Protect Yourself Against Malicious Solana Validators: A Short Guide


Solana’s blockchain relies on validators to process transactions and keep the network secure. These participants confirm transactions and produce blocks using mechanisms like Proof of History (PoH). However, some validators may act maliciously, threatening the network’s reliability and user assets.
This guide provides clear steps to spot and avoid harmful validators. You’ll learn how to recognize malicious activities, use tools to investigate validators, and take action to protect your stakes. By staying informed, you can help maintain the network’s integrity and safety.
What Validators Do
Validators are nodes responsible for processing transactions, participating in consensus, and maintaining Solana’s blockchain. They perform these core functions in Solana's network:
1. Block production
Solana’s Proof of History leader schedule assigns each validator specific slots. When its turn arrives, the validator gathers pending transactions, checks that each transaction signature and account state is valid, assembles them into a block, and appends that block to the ledger. This continuous, time‐ordered block production keeps the chain moving at high throughput with sub‑second block times.
2. Consensus voting
After a block is produced, participating validators examine the block’s Proof of History receipts and transaction integrity. They then cast a “vote” for that block, signaling to the rest of the network that they agree it’s the next correct link. These votes accumulate to finalize the ledger: once a block receives enough votes, it’s confirmed.
3. Network security via staking
To participate, validators must lock up (stake) SOL tokens as collateral. This financial commitment aligns their incentives: honest behavior preserves their stake and earns them a share of inflation‐driven rewards, ensuring the network remains secure and decentralized.
Malicious validators threaten this system by acting against network rules.
Key Terms Explained
To ensure clarity as you read this guide, here are definitions of important terms related to validator behavior and Solana’s mechanics. These concepts will be referenced repeatedly, so come back to this section if needed:
Inclusion rate: The percentage of transactions a validator includes in the blocks it produces (vs. those it skips). Low rates (<80%) suggest intentional censorship.
Commission: The fee a validator charges delegators from staking rewards (e.g., 5% commission = validator keeps 5% of rewards).
Epoch: A ~2-3 day period on Solana where validator schedules and commission changes take effect.
Double-signing: When a validator attempts to sign conflicting blocks for the same slot. While Solana's Tower BFT and fast block times (>400ms) make this extremely difficult, it could theoretically enable double-spending (spending the same funds twice by exploiting consensus failure). Solana prevents this via:
Transaction expiration (150-block window using recent blockhashes)
Durable nonce system for pre-signed transactions.
Now, let’s continue.
Types of Malicious Activity
While Solana's design makes these attacks exceptionally difficult, understanding them helps you appreciate the network's safeguards and monitoring tools.
1. Double-signing (theoretical)
What: A validator signs two conflicting blocks at the same slot.
Why: To create chain splits (forks) or enable double-spending.
Hypothetical detection:
Check Solana transaction logs for duplicate block submissions.
Monitor validator voting history for inconsistencies.
Practical reality note
While the guide covers detection methods for completeness, actual double-signing/double-spending would require:
Circumvention of PoH and Tower BFT
Exploitation of nonce management flaws
No successful double-spend attacks have occurred on the Solana mainnet. As previously explained, Solana makes double-signing extremely difficult.
2. Transaction censorship
What: Deliberately excluding transactions from blocks.
Why: To manipulate markets or suppress specific users.
Detection:
Analyze skipped transactions in Solana Explorer (look for patterns).
Check if a validator’s inclusion rate is abnormally low (tools like Validators.app).
Compare the validator’s behavior to the network median.
3. Network attacks
What: Colluding to disrupt consensus (e.g., Sybil attacks, eclipse attacks).
Why: To stall the chain or manipulate governance.
Detection:
Monitor stake concentration (e.g., 10+ validators controlled by one entity).
Red Flags to Watch For
You don’t need deep technical skills to spot risky validators. These observable patterns often signal malicious intent:
1. Performance metrics
High downtime: Legitimate validators aim for >95% uptime.
Abnormal voting patterns: Frequent missed votes or delayed confirmations.
Sudden commission changes: Commission hikes of >10% without explanation. Unjustified fee hikes may signal exit scams.
2. On-chain behavior
Rapid stake changes: Large SOL deposits/withdrawals in short periods.
Rug pulls/exit scams: Validators suddenly shutting down after attracting delegators.
3. Off-chain reputation
No public identity or team info.
History of sanctions or bans on other networks.
Example: Spotting a Malicious Validator
A recent incident on Solana highlights a common tactic used by malicious validators: abruptly raising their commission to 100%. Here’s how it works and why it’s harmful:
The Incident
A validator (identity: HoXANZnWTG..., vote account: 4dmBLJcchy...) suddenly increased its commission rate to 100%, as shown on the StakeWiz dashboard.
This means delegators staking SOL with this validator would receive 0% of future rewards - the validator takes everything.
Why Do Validators Do This?
Steal rewards: By setting commission to 100%, the validator claims all staking rewards for itself, effectively stealing from delegators.
Exit scam: Validators may attract delegators with low fees, then suddenly hike commissions to drain funds before shutting down.
How to Protect Yourself Against Sudden Fee Hikes
Set commission alerts: Use tools like StakeWiz to monitor validators for sudden commission changes.
Check epoch timing: On Solana, commission changes take ~2-3 days (1 epoch) to activate, which gives delegators a short window to react. Unstake before the change activates.
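One way to automate both checks above, as an added example that is not part of the original guide: compare two snapshots of the `getVoteAccounts` RPC result for commission jumps, and estimate the time left in the epoch from `getEpochInfo`. The account names, snapshot values and the 0.4-second slot time are assumptions made for illustration.

```python
# Added example. All account names and numbers below are constructed sample data.
SLOT_SECONDS = 0.4    # assumption: approximate slot duration
JUMP_POINTS = 10      # the guide's ">10%" commission red flag

def commission_map(vote_accounts):
    """Map votePubkey -> commission from a getVoteAccounts result object."""
    rows = vote_accounts.get("current", []) + vote_accounts.get("delinquent", [])
    return {row["votePubkey"]: row["commission"] for row in rows}

def commission_alerts(previous, current, watched):
    """Compare two snapshots and report watched vote accounts that need attention."""
    before, after = commission_map(previous), commission_map(current)
    alerts = []
    for vote in watched:
        if vote not in after:
            # A validator that disappears entirely matches the "exit scam" pattern.
            alerts.append((vote, "no longer listed by getVoteAccounts"))
        elif vote in before and after[vote] - before[vote] > JUMP_POINTS:
            alerts.append((vote, f"commission {before[vote]}% -> {after[vote]}%"))
    return alerts

def hours_left_in_epoch(epoch_info):
    """Rough time until the epoch boundary, from a getEpochInfo result object."""
    slots_left = epoch_info["slotsInEpoch"] - epoch_info["slotIndex"]
    return slots_left * SLOT_SECONDS / 3600

# Constructed snapshots, shaped like getVoteAccounts / getEpochInfo results.
SNAPSHOT_OLD = {"current": [
    {"votePubkey": "VoteExampleA", "commission": 5},
    {"votePubkey": "VoteExampleB", "commission": 7},
    {"votePubkey": "VoteExampleC", "commission": 0}], "delinquent": []}
SNAPSHOT_NEW = {"current": [
    {"votePubkey": "VoteExampleA", "commission": 100},
    {"votePubkey": "VoteExampleB", "commission": 8}], "delinquent": []}
EPOCH_INFO = {"epoch": 700, "slotIndex": 396000, "slotsInEpoch": 432000}
WATCHED = ["VoteExampleA", "VoteExampleB", "VoteExampleC"]

if __name__ == "__main__":
    for vote, reason in commission_alerts(SNAPSHOT_OLD, SNAPSHOT_NEW, WATCHED):
        print(f"ALERT {vote}: {reason}")
    hours = hours_left_in_epoch(EPOCH_INFO)
    print(f"about {hours:.1f} h left in epoch {EPOCH_INFO['epoch']}")
```

Run on a schedule against stored snapshots, this flags the 5% to 100% jump from the incident pattern while ignoring a one-point adjustment.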
How to Avoid Malicious Validators
Protecting yourself requires proactive checks. Combine these strategies:
1. Pre-staking due diligence
Verify identities via Solana Beach and team websites.
Avoid validators with no public track record.
2. Active monitoring
Monitor the commission of the validator you chose to stake with.
Review uptime constantly.
3. Emergency response
Unstake immediately if:
Commission jumps >10% without warning.
Uptime drops below 80% for multiple epochs.
Tools to Investigate Validators
a. Solana Explorer
Check leader schedule to see if a validator is skipping blocks.
Review vote history for missed confirmations.
b. Solana Beach and Validators.app
Track uptime, commission rates, and stake distribution.
Compare validator performance against network averages.
c. RPC Methods
For developers and advanced users, Solana's RPC endpoints provide access to validator performance data:
getLeaderSchedule: Shows upcoming validator leader slots.
getBlockProduction: Contains valuable information about epoch block production.
getEpochInfo: Tracks epoch progress.
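As an added example (not code from the original guide), the script below turns a `getBlockProduction` result into per-validator slot skip rates and flags validators far above the network median. The identities and counts are constructed, and the 20-point margin and 4-slot minimum are illustrative assumptions; slot skip rate is a block-level measure, not the transaction inclusion rate defined earlier.

```python
import json
from statistics import median

def rpc_body(method, params=None):
    """JSON-RPC 2.0 request body to POST to a Solana RPC endpoint."""
    return json.dumps({"jsonrpc": "2.0", "id": 1, "method": method, "params": params or []})

def skip_rates(block_production, min_leader_slots=4):
    """identity -> fraction of assigned leader slots with no block produced.

    byIdentity maps each validator identity to [leader_slots, blocks_produced].
    Validators with very few leader slots are dropped: one miss would dominate.
    """
    rates = {}
    for identity, (leader_slots, produced) in block_production["value"]["byIdentity"].items():
        if leader_slots >= min_leader_slots:
            rates[identity] = (leader_slots - produced) / leader_slots
    return rates

def skip_outliers(rates, margin=0.20):
    """Identities whose skip rate exceeds the network median by more than margin."""
    if not rates:
        return []
    network = median(rates.values())
    return sorted(i for i, rate in rates.items() if rate - network > margin)

# Constructed sample shaped like the "result" object of getBlockProduction.
SAMPLE_PRODUCTION = {"context": {"slot": 1000}, "value": {
    "byIdentity": {
        "IdentityExampleA": [100, 98],
        "IdentityExampleB": [80, 76],
        "IdentityExampleC": [120, 60],   # skipped half of its leader slots
        "IdentityExampleD": [2, 0],      # too few slots to judge
        "IdentityExampleE": [40, 39],
    },
    "range": {"firstSlot": 0, "lastSlot": 1000}}}

if __name__ == "__main__":
    print("request:", rpc_body("getBlockProduction"))
    rates = skip_rates(SAMPLE_PRODUCTION)
    print(f"network median skip rate: {median(rates.values()):.2%}")
    for identity in skip_outliers(rates):
        print(f"REVIEW {identity}: skip rate {rates[identity]:.0%}")
```

A high skip rate can also come from hardware or network trouble, so treat a flagged validator as a prompt to check its history on the tools above before moving stake.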
Reporting Malicious Actors
Submit evidence (logs, screenshots) to Solana Foundation.
Alert the community via Discord or Twitter.
Key Takeaway
Always stake with validators that have:
Transparent fee structures (e.g., clear commission history).
Auditable reputations.
Active team & community engagement (e.g., Discord, Twitter).
Final Note: Solana’s security relies on collective vigilance. By auditing validators, setting alerts, and reporting bad actors, you help protect the network for everyone.
