Soroban Contract State Management
ID: fe83f7df-dfad-5160-8355-6dda9a568f5d
STIX ID: report--fe83f7df-dfad-5160-8355-6dda9a568f5d
Feed Name: CertiK Blog
This CertiK research analyzes Soroban (Stellar) smart contract storage and demonstrates three primary security risks: storing critical data in Temporary storage (leading to permanent data loss), relying on ledger TTL expiry as a security boundary (allowing anyone to extend TTL and keep stale nonces/signatures valid), and contract storage bloat attacks that exhaust per-entry limits and cause DoS. The report includes PoC contracts and commands, root-cause analysis, and practical mitigation guidance (use persistent/instance storage, enforce in-contract expirations, shard state across keys, and adopt proactive TTL-extension strategies).
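As an added illustration of the first two findings summarised above (this is not code from the CertiK report and not soroban_sdk code): a small in-memory Rust model of Soroban ledger-entry durability and TTL. The `Ledger`, `Allowance`, `extend_ttl`, `restore` and scenario functions are invented for the example; they mimic the protocol rules that a Temporary entry is deleted outright when its TTL runs out, a Persistent entry is archived and can be restored, and any account can extend any live entry's TTL without the contract's code or authorization running. The storage-bloat finding is not modelled.

```rust
// Added example, not from the CertiK report: a toy model of Soroban entry
// lifetimes, used to show why "the entry still exists" is not a validity
// check and how an in-contract expiry ledger fixes it.
use std::collections::HashMap;

#[derive(Clone, Copy, PartialEq, Eq, Debug)]
pub enum Durability {
    Temporary,  // deleted for good once its TTL runs out
    Persistent, // archived once its TTL runs out; restorable later
}

#[derive(Clone, Debug, PartialEq, Eq)]
pub struct Allowance {
    pub amount: u64,
    /// Last ledger at which the grant is valid, enforced by contract code.
    /// None models the vulnerable pattern that relies on TTL expiry alone.
    pub expires_at: Option<u32>,
}

#[derive(Clone, Debug)]
struct Entry {
    value: Allowance,
    durability: Durability,
    live_until: u32,
}

#[derive(Default)]
pub struct Ledger {
    pub sequence: u32,
    live: HashMap<String, Entry>,
    archived: HashMap<String, Entry>,
}

impl Ledger {
    pub fn put(&mut self, key: &str, value: Allowance, durability: Durability, ttl: u32) {
        let live_until = self.sequence + ttl;
        self.live.insert(key.to_string(), Entry { value, durability, live_until });
    }

    pub fn get(&self, key: &str) -> Option<&Allowance> {
        self.live.get(key).map(|e| &e.value)
    }

    /// Models the extendFootprintTtl operation (hypothetical simplification):
    /// anyone can pay to extend a live entry; no contract logic is involved.
    pub fn extend_ttl(&mut self, key: &str, extend_to: u32) {
        if let Some(e) = self.live.get_mut(key) {
            e.live_until = e.live_until.max(self.sequence + extend_to);
        }
    }

    /// Close `n` ledgers and apply the expiry rule for each durability.
    pub fn advance(&mut self, n: u32) {
        self.sequence += n;
        let seq = self.sequence;
        let expired: Vec<String> =
            self.live.iter().filter(|(_, e)| e.live_until < seq).map(|(k, _)| k.clone()).collect();
        for k in expired {
            let e = self.live.remove(&k).unwrap();
            if e.durability == Durability::Persistent {
                self.archived.insert(k, e); // Temporary entries are simply gone
            }
        }
    }

    /// Models RestoreFootprint: only archived Persistent entries come back.
    pub fn restore(&mut self, key: &str, ttl: u32) -> bool {
        match self.archived.remove(key) {
            Some(mut e) => {
                e.live_until = self.sequence + ttl;
                self.live.insert(key.to_string(), e);
                true
            }
            None => false,
        }
    }
}

/// Vulnerable check: treats "entry is still live" as "grant is still valid".
pub fn allowance_valid_ttl_only(ledger: &Ledger, key: &str) -> bool {
    ledger.get(key).is_some()
}

/// Hardened check: the contract compares its own stored expiry against the
/// current ledger, so a TTL extension by a third party cannot revive the grant.
pub fn allowance_valid_checked(ledger: &Ledger, key: &str) -> bool {
    match ledger.get(key) {
        Some(a) => a.expires_at.map_or(false, |exp| ledger.sequence <= exp),
        None => false,
    }
}

/// A 10-ledger grant that an attacker keeps alive with extend_ttl.
/// Returns (vulnerable_check, hardened_check) as seen at ledger 50.
pub fn stale_grant_scenario() -> (bool, bool) {
    let mut l = Ledger::default();
    l.put("allow:vuln", Allowance { amount: 100, expires_at: None }, Durability::Temporary, 10);
    l.put("allow:safe", Allowance { amount: 100, expires_at: Some(l.sequence + 10) }, Durability::Temporary, 10);
    l.advance(5);
    l.extend_ttl("allow:vuln", 100); // attacker: no authorization needed
    l.extend_ttl("allow:safe", 100);
    l.advance(45); // ledger 50, far past the intended 10-ledger window
    (allowance_valid_ttl_only(&l, "allow:vuln"), allowance_valid_checked(&l, "allow:safe"))
}

/// The same record in Temporary vs Persistent storage after its TTL expires.
/// Returns (temporary_recoverable, persistent_recoverable).
pub fn data_loss_scenario() -> (bool, bool) {
    let mut l = Ledger::default();
    let cfg = Allowance { amount: 1, expires_at: None };
    l.put("cfg:temp", cfg.clone(), Durability::Temporary, 10);
    l.put("cfg:pers", cfg, Durability::Persistent, 10);
    l.advance(11);
    (l.restore("cfg:temp", 10), l.restore("cfg:pers", 10))
}

fn main() {
    println!("stale grant (vuln, hardened): {:?}", stale_grant_scenario());
    println!("recoverable (temp, persistent): {:?}", data_loss_scenario());
}
```

The point of the two scenarios is the one the summary makes: the vulnerable check still accepts the grant at ledger 50 because the entry was kept alive, while the hardened check rejects it from its own `expires_at`; and the Temporary copy of the config is unrecoverable after expiry while the Persistent copy can be restored. In a real contract the expiry comparison would use `env.ledger().sequence()` or `env.ledger().timestamp()`, and critical state would go in persistent or instance storage with the contract proactively extending its TTL.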
