$2.6 Billion Bug in Solana Program Library Disclosed: Details

In their latest blog post, crypto security researchers from Neodyme shared the design of an attack that may be profitable for "expensive" tokens integrated into Solana (SOL) ecosystem.

"One Lambo per hour"

As per the announcement shared in Neodyme's social network and blog, its members noticed a bug in the token-lending contract of the Solana Program Library. As such, it affected numerous Solana-based DeFi protocols.

We recently discovered a critical bug in the token-lending contract of the solana-program-library (SPL). This blog post details our journey from discovery, through exploitation and coordinated disclosure, and finally the fix.

HOT Stories

Morning Crypto Report: XRP to $4.20 Not a Dream, New Ethereum Hard Fork Game-Changer, Bitcoin Faces Worrying $111 Million Sale

Solana Shades XRP: 'There Is No Bridge Currency'

This Bitcoin (BTC) Fakeout Can Destroy $100,000, Will Dogecoin (DOGE) Add Zero? XRP Getting Squeezed

XRP vs Bitcoin: Fight or Flight, Dogecoin Volume Jumps 62% as DOGE Price Eyes Rally, Shiba Inu to Add Zero If History Repeats — Crypto News Digest

— Neodyme (@Neodyme) December 3, 2021

Aggregated total value locked (TVL) at risk was over $2,600,000,000. The design of the hypothetical attack was quite simple: while depositing n fractional tokens, a user is able to withdraw n+1 fractional tokens.

With Solana's native token, SOL, it will not be effective economically, as 1 Lamport (the smallest fraction of SOL, like Satoshi for Bitcoin, Wei for Ether and Drop for XRP) is only worth about $0.000000220.

However, for Ether and Bitcoin, this scenario can be very profitable. With some technical upgrades, the attack can be executed about 300 times per second. In this case, losses can be dramatic:

We can get this transaction included about 300 times per second, stealing $7500 per second or about $27 million an hour (that is one Lamborghini Huracan every minute).

Bug fixed

In automated mode, this attack becomes profitable even for FTT and RAY tokens.

On Dec. 2-4, Neodyme's representatives contacted a number of decentralized finance protocols (DeFis) on Solana, e.g., Larix, Solend, Tulip, Accumen, Soda and so on.

All teams fixed the bugs in their architecture. Yesterday, software engineer Jordan Audet-Sexton shared in GitHub that the issue is fixed in Solana's main codebase as well.