A bug in the Solana Program Library (SPL) token-lending contract was recently found and fixed by Neodyme, a security auditing firm. The bug, discovered a few months ago, could have affected several decentralized finance protocols with a combined total value locked (TVL) of more than $2 billion. The firm's team identified the protocols likely to be using this contract (or derivatives of it) and immediately reported the bug to them.
Solana SPL rounding error put funds at risk
A flaw in one of the token-lending contracts that is part of the Solana Program Library (SPL), a collection of on-chain programs targeting Sealevel, Solana's parallel runtime, put the funds of several protocols at risk. Neodyme, a security firm, discovered the vulnerability months ago and reported it, but the error was not fixed at the time because its effect appeared harmless.
The bug was a rounding error that paid out more tokens than users had deposited into the contract. The flaw was not exploitable by accident, however; profiting from it required a deliberate attack aimed directly at the vulnerability. Neodyme, the auditing group, managed to reproduce it and wrote a script that profited from it.
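The article does not show the affected code, so the following is an added illustration, not the SPL token-lending program's own code, of how a rounding direction in a share-based pool can pay out more than was deposited and how the loss accumulates as the slow drain the article describes later. The `Pool`, `Rounding`, and the starting balances are constructed for this example; the point is that converting liquidity to shares and back with round-to-nearest can favour the caller by up to half a unit in each direction, while rounding down (and rejecting deposits that would mint zero shares) keeps any dust in the pool.

```rust
/// Hypothetical lending pool state: liquidity held and pool shares outstanding.
/// Constructed illustration, not the SPL token-lending program's own code.
#[derive(Clone, Copy, Debug, PartialEq)]
pub struct Pool {
    pub total_liquidity: u128,
    pub total_shares: u128,
}

/// Rounding policy used when converting between liquidity and shares.
#[derive(Clone, Copy, Debug, PartialEq)]
pub enum Rounding {
    /// Round to nearest: can round in the caller's favour by up to half a unit.
    Nearest,
    /// Round down: always rounds against the caller, so dust stays in the pool.
    Floor,
}

fn div_round(num: u128, den: u128, r: Rounding) -> u128 {
    match r {
        Rounding::Floor => num / den,
        Rounding::Nearest => (num + den / 2) / den,
    }
}

impl Pool {
    /// Deposit liquidity and mint shares at the current exchange rate.
    /// Returns None when the deposit would mint zero shares; a hardened
    /// program rejects such a deposit instead of silently absorbing it.
    pub fn deposit(&mut self, amount: u128, r: Rounding) -> Option<u128> {
        let shares = div_round(amount * self.total_shares, self.total_liquidity, r);
        if shares == 0 {
            return None;
        }
        self.total_liquidity += amount;
        self.total_shares += shares;
        Some(shares)
    }

    /// Burn shares and pay out the corresponding liquidity.
    pub fn redeem(&mut self, shares: u128, r: Rounding) -> u128 {
        let out = div_round(shares * self.total_liquidity, self.total_shares, r);
        self.total_liquidity -= out;
        self.total_shares -= shares;
        out
    }
}

/// Deposit `amount`, immediately redeem the minted shares, and report the
/// caller's net gain (positive means the pool paid out more than it received).
pub fn round_trip_gain(mut pool: Pool, amount: u128, r: Rounding) -> Option<i128> {
    let shares = pool.deposit(amount, r)?;
    let out = pool.redeem(shares, r);
    Some(out as i128 - amount as i128)
}

/// Repeat the round trip `rounds` times and return the pool's remaining
/// liquidity; a slow drain shows up as a steadily falling number.
pub fn liquidity_after_round_trips(mut pool: Pool, amount: u128, rounds: u32, r: Rounding) -> u128 {
    for _ in 0..rounds {
        match pool.deposit(amount, r) {
            Some(shares) => {
                pool.redeem(shares, r);
            }
            None => break,
        }
    }
    pool.total_liquidity
}

fn main() {
    // Constructed starting state: 1000 units of liquidity backing 300 shares.
    let pool = Pool { total_liquidity: 1_000, total_shares: 300 };
    for r in [Rounding::Nearest, Rounding::Floor] {
        println!(
            "{:?}: gain per 2-unit round trip = {:?}, liquidity after 10 round trips = {}",
            r,
            round_trip_gain(pool, 2, r),
            liquidity_after_round_trips(pool, 2, 10, r)
        );
    }
}
```

With round-to-nearest, a two-unit deposit mints one share that redeems for three units, so each round trip takes one unit from the pool and ten round trips leave the pool one percent lighter; nothing reverts and the only symptom is a pool balance that falls a little faster than its lenders expect. With floor rounding the same deposit would mint zero shares and is rejected, and the pool's liquidity is unchanged. A review of any share or exchange-rate calculation should therefore check the rounding direction of every conversion and that it always favours the pool.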
The importance of open source
More than $2 billion in various tokens across these protocols was at risk of being slowly drained by this exploit. Moreover, had the attack been carried out carefully, it would not have triggered any alarms and would have been noticeable only as a slow decline in the APY of some pools. Neodyme stressed the importance of open source code in getting reviewers to find and fix this kind of bug. The firm stated:
We believe open source is the most secure code, and as auditors, we believe that one of the best ways to write better code is to understand vulnerabilities.
After Neodyme discovered this exploit, it shared its existence with the teams likely to be using the program in their operations. Among these were several protocols on the Solana chain that are not open source and therefore cannot be directly verified by their users. This made it difficult to check directly whether those platforms were exploitable through the bug. Neodyme nevertheless contacted the teams behind these protocols, each of which is responsible for fixing the problem in its own deployment.
The SPL token-lending contract had previously been audited, and two projects using it had also been independently audited: Solend by Kudelski and Larix by Slowmist.
What do you think of the exploit fixed in the Solana token-lending contract? Let us know in the comments section below.
Photo credit: Shutterstock, Pixabay, Wiki Commons
Disclaimer of liability: This article is for informational purposes only. It is not a direct offer or solicitation of an offer to buy or sell, or a recommendation or endorsement for any product, service, or company. Bitcoin.com does not provide investment, tax, legal, or accounting advice. Neither the company nor the author are directly or indirectly responsible for any damage or loss caused or allegedly caused by or in connection with the use of or reliance on the content, goods or services mentioned in this article.