- Oct 25, 2021
Solana SPL Rounding Bug Puts Funds at Risk
A bug in one of the token lending contracts that is part of Solana’s Program Library (SPL), a group of on-chain programs targeting the Sealevel parallel runtime on Solana, put the funds of several protocols at risk. Neodyme, a security agency, had
The bug caused a rounding error that made the contract deliver more tokens than users had deposited. However, it was not exploitable without an organized attack that targeted the vulnerability directly. Neodyme, the auditing group, managed to reproduce it and create a script that took advantage of it.
Importance of Open Source
More than $2 billion in several tokens on these protocols was at risk of being drained slowly through this bug. Moreover, if the attack had been conducted in a smart way, it wouldn’t have triggered any alarms, and would just be detected as a slow drain of APY in some pools. Neodyme
We believe the most secure code is open-source, and as auditors we believe one of the best ways to write better code is to understand vulnerabilities.
After discovering this exploit, Neodyme shared its existence with teams that would probably be using the program as a tool for their operations. Among these were some protocols that are not open source on the Solana
The SPL token-lending contract had already been reviewed before, and two projects using it have also been audited independently: Solend by Kudelski and Larix by Slowmist.
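The article does not show the contract's arithmetic, so the following is an added example, not SPL or Neodyme code: it models the class of rounding error described above and a conservation check that a test suite could run to catch it. The exchange-rate model, the two rounding modes and every name and amount in it are assumptions made for illustration.

```rust
// Added illustration, not SPL token-lending code. Rate, names and amounts are constructed.

/// How a fractional conversion result becomes an integer token amount.
#[derive(Clone, Copy, Debug, PartialEq)]
pub enum Rounding {
    Nearest, // assumed faulty mode: may round in the user's favour
    Floor,   // rounds every conversion in the pool's favour
}

/// Hypothetical exchange rate: `num` collateral shares per `den` liquidity tokens.
#[derive(Clone, Copy)]
pub struct Rate {
    pub num: u128,
    pub den: u128,
}

fn mul_div(x: u128, num: u128, den: u128, mode: Rounding) -> u128 {
    match mode {
        Rounding::Floor => x * num / den,
        Rounding::Nearest => (x * num + den / 2) / den,
    }
}

/// Liquidity deposited -> collateral shares minted.
pub fn deposit(liquidity: u128, r: Rate, mode: Rounding) -> u128 {
    mul_div(liquidity, r.num, r.den, mode)
}

/// Collateral shares redeemed -> liquidity paid out.
pub fn redeem(shares: u128, r: Rate, mode: Rounding) -> u128 {
    mul_div(shares, r.den, r.num, mode)
}

/// Conservation check: a deposit followed by a full redeem must never pay out
/// more than was put in. Returns every (deposited, paid_out) pair that breaks it.
pub fn round_trip_violations(r: Rate, mode: Rounding, max: u128) -> Vec<(u128, u128)> {
    (1..=max)
        .map(|a| (a, redeem(deposit(a, r, mode), r, mode)))
        .filter(|&(a, out)| out > a)
        .collect()
}

fn main() {
    let rate = Rate { num: 2, den: 3 }; // constructed: 1 share is worth 1.5 tokens
    for mode in [Rounding::Nearest, Rounding::Floor] {
        println!("{:?}: {:?}", mode, round_trip_violations(rate, mode, 10));
    }
}
```

With flooring, the smallest deposits mint zero shares: the rounding loss falls on the depositor rather than the pool, which is the direction a lending pool needs.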