At least $2.6 billion was exposed and could have been lost across Solana's ecosystem if a recently fixed bug had not been caught.
According to security researchers at Neodyme, a bug in the Solana Program Library (SPL) would have let attackers drain funds from various Solana projects at a rate of about $27 million an hour.
Potential targets included the Tulip Protocol and the Solend, Soda and Larix lending protocols, all with a total value locked (TVL) in the millions.
We recently discovered a critical bug in the token-lending contract of the solana-program-library (SPL). This blog post details our journey from discovery, through exploitation and coordinated disclosure, and finally the fix.
— Neodyme (@Neodyme) December 3, 2021
one lambo per hour
The security company said the bug was publicly disclosed by one of Neodyme's auditors, known as Simon, on GitHub in June. At the time, the researchers did not know whether it was exploitable or how large an impact it could have.
Last week the researcher noticed that the problem still had not been fixed, so he began testing whether the bug could be exploited and how serious it was.
According to Neodyme, the bug was an "apparently innocuous rounding error", yet they found it had the potential to steal a fortune.
Simply put, Solana lending apps have a mechanism for depositing and withdrawing funds. Protocols that followed the SPL reference code rounded the amount paid out to the nearest whole unit at the point of withdrawal, instead of rounding down.
So, depending on how a transaction was sized, a withdrawer could end up with an extra fraction of a token. Each fraction is tiny, but someone who exploited the problem repeatedly could make off with significant amounts of money.
After several tests, the researchers estimated that they could trigger the bug 150 to 200 times in a single transaction and pack many such transactions into a single block. They concluded that exploitation could drain funds at a rate of $7,500 per second, or one Lambo per hour.
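To make the rounding problem concrete, here is a small Rust model of a lending pool whose withdrawal path rounds to the nearest whole unit, next to the same pool rounding down. This is an added example written for this article, not Neodyme's proof of concept and not the SPL token-lending code; the `Pool` structure, the `split_redeem` chunking strategy and all the numbers are constructed assumptions chosen to show the effect. An attacker who holds shares redeems them in small chunks sized so that each chunk's exact value has a fractional part of at least one half, collecting up to half a base unit per chunk at the expense of the other depositors; with rounding down, the same strategy can never pay out more than the shares are worth. The per-chunk gain is capped at half a unit, which is why the attack has to be repeated hundreds of times per transaction to matter.

```rust
/// Rounding applied when converting pool shares (collateral) back into the
/// underlying token on withdrawal.
#[derive(Clone, Copy, Debug, PartialEq, Eq)]
pub enum Rounding {
    /// Round down: a withdrawer never receives more than the shares are worth.
    Floor,
    /// Round half up: a withdrawer can receive up to half a unit more than the
    /// shares are worth. This is the behaviour the article describes.
    Nearest,
}

/// Simplified lending reserve (an assumption for this example, not the SPL
/// data layout): `liquidity` base units of the token back `collateral_supply`
/// shares. Borrows and interest are left out; the rounding bug does not need them.
#[derive(Clone, Debug, PartialEq, Eq)]
pub struct Pool {
    pub liquidity: u128,
    pub collateral_supply: u128,
}

impl Pool {
    /// Underlying owed for `collateral` shares under the chosen rounding.
    /// The exact value is collateral * liquidity / collateral_supply.
    pub fn collateral_to_liquidity(&self, collateral: u128, rounding: Rounding) -> u128 {
        let num = collateral * self.liquidity;
        let den = self.collateral_supply;
        match rounding {
            Rounding::Floor => num / den,
            // Adding den/2 before dividing rounds half up.
            Rounding::Nearest => (num + den / 2) / den,
        }
    }

    /// Would redeeming `k` shares right now round upward? True when the
    /// remainder of the exact division is at least half the divisor.
    pub fn rounds_up(&self, k: u128) -> bool {
        let rem = (k * self.liquidity) % self.collateral_supply;
        rem * 2 >= self.collateral_supply
    }

    /// Burn `collateral` shares and pay out the corresponding liquidity.
    pub fn redeem(&mut self, collateral: u128, rounding: Rounding) -> u128 {
        assert!(collateral <= self.collateral_supply, "more shares than exist");
        let out = self.collateral_to_liquidity(collateral, rounding);
        self.liquidity -= out;
        self.collateral_supply -= collateral;
        out
    }
}

/// Result of a split redemption: what the withdrawer was paid versus the exact
/// value of the shares at the start, kept as the fraction fair_num / fair_den
/// so that no rounding creeps into the comparison.
#[derive(Debug, PartialEq, Eq)]
pub struct Outcome {
    pub received: u128,
    pub fair_num: u128,
    pub fair_den: u128,
    pub chunks: u32,
}

impl Outcome {
    /// True if the withdrawer got strictly more than the shares were worth.
    pub fn overpaid(&self) -> bool {
        self.received * self.fair_den > self.fair_num
    }
}

/// An attacker holding `holding` shares redeems them in the smallest chunks
/// (at most `max_chunk` shares each) that the current exchange rate rounds in
/// their favour, falling back to a full chunk if none does. Under `Nearest`
/// every favourable chunk costs the remaining depositors up to half a unit.
pub fn split_redeem(pool: &mut Pool, holding: u128, max_chunk: u128, rounding: Rounding) -> Outcome {
    let fair_num = holding * pool.liquidity;
    let fair_den = pool.collateral_supply;
    let mut remaining = holding;
    let mut received = 0;
    let mut chunks = 0;
    while remaining > 0 {
        let limit = remaining.min(max_chunk);
        let k = (1..=limit).find(|&k| pool.rounds_up(k)).unwrap_or(limit);
        received += pool.redeem(k, rounding);
        remaining -= k;
        chunks += 1;
    }
    Outcome { received, fair_num, fair_den, chunks }
}

fn main() {
    // Constructed numbers: 1.5 units of underlying per share, attacker owns 1%.
    for rounding in [Rounding::Nearest, Rounding::Floor].iter().copied() {
        let mut pool = Pool { liquidity: 1_500_000, collateral_supply: 1_000_000 };
        let o = split_redeem(&mut pool, 10_000, 1_000, rounding);
        println!("{:?}: received {} for shares worth {}/{} in {} chunks, overpaid={}",
            rounding, o.received, o.fair_num, o.fair_den, o.chunks, o.overpaid());
    }
}
```

The conservative direction is the one the fix restores: a reserve should round against whoever is withdrawing (floor on the way out), and any test of a share-to-token conversion should assert that the sum of many partial redemptions never exceeds the value of one redemption of the whole amount.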
After establishing how serious the issue was, the security company contacted several Solana projects that could be affected by the bug.
Solana also corrected the reference implementation so that new projects building on the SPL would not reintroduce the bug.