// the find
otter-sec/anchor
⚓ Solana Program Framework
This is otter-sec's fork of the canonical Anchor framework for Solana smart contract development. It adds security-focused tooling on top of the standard Anchor stack, notably a built-in fuzzing integration via Crucible and an interactive debugger with a TUI. It is aimed at Solana devs who want the familiar Anchor developer experience (DX) plus better program auditing and testing primitives.
- Fuzzing integration (`anchor fuzz`) backed by Crucible is a meaningful addition over upstream — coverage-guided fuzzing for Solana programs has historically required significant manual setup, and baking it into the CLI lowers that bar considerably.
- The CLI debugger module is surprisingly deep: GDB integration, a TUI, flamegraph generation, and SBPF-specific syntax highlighting suggest real engineering effort rather than a wrapper script.
- The benchmark directory (COMPUTE_UNITS.md, STACK_MEMORY.md, BINARY_SIZE.md) tracks program-level performance metrics across releases, which is useful for any program with compute budget concerns.
- CI is notably more thorough than most forks: separate workflows for attested binary builds, unpinned Docker checks, and zizmor security linting indicate the maintainers are treating this as a production artifact.
- This is a fork of the Solana Foundation's Anchor repo (the install script even pulls from `solana-foundation/anchor`), and the divergence from upstream is not clearly documented — no comparison of what's added/removed, no migration guide, making it hard to evaluate the delta.
- The fuzzing feature depends on Crucible, an external tool from asymmetric-research that has its own setup requirements and limited documentation; if Crucible changes or goes unmaintained, this feature breaks silently.
- No clear statement on how bug fixes and features from upstream Anchor get merged into this fork, or at what cadence — adopters could end up behind on critical fixes without realizing it.
- The docs-v2 content appears to be standard Anchor documentation rather than otter-sec-specific guidance, so security-specific features like the debugger and fuzzer are not well-represented in the onboarding material.