A bug in the Solana program library (SPL) potentially allowed funds to be stolen from several large DeFi projects at a rate of about $27 million per hour, according to researchers from the Neodyme team.
The yield aggregator Tulip Protocol, as well as the lending protocols Solend and Larix, were under threat. At its peak, the combined TVL of these projects reached $2.6 billion.
Experts noted that the bug was publicly disclosed by one of the group’s auditors, who goes by the nickname Simon, as early as June. On December 1, he found that the vulnerability had not been fixed. As Neodyme speculated, it may have been considered harmless.
However, the experts found that the bug could be exploited to steal “hundreds of millions of dollars” by withdrawing tiny amounts over and over.
Every SPL token is created with a fixed number of decimals, and the SPL lending program's withdrawal logic rounds the amount paid out to the nearest whole minimum unit of the asset, the experts explained.
In principle, nothing prevents an attacker from crafting a withdrawal so that the rounding falls in their favour and pocketing the difference. For the Solana token this minimum unit is 1 lamport, i.e. 0.000000001 SOL or about $0.00000022 (at the time of the study). The transaction fee exceeds that value almost 5,000-fold, Neodyme emphasised.
For tokens whose minimum unit is worth more, however, the gap between the gain and the fee is far smaller. Testing their theory on a fork of the blockchain, the experts managed to steal $0.05 per withdrawal in Bitcoin and $0.005 in Ethereum.
Because a Solana transaction can contain many instructions, Neodyme used the exploit to execute about 300 transfers per second. In the case of Bitcoin this meant roughly $7,500 per second, or about $27 million per hour. The attack was also economically viable for FTT tokens and even RAY.
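To make the mechanism concrete, here is a toy model added for this page; it is not SPL, Solend or Neodyme code. It converts between deposited liquidity and collateral tokens through a pool exchange rate, with the rounding mode made explicit: rounding to nearest on the leg that pays the user is the bug described above, rounding down is the fix. The pool rate of 1.6, the one-unit deposits and the 30 instructions per transaction are assumptions chosen to show the effect; the dollar values are the ones quoted in the article.

```rust
// Added example, not SPL or Neodyme code: a toy lending pool that exchanges
// liquidity for collateral tokens. The rounding mode is applied to whatever
// the user receives on each leg.

#[derive(Clone, Copy, Debug, PartialEq)]
pub enum Rounding {
    Nearest, // buggy: a fractional unit can be rounded up in the user's favour
    Floor,   // hardened: the protocol keeps every fractional unit
}

#[derive(Clone, Copy, Debug)]
pub struct Pool {
    pub liquidity: u64,         // minimal units of the deposited asset
    pub collateral_supply: u64, // collateral tokens minted against it
}

/// a * b / d with the requested rounding, computed in u128 to avoid overflow.
fn mul_div(a: u64, b: u64, d: u64, r: Rounding) -> u64 {
    let n = a as u128 * b as u128;
    let d = d as u128;
    let q = match r {
        Rounding::Nearest => (n + d / 2) / d,
        Rounding::Floor => n / d,
    };
    q as u64
}

impl Pool {
    /// Deposit `liq` units and mint collateral at the current pool rate.
    pub fn deposit(&mut self, liq: u64, r: Rounding) -> u64 {
        let col = mul_div(liq, self.collateral_supply, self.liquidity, r);
        self.liquidity += liq;
        self.collateral_supply += col;
        col
    }

    /// Burn `col` collateral and pay out liquidity at the current pool rate.
    pub fn withdraw(&mut self, col: u64, r: Rounding) -> u64 {
        let liq = mul_div(col, self.liquidity, self.collateral_supply, r).min(self.liquidity);
        self.liquidity -= liq;
        self.collateral_supply -= col;
        liq
    }
}

/// Run `cycles` deposit/withdraw round trips of `amount` units and return the
/// attacker's net gain in minimal units (negative means the attack loses money).
pub fn attacker_gain(pool: &mut Pool, amount: u64, cycles: u32, r: Rounding) -> i128 {
    let mut gain: i128 = 0;
    for _ in 0..cycles {
        let col = pool.deposit(amount, r);
        let back = pool.withdraw(col, r);
        gain += back as i128 - amount as i128;
    }
    gain
}

// Figures quoted in the article (values at the time of the study).
pub const LAMPORT_USD: f64 = 0.000_000_22;
pub const SOL_FEE_USD: f64 = 5_000.0 * LAMPORT_USD; // fee is ~5,000x one lamport
pub const BTC_UNIT_USD: f64 = 0.05; // gain per Bitcoin withdrawal measured by Neodyme
pub const ETH_UNIT_USD: f64 = 0.005; // gain per Ethereum withdrawal

/// Net USD an attacker clears per transaction when every exploit instruction
/// gains one minimal unit worth `unit_usd` and the transaction pays one base fee.
pub fn net_usd_per_tx(unit_usd: f64, instr_per_tx: u32) -> f64 {
    unit_usd * instr_per_tx as f64 - SOL_FEE_USD
}

fn main() {
    let rate_16 = Pool { liquidity: 160_000_000, collateral_supply: 100_000_000 }; // assumed rate 1.6
    let mut buggy = rate_16;
    let mut fixed = rate_16;
    println!("1000 one-unit cycles, round-to-nearest: attacker gains {} units",
             attacker_gain(&mut buggy, 1, 1000, Rounding::Nearest));
    println!("1000 one-unit cycles, floor:            attacker gains {} units",
             attacker_gain(&mut fixed, 1, 1000, Rounding::Floor));
    let instr_per_tx = 30; // assumed number of exploit instructions per transaction
    for (name, unit) in [("SOL", LAMPORT_USD), ("ETH", ETH_UNIT_USD), ("BTC", BTC_UNIT_USD)] {
        println!("{name}: net ${:.6} per transaction", net_usd_per_tx(unit, instr_per_tx));
    }
}
```

With round-to-nearest, a single-unit deposit at rate 1.6 mints one collateral token (0.625 rounded up) and redeeming it pays two units (1.6 rounded up), so every cycle drains one minimal unit from the pool; with floor the same cycle costs the attacker one unit. The economics then depend only on what one minimal unit is worth against the fee, which is why SOL is safe and Bitcoin is not.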
The experts contacted the Solana Foundation and eight projects believed to be affected by the vulnerability. In some cases the assumption proved incorrect, and Port Finance had already fixed the issue on its own several months earlier. Tulip, Solend and Larix did so after being contacted, and the Solana team also updated the documentation.
Earlier in December, a hacker withdrew assets worth more than $120 million from the DeFi project Badger DAO.
