$2.6B exploit in Solana (SOL) contracts exposed

Mon 06 Dec 2021 ▪ 20h44 ▪ 3 min read — by Katie Donaldson

Cybersecurity researchers from Neodyme have exposed a bug in the Solana ecosystem. If the problem in the token lending contract of the Solana Program Library (SPL) wasn’t fixed on time, Solana could have seen more than $2.6 billion (~£1.96 billion) stolen.

It all started in June 2021

According to the official report, the bug was affecting several Solana-based decentralised finance (DeFi) protocols, including yield aggregator Tulip Protocol and lending protocols Solend and Larix; together they are holding over $2.6 billion (~£1.96 billion) in total value locked (TVL).

The vulnerability was first exposed by one of Neodyme’s auditors back in June. Other experts didn’t take any time to explore if the bug was dangerous, therefore, it went unnoticed. However, the same researcher, Simon, has finally yelled fire at the start of December.

Whenever a user withdrew funds, apps on Solana that use the SPL reference documents rounded them to the nearest whole number in case the user was owed a Lamport (a fraction of the smallest unit of reference). Such a problem doesn’t seem important on its own, the same could amount to millions if used by hackers over and over again. In this particular case, it would be a rate of $7,500 per second (~£5,650), or $27 million (~£20 million) an hour. It is unclear how long this kind of a bug could have been exploited and how big the losses could be.

Neodyme noted how crucial it is to go over open source codes for auditors in order to help correct these kinds of bugs. “We believe the most secure code is open-source, and as auditors we believe one of the best ways to write better code is to understand vulnerabilities,” their officials added.

Neodyme has already contacted the teams behind the mentioned protocols at risk and helped to fix this exploit individually. 

A bug causing a rounding error that delivers more tokens than users deposit to Solana contracts went unnoticed by Solana developers for months. Neodyme, an auditing agency, has exposed the critical vulnerability that could have led to more than $2.6 billion (~£1.96 billion) stolen.

Subscribe to our daily and weekly newsletter service to receive a digest of the latest news in the cryptosphere and never miss out on any of the Cointribune's highlights!

User Image
Katie Donaldson

I went full time crypto back in June 2018, and have never looked back. I want to help persuade as many people as possible to come and build the decentralised future! Let’s go!


The views, thoughts, and opinions expressed in this article belong solely to the author, and should not be taken as investment advice. Do your own research before taking any investment decisions.

Prices & Indices

BITCOIN (BTCUSD) $29,966.54 1.85%
ETHEREUM (ETHUSD) Ξ $2,010.81 1.9%
DEFI (DEFIPERP) $3,720.40 1.82%
MARKETS (ACWI) $87.95 0.29%
GOLD (XAUUSD) $1,846.18 0.24%
TECH (NDX) $11,835.62 -0.29%
CURRENCIES (EURUSD) $1.06 -0.21%
CURRENCIES (EURGBP) £0.844980 -0.41%
CRUDEOIL (USOIL) $110.52 -0.99%
IMM. US (REIT) $2,463.96 0.79%
The percentage expresses the change over the past 24 hours BUY CRYPTOS WITHOUT RISK

Receive the latest and best crypto news directly to your inbox et tentez de gagner 0.2 ETH en vous inscrivant aujourd'hui

Crytocurrency Guides
You must complete the form to receive your document.