Home>News>Economy>Cryptocurrency>Bug in Solana Token Lending Contract Fixed, More Than $2 Billion Made Exploitable

Bug in Solana Token Lending Contract Fixed, More Than $2 Billion Made Exploitable

Cryptocurrency
06.12.2021
239
Bug in Solana Token Lending Contract Fixed, More Than $2 Billion Made Exploitable

A bug in the token lending contract of the Solana Program Library (SPL) was recently found and fixed by Neodyme, a security auditing firm. The bug, that was discovered a couple of months back, could have affected several decentralized finance protocols holding more than $2 billion in total value locked (TVL). Their team identified the possible protocols using this contract (or derivatives of it) and disclosed the bug immediately.

Solana SPL Rounding Bug Puts Funds at Risk

A bug in one of the token lending contracts that is part of Solana’s Program Library (SPL), a group of on-chain programs targeting the Sealevel parallel runtime on Solana, put the funds of several protocols at risk. Neodyme, a security agency, had disclosed this vulnerability months ago and alerted about it, but the bug, due to its apparently innocuous effect, had not been resolved.

The bug caused a rounding error that delivers more tokens than the ones being deposited by the users to the contract. However, the bug was not exploitable without an organized attack that targeted the vulnerability directly. Neodyme, the auditing group, managed to reproduce it and create a script that took advantage of it.

Importance of Open Source

More than $2 billion in several tokens on these protocols were at risk of being drained slowly by taking advantage of this exploit. More so, if the attack had been conducted in a smart way, it wouldn’t have triggered any alarms, and would just be detected as a slow drain of APY in some pools. Neodyme remarked about the importance of open source code for auditors to be involved and help correct these kinds of bugs. It stated:

We believe the most secure code is open-source, and as auditors we believe one of the best ways to write better code is to understand vulnerabilities.

After discovering this exploit, Neodyme shared its existence with teams that would probably be using the program as a tool for their operations. Among these were some protocols that are not open source on the Solana chain, and cannot be directly verified by their users. This made it difficult for them to directly verify whether these platforms were exploitable by the bug. However, they communicated with the teams behind these protocols, who are in charge of fixing the issue individually.

The SPL token-lending contract had already been reviewed before, and two projects using it have also been audited independently: Solend by Kudelski and Larix by Slowmist.

Tags in this story

What do you think about the exploit corrected in the Solana token lending contract? Tell us in the comments section below.

Author:bitcoin

Актуальные новости

08.04.2022, 08:18
163
South Africa finishes technical PoC for wholesale CBDC settlement system
10.02.2022, 07:00
212
Ricardo Salinas Pliego Hints at Elektra Group Selling Bitcoin in Its Stores
26.11.2021, 06:00
229
‘Wake up’: markets warn central banks to get a grip on inflation
01.05.2022, 21:17
136
Top 5 cryptocurrencies to watch this week: BTC, LUNA, NEAR, VET, GMT
22.04.2022, 01:49
110
Hacker bungles DeFi exploit: Leaves stolen $1M in contract set to self destruct
05.08.2021, 16:54
738
New York lawmakers’ impeachment inquiry into Cuomo nearing an end
24.05.2022, 08:32
139
10 Days After Wheat Shipment Ban In India, Charts Still Signal Record Highs Ahead
30.12.2021, 01:20
152
Polygon upgrade quietly fixes bug that put $24B of MATIC at risk
btc
$ 20643
-0.6%
eth
$ 1188.08
-0.99%
busd
$ 0.997095
-0.14%
xrp
$ 0.342671
-1.03%
ltc
$ 54.36
-1.89%