A bug in the Solana library potentially allowed to steal $27 million an hour
The bug went unnoticed for six months
06.12.2021 - 14:15
556
1 min
0
.
What’s new? The Neodyme experts discovered that due to the bug in one of the Solana Protocol Program Library (SPL) the potential scammers could steal funds from the DeFi projects at a rate of $27 million per hour.
We recently discovered a critical bug in the token-lending contract of the solana-program-library (SPL). This blog post details our journey from discovery, through exploitation and coordinated disclosure, and finally the fix.— Neodyme (@Neodyme) December 3, 2021
Which projects were under threat? The Tulip Protocol (TULIP) yield aggregator and the Solend (SLND) and Larix lending protocols could have been the most vulnerable.
The Neodyme experts noted that the bug was first identified by one of Solana's auditors, back in June. However, he probably considered it insignificant, and as a result, the library continued to function with the bug for six months. On December 1, the auditor noticed that the vulnerability had not been fixed yet, and asked the Neodyme experts to run testing.
What conclusions did Neodyme come to? After the experts did their research, they discovered that the bug could have caused a multi-million dollar loss. They contacted the Solana Foundation and 8 projects that should have noticed the impact of the bug in their work. It turned out that some of them had already removed it, and Solana Labs had fixed the help documentation.
Useful material?
Market
Funds can be seized by law enforcers due to links to illegal activity
Apr 26, 2024
Market
Tether Finance division will be responsible for the issuance and redemption of USDT stablecoins
Apr 18, 2024
Trends
The first project introduced on the platform will be BounceBit (BB)
Apr 18, 2024
Business
The rate exchange of the native ACH token reacted with a 10% increase
Apr 18, 2024
Market
Miners are hunting for the first block after halving as the value of the first satoshi could exceed $1 million
Apr 18, 2024
Market
The platform will be non-custodial and accessible to everyone
Apr 15, 2024