For six months, a publicly publicized problem affecting important Solana projects went unnoticed. According to security experts, it might have stolen hundreds of dollars per second.
Solana project bug went unnoticed for six months
A bug in the Solana Protocol Library (SPL), a set of reference materials for Solana projects, may have permitted attackers to steal $27 million per hour from many Solana projects.
Tulip Protocol, a yield aggregator, and the loan protocols Solend and Larix were among the projects affected. These initiatives presently manage $1.7 billion in assets (although this figure was much greater before today’s market fall).
The flaw was originally publicly exposed by one of Neodyme’s auditors, known as Simon, on file-sharing platform GitHub in June, according to a blog post. The security researchers didn’t know if it could be exploited or how great of an impact it may have at the time. The Solana project bug went unnoticed for six months.
Simon noticed that the bug had not been resolved and that the issue was still open on December 1. Because of his fears, security researchers at Neodyme began testing to determine if the problem could be exploited and how dangerous it was.
According to Neodyme, the bug was a “seemingly innocuous rounding error,” but they soon discovered that it had the ability to steal a fortune — in millions of tiny bits.
This is how the bug operated. Simply, there is a process for when you put money into and take money out of Solana apps. The procedure would round monies to the nearest whole number at the point of withdrawal if it followed the SPL reference papers.This would only happen if the user was owed a fraction of the smallest unit of reference, known as a Lamport (this is similar to a satoshi, the smallest amount of Bitcoin).
This worked in both directions. Some folks would end up with a little surplus of tokens. Others would receive a small fraction of what they were entitled to. However, it would be a negligible sum per person, and it would about equalize on average.
But, the researchers reasoned, if someone tried to rig the system, wouldn’t they end up taking the small extra amounts? And if they did this again, they could be able to generate a considerable sum of money.
On a clone of the blockchain, the researchers put their theory to the test. They sent a transaction to exploit the flaw, and it was successful in stealing 0.000001 BTC ($0.047) owing to a rounding error.
The researchers calculated that they could use this problem 150-200 times in a single transaction and that many of these transactions might be grouped together in a single block. They estimated that a mistake like this might steal $7,500 every second, or $27 million each hour.
In terms of how much money may be stolen in total, it’s unclear how long this kind of exploit could have gone unnoticed before security measures were implemented. That would depend on how obvious the attackers were and how swiftly or slowly they carried out the attack. However, the researchers were well aware that more than a billion bucks were at stake.
The researchers quickly contacted a number of Solana projects they suspected were harmed by the problem. It was a considerably more difficult task because many Solana projects are closed-source, and they misidentified a couple of projects. However, they were able to contact Solend, Tulip, and Larix, who were all able to resolve the issue.
Solana Labs has also corrected the reference papers since the flaw was discovered, ensuring that future projects following its guidelines will not reintroduce it.
If you find this article informative then do share it with your friends and family!
Also read: Wrapped LUNA Token: Everything you need to know
