$2.6 Billion critical vulnerability discovered in Solana's codebase

On December 3, security researchers revealed in a blog post that they had discovered a critical bug in the token-lending contract of the Solana Program Library (SPL).


Neodyme researchers detailed the path from discovery, through a proof-of-concept exploit, to coordinated disclosure and the fix in a blog post.



According to the group, the total value locked (TVL) exposed to the bug was about $2.6 billion. The group noted that some low-value tokens would not have been economically viable to steal, but the realistic profit was still in the hundreds of millions of dollars.


The group also reported that the bug has been fixed and that the affected DApps updated promptly to close the vulnerability.


The discovery dates back to when Simon, one of Neodyme's auditors, spotted the bug in spl-token-lending and filed an issue for it. On December 1, however, the team found that the bug still had not been fixed.


The root cause is that Solana apps built on the SPL token-lending reference implementation rounded withdrawal amounts to the nearest whole token unit whenever a user was owed a fraction of the smallest unit.


As a result, a user could gain or lose a fraction of a unit on each withdrawal. In isolation this is negligible, but a single actor repeatedly harvesting the rounding surplus could drain a fortune.


Notably, the researchers worked out that they could trigger the bug 150 to 200 times in a single transaction and pack many such transactions into a single block. By their estimate, an attacker could drain funds at about $7,500 per second, or $27 million an hour.
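As an added example (not code from the page, from Neodyme, or from the SPL repository), the following Rust model shows why the rounding direction in the two passages above matters and how repeated round trips turn a sub-unit error into a drain: a toy pool that rounds to the nearest unit on deposit and redemption hands an attacker one extra unit per deposit/redeem cycle, while a pool that always rounds against the user does not. The `Pool` type, the `mul_div` helper, the pool balances and the 200-cycle loop are all constructed for this illustration and are not the real program's types or numbers.

```rust
// Toy model of a lending pool that exchanges liquidity tokens for
// collateral tokens at the ratio liquidity / collateral_supply.
// Constructed for illustration; not the SPL token-lending code.

#[derive(Clone, Copy, PartialEq, Eq, Debug)]
pub enum Rounding {
    /// Round to the nearest whole unit: can round in the user's favour.
    Nearest,
    /// Round against the user: mint fewer collateral on deposit and
    /// pay out fewer liquidity on redeem (floor in both directions).
    AgainstUser,
}

#[derive(Clone, Debug)]
pub struct Pool {
    pub liquidity: u128,         // underlying token units held by the pool
    pub collateral_supply: u128, // collateral tokens outstanding
    pub rounding: Rounding,
}

/// a * b / den in exact integer arithmetic with the requested rounding.
fn mul_div(a: u128, b: u128, den: u128, rounding: Rounding) -> u128 {
    let num = a * b;
    match rounding {
        // floor((2*num + den) / (2*den)) == round-half-up(num / den)
        Rounding::Nearest => (2 * num + den) / (2 * den),
        Rounding::AgainstUser => num / den,
    }
}

impl Pool {
    pub fn new(liquidity: u128, collateral_supply: u128, rounding: Rounding) -> Self {
        Pool { liquidity, collateral_supply, rounding }
    }

    /// Deposit `amount` liquidity; returns the collateral minted to the user.
    pub fn deposit(&mut self, amount: u128) -> u128 {
        let minted = mul_div(amount, self.collateral_supply, self.liquidity, self.rounding);
        self.liquidity += amount;
        self.collateral_supply += minted;
        minted
    }

    /// Redeem `collateral` tokens; returns the liquidity paid out to the user.
    pub fn redeem(&mut self, collateral: u128) -> u128 {
        let paid = mul_div(collateral, self.liquidity, self.collateral_supply, self.rounding);
        self.liquidity -= paid;
        self.collateral_supply -= collateral;
        paid
    }
}

/// Run `cycles` deposit/redeem round trips of `amount` each and return the
/// attacker's net gain in liquidity units (positive means the pool was drained).
pub fn net_gain(pool: &mut Pool, amount: u128, cycles: usize) -> i128 {
    let mut gain: i128 = 0;
    for _ in 0..cycles {
        let collateral = pool.deposit(amount);
        let back = pool.redeem(collateral);
        gain += back as i128 - amount as i128;
    }
    gain
}

/// Same starting balances (constructed: ratio 1.3) under both rounding
/// policies, 200 cycles of a 2-unit deposit, the per-transaction scale the
/// article describes. Returns (gain with Nearest, gain with AgainstUser).
pub fn demo() -> (i128, i128) {
    let mut vulnerable = Pool::new(1_300_000, 1_000_000, Rounding::Nearest);
    let mut fixed = Pool::new(1_300_000, 1_000_000, Rounding::AgainstUser);
    (net_gain(&mut vulnerable, 2, 200), net_gain(&mut fixed, 2, 200))
}

fn main() {
    let (vuln, fixed) = demo();
    println!("nearest rounding: attacker nets {} units over 200 cycles", vuln);
    println!("rounding against user: attacker nets {} units over 200 cycles", fixed);
}
```

With the nearest-rounding pool, a 2-unit deposit at ratio 1.3 mints 2 collateral (1.54 rounds up) and redeeming those 2 collateral pays 3 units (2.6 rounds up), so every cycle extracts one unit; repeating the cycle 200 times in one transaction is exactly the per-transaction amplification the article describes. The rounding-against-user pool gives the same attacker 1 collateral and pays back 1 unit, so the attacker loses a unit per cycle instead. The general rule this illustrates is that a program must never round in the direction that favours the party choosing the amounts.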


Before contacting the Solana projects that could have been affected, Neodyme re-verified that the exploit worked.