$2.6 Billion Bug in Solana Program Library Disclosed: Details
In their latest blog post, crypto security researchers from Neodyme shared the design of an attack that may be profitable for "expensive" tokens integrated into the Solana (SOL) ecosystem.
"One Lambo per hour"
According to the announcement shared on Neodyme's social media account and blog, its members noticed a bug in the token-lending contract of the Solana Program Library (SPL). As a result, it affected numerous Solana-based DeFi protocols.
We recently discovered a critical bug in the token-lending contract of the solana-program-library (SPL). This blog post details our journey from discovery, through exploitation and coordinated disclosure, and finally the fix.
— Neodyme (@Neodyme) December 3, 2021
Aggregated total value locked (TVL) at risk was over $2,600,000,000. The design of the hypothetical attack was quite simple: while depositing n fractional tokens, a user is able to withdraw n+1 fractional tokens.
With Solana's native token, SOL, the attack would not be economically worthwhile, as 1 Lamport (the smallest fraction of SOL, like Satoshi for Bitcoin, Wei for Ether and Drop for XRP) is only worth about $0.000000220.
However, for Ether and Bitcoin, this scenario can be very profitable. With some technical upgrades, the attack can be executed about 300 times per second. In this case, losses can be dramatic:
"We can get this transaction included about 300 times per second, stealing $7500 per second or about $27 million an hour (that is one Lamborghini Huracan every minute)."
Bug fixed
In automated mode, this attack becomes profitable even for FTT and RAY tokens.
On Dec. 2-4, Neodyme's representatives contacted a number of decentralized finance protocols (DeFis) on Solana, e.g., Larix, Solend, Tulip, Accumen, Soda and so on.
All teams fixed the bugs in their architecture. Yesterday, software engineer Jordan Audet-Sexton shared on GitHub that the issue is fixed in Solana's main codebase as well.
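A regression check a lending protocol could keep in its test suite after a fix like this, written as an added example (it is not Neodyme's or SPL's code): it asserts that an immediate deposit and withdrawal never pays out more than was deposited. The article does not state the root cause, so the toy pool, its 1.6 exchange rate, the `Rounding` switch and every name below are assumptions chosen to give one failing and one passing variant.

```rust
// Added example: a toy share-based lending pool, not SPL code.
// Assumption: the only difference between the two variants is rounding mode.
#[derive(Clone, Copy)]
enum Rounding { Nearest, Floor }

struct Pool { liquidity: u64, shares: u64, mode: Rounding }

impl Pool {
    // Computes a * b / c in u128, rounded according to the pool's mode.
    fn mul_div(&self, a: u64, b: u64, c: u64) -> u64 {
        let (n, c) = (a as u128 * b as u128, c as u128);
        let q = match self.mode {
            Rounding::Nearest => (n + c / 2) / c,
            Rounding::Floor => n / c,
        };
        q as u64
    }
    // Takes `amount` base units of liquidity and mints pool shares for it.
    fn deposit(&mut self, amount: u64) -> u64 {
        let minted = self.mul_div(amount, self.shares, self.liquidity);
        self.liquidity += amount;
        self.shares += minted;
        minted
    }
    // Burns `shares` and pays out liquidity in base units.
    fn withdraw(&mut self, shares: u64) -> u64 {
        let out = self.mul_div(shares, self.liquidity, self.shares);
        self.liquidity -= out;
        self.shares -= shares;
        out
    }
}

// Invariant: an immediate deposit/withdraw round trip must never pay out more
// than was deposited. Returns the first (deposited, withdrawn) pair breaking it.
fn first_leak(mode: Rounding, max: u64) -> Option<(u64, u64)> {
    (1..=max).find_map(|n| {
        // Constructed pool state: 1 share is worth 1.6 base units.
        let mut p = Pool { liquidity: 1_600_000, shares: 1_000_000, mode };
        let minted = p.deposit(n);
        let out = p.withdraw(minted);
        (out > n).then_some((n, out))
    })
}

fn main() {
    println!("nearest: {:?}", first_leak(Rounding::Nearest, 10_000));
    println!("floor:   {:?}", first_leak(Rounding::Floor, 10_000));
}
```

With floor rounding on both conversions the invariant holds for every deposit size, because the minted share count never exceeds the depositor's exact pro-rata share of the pool.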