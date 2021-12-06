A bug in the Solana Program Library (SPL) could have allowed an attacker to steal funds from several large DeFi projects at a rate of approximately $27 million per hour. The bug was found by experts from the Neodyme team.

We recently discovered a critical bug in the token-lending contract of the solana-program-library (SPL). This blog post details our journey from discovery, through exploitation and coordinated disclosure, and finally the fix. – Neodyme (@Neodyme) December 3, 2021

The Tulip Protocol yield aggregator and the Solend and Larix lending protocols were under threat. At its peak, the cumulative TVL of these projects reached $2.6 billion.

The experts noted that the bug was publicly disclosed by one of the group's auditors, nicknamed Simon, back in June. On December 1, he discovered that the vulnerability had not been fixed. Neodyme suggested that it may have been considered harmless.

However, the experts found that the bug allows an attacker to quickly steal "hundreds of millions of dollars" in tiny increments.

Each asset on Solana specifies its number of decimal places, and the SPL program for withdrawing funds rounds the amount to the nearest whole number of the asset's smallest unit, the experts explained.

Theoretically, nothing prevents an attacker from setting up a withdrawal so that the rounding works in their favor and then withdrawing that amount. However, for the Solana token, for example, the amount is 1 lamport, equal to 0.000000001 SOL, or approximately $0.00000022 (at the time of the research). The transaction fee exceeds this value by almost 5,000 times, Neodyme emphasized.

[Table: some coins from the Solend listing, with the number of decimal places, the approximate value of the cryptocurrency at the time of the study, and the ratio of the minimum unit to the transaction fee. Data: blog.]

At the same time, for cryptocurrencies with a larger denomination, this gap does not look so catastrophic. By testing their theory on a copy of the blockchain, the experts were able to steal $0.05 in Bitcoin and $0.005 in Ethereum.

Since a transaction on the Solana network can contain many instructions, the Neodyme experts used an exploit to carry out about 300 transfers per second. In the case of Bitcoin, this meant approximately $7,500 in stolen funds over that period, or about $27 million per hour. The attack also became economically feasible against the FTT and even RAY tokens.
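The rounding behaviour described above can be checked with a simple invariant: a withdrawal must never pay out more than the exact entitlement. The following is an added illustration, not code from the SPL or from Neodyme; the exchange rate, the function names and the assumed fee of 5,000 times the lamport value are constructed for the example, while the dollar figures are the ones quoted in this article.

```rust
// Added illustration, not SPL code. Rate and amounts are constructed.

/// A withdrawal converts `shares` into base units at the rate num/den.
/// Vulnerable shape: round to the nearest whole base unit.
fn payout_round(shares: u128, num: u128, den: u128) -> u128 {
    (shares * num + den / 2) / den
}

/// Hardened shape: round down, so the pool never pays more than is owed.
fn payout_floor(shares: u128, num: u128, den: u128) -> u128 {
    shares * num / den
}

/// Auditor's invariant: payout * den <= shares * num for every amount.
/// Returns the first share amount in 1..=max that the pool overpays, if any.
fn first_overpay(
    payout: fn(u128, u128, u128) -> u128,
    num: u128,
    den: u128,
    max: u128,
) -> Option<u128> {
    (1..=max).find(|&s| payout(s, num, den) * den > s * num)
}

/// Is one rounded-up base unit worth more than the fee paid per transaction?
/// Both values are in nano-dollars so the comparison stays in integers.
fn rounding_gain_is_material(unit_nano_usd: u128, fee_nano_usd: u128) -> bool {
    unit_nano_usd > fee_nano_usd
}

fn main() {
    let (num, den) = (3, 5); // constructed rate: 1 share = 0.6 base units
    println!("round overpays at: {:?}", first_overpay(payout_round, num, den, 1_000));
    println!("floor overpays at: {:?}", first_overpay(payout_floor, num, den, 1_000));

    // Article figures: 1 lamport ~ $0.00000022; fee taken as 5,000x that (assumption).
    let fee = 220 * 5_000;
    for (name, unit) in [("SOL", 220u128), ("ETH", 5_000_000), ("BTC", 50_000_000)] {
        println!("{}: material = {}", name, rounding_gain_is_material(unit, fee));
    }
}
```

Rounding down on every payout makes the invariant hold for all amounts, which is why the size of the smallest unit no longer matters once the direction of rounding is fixed.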

The experts contacted the Solana Foundation and eight projects that they believed were affected by the vulnerability. In some cases, the assumptions turned out to be wrong, and Port Finance had resolved the problem on its own several months earlier. Tulip, Solend and Larix did so after being contacted, and the Solana team made some changes to the documentation.

Recall that in early December, a hacker withdrew assets worth over $120 million from the Badger DAO DeFi project.
