Demo report

SplitSafe Pay — Launch readiness review

Solana group expense and settlement app with AI-powered receipt scanning, Wallet Adapter, and Supabase backend. Generated by LaunchGuard Solana on 4/29/2025, 2:25:01 PM.

Launch readiness: 58 / 100 · Risky — fix critical issues

Risky — fix critical issues before mainnet launch.

4 blockers · 7 should fix · 1 nice to fix

Web3 risk radar

Per-category readiness across the Solana attack surface.

  • Solana Program Security: 85 / 100 (1 blocker · 0 should fix · 0 nice)
  • Wallet & Transaction Safety: 76 / 100 (1 blocker · 1 should fix · 0 nice)
  • API Protection: 70 / 100 (1 blocker · 1 should fix · 0 nice)
  • Database & RLS: 94 / 100 (0 blockers · 1 should fix · 0 nice)
  • Secrets Protection: 70 / 100 (1 blocker · 0 should fix · 0 nice)
  • AI Endpoint Safety: 93 / 100 (0 blockers · 1 should fix · 0 nice)
  • Payment Safety: 100 / 100 (0 blockers · 0 should fix · 0 nice)
  • Dependency Health: 94 / 100 (0 blockers · 1 should fix · 0 nice)

Mainnet readiness

Risky (58 / 100). Resolve the blocker list before mainnet — Shannon-confirmed exploits are present.

Blockers (4) · Required before mainnet
  • P0 · Critical · Shannon confirmed · Supabase service role key pattern detected in frontend bundle
  • P0 · Critical · Shannon: not applicable · Missing signer validation in Anchor instruction
  • P0 · High · Shannon confirmed · API route allows expense update without workspace authorization
  • P0 · High · Shannon confirmed · Wallet ownership checked only in frontend
Should fix (7) · Required before beta
  • P1 · High · Shannon: not applicable · Transaction amount trusted from client input
  • P2 · Medium · Shannon confirmed · No rate limit on AI receipt endpoint
  • P2 · Medium · Needs review · Vulnerable next dependency in lockfile
  • P2 · Medium · Needs review · Missing security headers in Vercel/Next.js config
  • …and 3 more
Nice to fix (1) · Polish and best practice
  • P3 · Low · Shannon confirmed · Error messages reveal internal database details
Top risk categories
Wallet & Transaction (2) · Secrets (1) · Solana Program (1) · API Protection (1) · AI Endpoint (1)
Suggested next action

Resolve every P0 in the Blockers list, then re-run the Enterprise Full Audit with Shannon authorized.

Top findings

12 normalized findings

P0 · Critical · Secrets · Shannon confirmed · Confidence: Very High · Fix available

Supabase service role key pattern detected in frontend bundle

TruffleHog actively verified that a Supabase service role key is reachable from the browser bundle. The actual key is not displayed by LaunchGuard. Rotate immediately and move it to a server-only env var.

app/lib/supabase-public.ts
Detected by TruffleHog, Gitleaks, LaunchGuard DeepSec · Verified by TruffleHog

P0 · Critical · Solana Program · Shannon: not applicable · Confidence: Very High · Fix available

Missing signer validation in Anchor instruction

An attacker could call this on-chain instruction without proving they are the actual member, letting them settle expenses on behalf of someone else.

programs/splitsafe_pay/src/instructions/settle.rs · Program: splitsafe_pay
Detected by LaunchGuard DeepSec

P0 · High · API Protection · Shannon confirmed · Confidence: Very High · Fix available

API route allows expense update without workspace authorization

Any authenticated user can update any expense, including expenses from other workspaces. Shannon validated this live against the staging URL.

app/api/expenses/[id]/route.ts · PATCH /api/expenses/[id]
Detected by LaunchGuard, Semgrep, DeepSec · Verified by Shannon

P0 · High · Wallet & Transaction · Shannon confirmed · Confidence: Very High · Fix available

Wallet ownership checked only in frontend

The app verifies wallet ownership in the browser but not on the server. Anyone who bypasses the UI and calls the API directly can claim a wallet they do not control.

app/api/groups/[groupId]/members/route.ts · POST /api/groups/[groupId]/members
Detected by LaunchGuard, Semgrep, DeepSec · Verified by Shannon

P1 · High · Wallet & Transaction · Shannon: not applicable · Confidence: High · Fix available

Transaction amount trusted from client input

The amount paid is taken from the request body without being checked against the expense stored in the database, so a modified request can underpay or overpay.

app/api/expenses/settle/route.ts · POST /api/expenses/settle
Detected by LaunchGuard, Semgrep, DeepSec

P2 · Medium · AI Endpoint · Shannon confirmed · Confidence: Very High · Fix available

No rate limit on AI receipt endpoint

Attackers can spam the AI receipt endpoint and run up your provider bill. Shannon issued a small authorized burst and the endpoint accepted every request without throttling.

app/api/ai/scan-receipt/route.ts · POST /api/ai/scan-receipt
Detected by LaunchGuard, Semgrep, DeepSec · Verified by Shannon

Engine confidence matrix

Rows are findings, columns are engines. Green check = verified live, dot = detected, dash = not applicable.

Engine columns: LG · SG · NJS · TH · GL · OSV · TRV · DS · SH

Findings (rows):
  • Supabase service role key pattern detected in frontend bundle · app/lib/supabase-public.ts
  • Missing signer validation in Anchor instruction · programs/splitsafe_pay/src/instructions/settle.rs
  • API route allows expense update without workspace authorization · app/api/expenses/[id]/route.ts
  • Wallet ownership checked only in frontend · app/api/groups/[groupId]/members/route.ts
  • Transaction amount trusted from client input · app/api/expenses/settle/route.ts
  • No rate limit on AI receipt endpoint · app/api/ai/scan-receipt/route.ts
  • Vulnerable next dependency in lockfile · pnpm-lock.yaml
  • Missing security headers in Vercel/Next.js config · next.config.mjs
  • Supabase RLS missing on expenses table · supabase/migrations/0001_init.sql
  • Error messages reveal internal database details · app/api/expenses/route.ts
  • Dockerfile runs container as root user · Dockerfile
  • SSRF: user-controlled URL passed to fetch / http.request · app/api/proxy/route.ts

App map

Solana group expense and settlement app

Workflows
  • Sign in with email + connect Solana wallet
  • Create a group and invite members
  • Add expense (manual or via AI receipt scan)
  • Settle balances on-chain via SPL token transfers
  • Export monthly statements
Wallet flows
  • Solana Wallet Adapter (Phantom, Backpack, Solflare)
  • Sign-in with Solana (SIWS) for session establishment
  • Custodial signer for batched settlements
API routes
  • POST /api/groups
  • PATCH /api/expenses/[id]
  • POST /api/expenses/settle
  • POST /api/ai/scan-receipt
  • GET /api/reports/monthly
Highest-risk areas
  • Frontend bundle (verified Supabase service-role key exposure)
  • settle_expense Anchor instruction (signer + amount)
  • PATCH /api/expenses/[id] (cross-tenant)
  • POST /api/ai/scan-receipt (cost abuse)

Threat model

SplitSafe Pay lets small groups split expenses, scan receipts with AI, and settle balances on Solana through a shared on-chain ledger.

Main assets
  • Member wallet pubkeys and signatures
  • Group expense data
  • Solana program authority
  • Custodial signer keypair (server-only)
  • Supabase service role key (server-only)
Top abuse cases
  • Cross-tenant tampering: An attacker uses a valid session in workspace A to read or modify rows from workspace B by guessing IDs.
  • AI receipt cost abuse: An abuser hammers the AI receipt endpoint to drive up provider cost or trigger denial-of-wallet.
  • Settlement amount manipulation: A user submits a smaller amount in the settlement request than the original expense.
  • Service-role key abuse: A leaked Supabase service-role key gives an attacker full read/write to every row, bypassing RLS.
Recommended controls
  • Rotate the Supabase service-role key and move it to server-only env
  • Add Anchor Signer + has_one constraints across all financial instructions
  • Enforce workspace_id checks in every API route plus matching Supabase RLS policies
  • Implement signed-nonce wallet ownership verification
  • Add Upstash/Redis rate limiter on AI endpoints with per-workspace daily quotas
  • Add canonical security headers (HSTS, X-Frame-Options, X-Content-Type-Options)

Disclaimer: Authorized scan only. LaunchGuard Solana is a launch-readiness review and is not a full formal penetration test or a certified smart contract audit. Pair with a dedicated audit firm before mainnet for institutional assurance.