that is publicly viewable upon deadline.

Example Categories

Example Aspects

  • Root causes

  • Repercussions

  • Incident Response

  • Remediations

  • Lessons learnt

  • User losses (if any)

Example Data Analysis

  • Frequency of security incidents, classified by type and severity

  • Total funds lost and by whom

  • Bug bounty programs available and awards issued

  • Response times

Reward Structure

The first-place winner will receive $3,750 and the chance to have their article published on the Helius blog. Second and third place will pay $1,500 and $750 respectively.

  • 1st place — $3,750

  • 2nd place — $1,500

  • 3rd place — $750

Note: An additional $1,000 was added to this bounty on Tuesday, April 1st.

Judging Criteria

1. Accuracy: factual accuracy of the information and the relevance of the data used

2. Writing Style: quality, conciseness, readability, and engagement level of your content

3. Originality: novelty of insights and analysis

4. Rich Media & Presentation: use of data dashboards, original charts and diagrams, etc.

5. Resources: inclusion of high-quality resources to support your research 


Bonus points if you post your article on X and tag @heliuslabs.

Content Criteria 

Your article will be rejected:

  • If it is not written in English.

  • If the contents of the submission are less than 3,000 words.

  • If it is found to be plagiarized or stolen.

  • If it fails to include and cite proper references.

  • If your submission is not publicly viewable on and after the submission deadline. Submissions of private links will not be eligible.

Resources 

SKILLS NEEDED

Content

Other

CONTACT

Reach out if you have any questions about this initial Bounty