Developers, validators, and client teams of Solana have addressed a critical network vulnerability through a coordinated update.
Anatomy of a patch
In the past few hours a critical security vulnerability and patch were disclosed on Solana, this public disclosure occured after a supermajority of stake had already been patched to protect the network. Let’s look at how this process unfolded and how 70% of…
— Laine ❤️ stakewiz.com (@laine_sa_) August 9, 2024
The process began on August 7, when Solana Foundation specialists contacted major network operators through private channels. These contacts were necessary to keep the patch confidential, preventing potential exploitation by malicious actors.
Within the following 24 hours, the involved parties were required to confirm their readiness for the update and adherence to confidentiality.
On August 8 at 14:00 UTC, operators received another message from the Solana Foundation. It contained instructions for downloading, verifying, and applying the patch. The patch itself was hosted in the GitHub repository of a well-known engineer from the Anza project.
Within a few hours, the stakeholders managed to protect a “supermajority” of 66.6% of the network with the update. The vulnerability was publicly disclosed after 70% implementation, with a call for all remaining operators to update.
“The fact that the issue was discovered and promptly resolved speaks volumes about the high-level engineering efforts, often unseen by the community, from specialists at Anza, Solana Foundation, Jump/Firedancer, Jito, and other key teams,” noted Laine, one of the network’s validators.
In April, Solana developers updated the software as part of measures to combat blockchain congestion, which was causing transaction delays.