A bug in the Solana library potentially allowed to steal $27 million an hour

The bug went unnoticed for six months

06.12.2021 - 14:15

726

1 min

What’s new? The Neodyme experts discovered that due to the bug in one of the Solana Protocol Program Library (SPL) the potential scammers could steal funds from the DeFi projects at a rate of $27 million per hour.

We recently discovered a critical bug in the token-lending contract of the solana-program-library (SPL). This blog post details our journey from discovery, through exploitation and coordinated disclosure, and finally the fix.— Neodyme (@Neodyme) December 3, 2021

Which projects were under threat? The Tulip Protocol (TULIP) yield aggregator and the Solend (SLND) and Larix lending protocols could have been the most vulnerable.

The Neodyme experts noted that the bug was first identified by one of Solana's auditors, back in June. However, he probably considered it insignificant, and as a result, the library continued to function with the bug for six months. On December 1, the auditor noticed that the vulnerability had not been fixed yet, and asked the Neodyme experts to run testing.

What conclusions did Neodyme come to? After the experts did their research, they discovered that the bug could have caused a multi-million dollar loss. They contacted the Solana Foundation and 8 projects that should have noticed the impact of the bug in their work. It turned out that some of them had already removed it, and Solana Labs had fixed the help documentation.

Author: