registry  /  @dynamic-labs-sdk/solana  /  1.19.0

@dynamic-labs-sdk/solana@1.19.0

This package contains the Solana (SVM) integration for the Dynamic SDK.

AI Security Review

scanned 2h ago · by lpm-firewall-ai

No confirmed malicious attack surface is established. The package exposes user-invoked Solana transaction and wallet-redirect functionality appropriate to its SDK role.

Static reason
High-risk behavior combination matched malicious policy.
Trigger
Application explicitly calls wallet connect, signing, or transfer APIs.
Impact
A caller can request wallet actions, but source shows no autonomous transfer, credential exfiltration, persistence, or install-time execution.
Mechanism
Builds transactions and delegates signing to the configured wallet provider.
Rationale
The scanner's wallet-drain signal maps to an explicit SDK transfer API that uses caller-supplied recipient and wallet account, then delegates signing to the wallet provider. Source inspection found no lifecycle execution or concrete unauthorized behavior.
Evidence
package.jsondist/index.esm.jsdist/solanaTransferAmount-B4keau5s.cjs
Network endpoints1
phantom.app/ul/v1

Decision evidence

public snapshot
AI called this Clean at 96.0% confidence as Benign with low false-positive risk.
Evidence for block
  • `dist/solanaTransferAmount-B4keau5s.cjs` builds SOL/SPL transfer transactions.
  • `dist/index.esm.js` signs and broadcasts only through the selected wallet provider.
  • `dist/index.esm.js` stores encrypted Phantom redirect session state.
Evidence against
  • `package.json` has no preinstall, install, postinstall, or prepare hook.
  • No child-process, filesystem-write, environment-harvesting, eval, or dynamic-code primitive found in `dist`.
  • Transfers require explicit amount, recipient, wallet account, and provider signing.
  • The only concrete remote URL is Phantom's documented deeplink base.
Behavioral surface
Source
Crypto
Supply chain
HighEntropyStringsUrlStrings
Manifest
NoLicense
scanned 21 file(s), 241 KB of source, external domains: phantom.app

Source & flagged code

2 flagged · loading source
dist/index.esm.jsView file
1import { a as NotSolanaProviderError, c as isSolanaWalletAccount, d as [redacted], f as name, i as isSolanaGasSponsorshipEnabled, l as isVersionedTransact... L2: import { t as assertBufferAvailable } from "./assertBufferAvailable-b4xOlERy.esm.js"; ... L222: outAssets: response.outAssets || [], L223: priceData: response.priceData, L224: showTotalFiat: response.showTotalFiat, ... L299: //#region [redacted].constants.ts L300: const PHANTOM_DEEPLINK_BASE_URL = "https://phantom.app/ul/v1"; L301: const PHANTOM_SESSION_STORAGE_KEY = "phantom_session"; ... L763: if (!decrypted) throw new PhantomRedirectDecryptionError(); L764: const decryptedString = getBuffer().from(decrypted).toString("utf-8"); L765: try {
Critical
Wallet Drain

Source uses private key material to transfer cryptocurrency funds.

dist/index.esm.jsView on unpkg · L1
dist/index.cjsView file
75Trigger-reachable chain: manifest.main -> dist/index.cjs L75: * This function fetches the transaction fee by compiling the transaction message L76: * and querying the network. It handles both legacy Transaction and VersionedTransaction L77: * formats and includes retry logic for network requests. ... L226: outAssets: response.outAssets || [], L227: priceData: response.priceData, L228: showTotalFiat: response.showTotalFiat, ... L303: //#region [redacted].constants.ts L304: const PHANTOM_DEEPLINK_BASE_URL = "https://phantom.app/ul/v1"; L305: const PHANTOM_SESSION_STORAGE_KEY = "phantom_session"; ... L767: if (!decrypted) throw new PhantomRedirectDecryptionError(); L768: const decryptedString = (0, _dynamic_labs_sdk_client_core.getBuffer)().from(decrypted).toString("utf-8"); L769: try {
Critical
Trigger Reachable Dangerous Capability

A package entrypoint or install-time lifecycle script reaches a source file with blocking dangerous behavior.

dist/index.cjsView on unpkg · L75

Findings

2 Critical1 Medium4 Low
CriticalWallet Draindist/index.esm.js
CriticalTrigger Reachable Dangerous Capabilitydist/index.cjs
MediumStructural Risk Force Deep Review
LowScripts Present
LowHigh Entropy Strings
LowUrl Strings
LowNo License