- A bug in one of the token lending contracts included in Solana’s Program Library (SPL) put the funds of several protocols at risk.
- SPL is a group of on-chain programs targeted at the Sealevel parallel runtime on Solana.
- The security company Neodyme reported the vulnerability months ago, but it had not been fixed because it appeared harmless.
- Due to a rounding error, more tokens are delivered to users than they deposited to the contract.
The funds of several protocols were at risk due to a bug in one of the token lending contracts included in Solana’s Program Library (SPL), a group of on-chain programs targeted at the Sealevel parallel runtime on Solana. The security company Neodyme had warned about this vulnerability months ago, but it had not been fixed because its effect seemed innocuous.
A rounding error causes more tokens to be delivered than users deposited to the contract. Nevertheless, the bug could only be exploited by a deliberate, organized attack that targeted it directly. The auditing group, Neodyme, managed to reproduce it and wrote a script that exploited it.
Through this exploit, more than $2 billion worth of tokens on these protocols could have been drained slowly. Conducted carefully, the attack would not have triggered any alarms and would have shown up only as a slow decline in APY in some pools.
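The rounding mechanism described above can be illustrated with a toy share-based pool. This is an added example, not the SPL token lending code or Neodyme's script; the `Pool`, `Rounding` and `net_gain` names are assumptions made for the illustration. The pool mints collateral shares on deposit and pays out liquidity when shares are burned; the only difference between the leaky and the safe variant is whether the payout conversion rounds to the nearest integer or down. A defender can use `net_gain` as a property check: for any deposit and any redemption chunking, a correctly rounded pool must never return more than was deposited.

```rust
// Added example (not SPL code): a toy share-based pool showing how the
// rounding direction of the shares-to-liquidity conversion decides whether
// value can leak out of the pool one unit at a time.
#[derive(Debug, Clone, Copy, PartialEq)]
pub enum Rounding {
    Floor,   // round down: the pool keeps the remainder (safe when paying out)
    Nearest, // round half up: the user may receive more than the shares are worth
}

#[derive(Debug, Clone)]
pub struct Pool {
    pub liquidity: u64, // underlying tokens held by the pool
    pub shares: u64,    // collateral tokens minted against that liquidity
}

/// a * b / d with the chosen rounding, computed in u128 to avoid overflow.
fn mul_div(a: u64, b: u64, d: u64, rounding: Rounding) -> u64 {
    assert!(d > 0, "division by zero");
    let (a, b, d) = (a as u128, b as u128, d as u128);
    let q = a * b / d;
    let r = a * b % d;
    let v = match rounding {
        Rounding::Floor => q,
        Rounding::Nearest => if r * 2 >= d { q + 1 } else { q },
    };
    assert!(v <= u64::MAX as u128, "overflow");
    v as u64
}

impl Pool {
    pub fn new(liquidity: u64, shares: u64) -> Self {
        Pool { liquidity, shares }
    }

    /// Deposit liquidity and mint shares, always rounding down (pool-favourable).
    pub fn deposit(&mut self, amount: u64) -> u64 {
        let minted = if self.shares == 0 {
            amount
        } else {
            mul_div(amount, self.shares, self.liquidity, Rounding::Floor)
        };
        self.liquidity += amount;
        self.shares += minted;
        minted
    }

    /// Burn `burned` shares and pay out liquidity using the given rounding rule.
    pub fn redeem(&mut self, burned: u64, rounding: Rounding) -> u64 {
        assert!(burned <= self.shares, "not enough shares");
        let paid = mul_div(burned, self.liquidity, self.shares, rounding);
        self.liquidity -= paid;
        self.shares -= burned;
        paid
    }
}

/// Deposit `amount`, then redeem the minted shares `chunk` at a time.
/// Returns the user's net change in liquidity; a positive value means the
/// pool leaked tokens it never received (the invariant a safe pool must keep
/// is `net_gain <= 0` for every input).
pub fn net_gain(mut pool: Pool, amount: u64, chunk: u64, rounding: Rounding) -> i128 {
    assert!(chunk > 0);
    let mut remaining = pool.deposit(amount);
    let mut paid_out: u128 = 0;
    while remaining > 0 {
        let burn = remaining.min(chunk);
        paid_out += pool.redeem(burn, rounding) as u128;
        remaining -= burn;
    }
    paid_out as i128 - amount as i128
}

fn main() {
    // Constructed pool state: 600 liquidity backing 1000 shares, i.e. each
    // share is worth 0.6 tokens. Redeeming one share at a time under
    // round-to-nearest pays 1 token per share instead of 0.6.
    for rounding in [Rounding::Nearest, Rounding::Floor] {
        let per_share = net_gain(Pool::new(600, 1000), 6, 1, rounding);
        let all_at_once = net_gain(Pool::new(600, 1000), 6, 10, rounding);
        println!("{:?}: one share at a time {:+}, all at once {:+}", rounding, per_share, all_at_once);
    }
}
```

Redeeming all ten shares in one call is exact under either rule, which is why the defect looks harmless in ordinary use; it only surfaces when the conversion is driven one sub-unit at a time, and a test that sweeps chunk sizes rather than a single happy-path redemption is what catches it.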
Open source code allows auditors to participate and help correct these types of bugs, Neodyme said. It explained, “We believe the most secure code is open-source, and as auditors, we believe one of the best ways to write better code is to understand vulnerabilities.”
Neodyme disclosed the exploit to the teams likely to be using the lending contract in their operations. Some of these protocols on the Solana chain are not open-source and therefore cannot be verified directly by their users, so it was difficult to verify directly whether these platforms could be exploited.
Neodyme nevertheless contacted the teams behind these protocols, each of which is responsible for fixing the issue in its own deployment. The SPL token lending contract has previously been reviewed, and two projects that use it have also undergone independent audits: Solend by Kudelski and Larix by Slowmist.
The Solana platform is designed to host decentralized, scalable applications. The Swiss-based Solana Foundation founded Solana in 2017, and the San Francisco-based Solana Labs developed the blockchain. Solana handles a much larger number of transactions and charges much lower transaction fees than rival blockchains.