Ethereum vs Solana: How Execution Models Shape Smart Contract Bugs

When comparing smart contract ecosystems, it is tempting to focus only on the visible differences: Ethereum vs Solana, Solidity vs Rust, fees, speed, developer experience… But from a security researcher’s perspective, the most important difference is the execution model underneath: the set of rules, constraints and assumptions that define how code interacts with state, value and permissions.
At a high level, programmable blockchains share a common goal. They allow code to define and enforce rules over digital value. A lending protocol defines when debt is safe or unsafe. A vault defines how assets and shares should relate to each other. A DEX defines how liquidity, prices and fees move over time. In all of these cases, the promise is similar: rules should execute deterministically, transparently and without relying on a central operator.
That also means that some security questions are universal. If the business logic is wrong, the protocol is vulnerable regardless of the blockchain it runs on. Broken accounting, incorrect permission logic, unsafe liquidation rules or inconsistent share calculations can exist in any ecosystem. Before thinking about the virtual machine, the language or the runtime, a security researcher still has to ask whether the protocol does what it claims to do.
But those rules do not exist in isolation. They are written in a specific programming language, compiled or interpreted for a specific execution environment, and executed under a specific set of assumptions. That environment defines what state means, how it is accessed, how execution is ordered, what resources are explicit, and which guarantees are provided by the system rather than by the developer.
This is where virtual machines and runtimes become important. They are not just implementation details. They define the world in which smart contracts live. Ethereum and Solana both allow developers to build decentralized applications, but they expose those developers to different realities. In Ethereum, this environment is usually discussed through the Ethereum Virtual Machine, or EVM. In Solana, the equivalent mental layer is better understood as the Solana runtime and its account-based execution model.
This difference matters because many vulnerabilities are not just mistakes inside isolated functions. They come from a mismatch between the logic written by the developer and the guarantees actually provided by the environment where that logic runs.
That is why Solidity on the EVM and Rust on Solana lead to different security mindsets. To see this more clearly, it is useful to look at each ecosystem not as a collection of isolated technologies, but as a different way of organizing state, execution and trust.
The EVM: A Shared Ledger With Rules

The EVM gives developers a relatively uniform model for building smart contracts. A contract has code, storage, a balance, and functions that can be called through transactions. Each transaction is executed in a deterministic order, and every state change becomes part of a shared history.
Solidity is the most common language used to write those contracts. It was designed specifically around Ethereum and the EVM, which makes the interaction between developer and virtual machine much easier to reason about. Developers do not usually need to think about every low-level detail of execution. Instead, Solidity gives them a higher-level way to define rules over state, value and permissions.
This is what makes the EVM feel like a shared ledger with programmable rules.
A protocol defines how its own section of that ledger should evolve over time. A lending market tracks collateral, debt and health factors. A vault tracks assets and shares. An AMM tracks liquidity, reserves and fees. An access-control system tracks who is allowed to modify sensitive state.
From a security perspective, the key question is not only whether each function looks correct in isolation. The deeper question is whether every allowed interaction preserves the protocol’s invariants as the ledger changes.
This is why many EVM vulnerabilities are connected to state transitions. Reentrancy, broken accounting, rounding asymmetries, stale oracle assumptions, flawed access control or upgradeability mistakes are not just isolated bug categories. They are different ways in which the rules written by the protocol fail to preserve the intended state of its internal book.
The abstraction is powerful. Solidity and the EVM allow developers to build complex financial systems without manually handling every low-level resource. But that also means that a large part of EVM security comes down to checking whether the protocol’s internal ledger remains consistent under every possible sequence of calls.
Solana: Explicit Accounts, Authorities And Resources

Solana gives developers a different model for building on-chain programs. Instead of thinking mainly in terms of contracts with their own internal storage, Solana programs operate over accounts that are passed into each instruction.
A Solana program contains logic, but the state lives in separate accounts. Those accounts can hold data, lamports, ownership information, signer permissions and writable permissions. This means that, before executing the business logic, the program must make sure that the accounts it received are the accounts it actually expects.
Rust is commonly used to write Solana programs. Unlike Solidity, Rust was not created specifically for one blockchain virtual machine. It is a systems programming language, closer to low-level resource management, memory layout and explicit control. In Solana, this fits naturally with a model where the developer must reason carefully about accounts, ownership, permissions and data structures.
This makes Solana feel less like writing rules inside a shared ledger, and more like managing a set of explicit resources inside an execution context.
A lending protocol still tracks collateral, debt and liquidations. A vault still tracks assets and shares. A DEX still tracks liquidity, prices and fees. The financial logic does not disappear. But in Solana, that logic is surrounded by another critical layer: verifying that every account, authority and resource involved in the instruction is the correct one.
From a security perspective, the key question is not only whether the protocol’s invariants are preserved. The deeper question is also whether the program is operating on the right accounts, with the right permissions, owned by the right programs, and connected to each other in the intended way.
This is why many Solana vulnerabilities are connected to account validation and execution context. Missing signer checks, missing owner checks, incorrect PDA validation, account substitution, wrong authority binding or unsafe account lifecycle assumptions are not just isolated bug categories. They are different ways in which the program trusts a context that does not actually match its assumptions.
The flexibility is powerful. Solana’s model allows programs to work with explicit accounts and resources in a highly performant environment. But that also means that a large part of Solana security comes down to checking whether the execution context is authentic, correctly constrained and impossible for an attacker to reshape.
Conclusion
Both Ethereum and Solana programs can implement the same kind of financial logic. If that business logic is wrong, the protocol is vulnerable regardless of the blockchain it runs on. But each execution model adds its own layer of assumptions.
On the EVM, the main abstraction is a contract modifying persistent storage through ordered transactions. This pushes many security questions toward state transitions: whether the protocol’s internal accounting remains consistent, whether permissions evolve correctly, whether value and shares move together, and whether different routes through the system preserve the same invariants.
On Solana, those same logical questions still exist, but they are surrounded by a more explicit execution context. The program must reason not only about what the logic does, but also about which accounts were provided, who owns them, who signed, which accounts are writable, whether the expected PDA was used, and whether the accounts are connected to each other in the intended way.
In other words, logical bugs are universal, but execution-model bugs are shaped by the ecosystem. Auditing smart contracts is not just reading code. It is understanding the world in which that code executes.


