registry  /  @dynamic-labs-sdk/solana  /  1.17.0

@dynamic-labs-sdk/solana@1.17.0

⚠ Under review

This package contains the Solana (SVM) integration for the Dynamic SDK.

Static Scan Results

scanned 12d ago · by rust-scanner

Static analysis flagged 7 finding(s) at 86.0% confidence. This version is warn-only unless an AI or security-team review confirms malicious behavior.

Static reason
High-risk behavior combination matched malicious policy.

Decision evidence

public snapshot
Behavioral surface
Source
Crypto
Supply chain
HighEntropyStringsUrlStrings
Manifest
NoLicense
scanned 21 file(s), 225 KB of source, external domains: phantom.app

Source & flagged code

2 flagged · loading source
dist/index.esm.jsView file
1import { a as NotSolanaProviderError, c as isSolanaWalletAccount, d as [redacted], f as name, i as isSolanaGasSponsorshipEnabled, l as isVersionedTransact... L2: import { t as assertBufferAvailable } from "./assertBufferAvailable-b4xOlERy.esm.js"; ... L191: outAssets: response.outAssets || [], L192: priceData: response.priceData, L193: showTotalFiat: response.showTotalFiat, ... L268: //#region [redacted].constants.ts L269: const PHANTOM_DEEPLINK_BASE_URL = "https://phantom.app/ul/v1"; L270: const PHANTOM_SESSION_STORAGE_KEY = "phantom_session"; ... L382: if (!decrypted) throw new PhantomRedirectDecryptionError(); L383: const decryptedString = getBuffer().from(decrypted).toString("utf-8"); L384: try {
Critical
Wallet Drain

Source uses private key material to transfer cryptocurrency funds.

dist/index.esm.jsView on unpkg · L1
dist/index.cjsView file
57Trigger-reachable chain: manifest.main -> dist/index.cjs L57: * This function fetches the transaction fee by compiling the transaction message L58: * and querying the network. It handles both legacy Transaction and VersionedTransaction L59: * formats and includes retry logic for network requests. ... L195: outAssets: response.outAssets || [], L196: priceData: response.priceData, L197: showTotalFiat: response.showTotalFiat, ... L272: //#region [redacted].constants.ts L273: const PHANTOM_DEEPLINK_BASE_URL = "https://phantom.app/ul/v1"; L274: const PHANTOM_SESSION_STORAGE_KEY = "phantom_session"; ... L386: if (!decrypted) throw new PhantomRedirectDecryptionError(); L387: const decryptedString = (0, _dynamic_labs_sdk_client_core.getBuffer)().from(decrypted).toString("utf-8"); L388: try {
Critical
Trigger Reachable Dangerous Capability

A package entrypoint or install-time lifecycle script reaches a source file with blocking dangerous behavior.

dist/index.cjsView on unpkg · L57

Findings

2 Critical1 Medium4 Low
CriticalWallet Draindist/index.esm.js
CriticalTrigger Reachable Dangerous Capabilitydist/index.cjs
MediumStructural Risk Force Deep Review
LowScripts Present
LowHigh Entropy Strings
LowUrl Strings
LowNo License