A bug in the Solana Program Library (SPL) could have been used to steal funds from several large DeFi projects at a rate of about $27 million an hour.
The Tulip Protocol yield aggregator and the Solend and Larix lending protocols were at risk. At their peak, the combined TVL of these projects reached $2.6 billion.
The researchers noted that the bug had been publicly disclosed by one of the group's auditors, nicknamed Simon, back in June. On December 1 he discovered that the vulnerability had still not been fixed. As Neodyme suggests, it may have been considered harmless.
However, the researchers found that the bug allows "hundreds of millions of dollars" to be stolen quickly, in tiny increments.
Assets on Solana must specify their number of decimal places, and the SPL program that handles withdrawals rounds amounts to the nearest whole unit of the smallest denomination, the researchers explained.
In theory, nothing prevents a user from structuring a withdrawal so that the rounding goes in their favor and withdrawing that amount. For the Solana token, however, that unit is 1 lamport, equal to 0.000000001 SOL, or approximately $0.00000022 (at the time of the research). The transaction fee exceeds this value by almost 5,000 times, Neodyme emphasized.
For cryptocurrencies with a larger denomination, however, the gap is not so dramatic. Testing their theory on a copy of the blockchain, the researchers were able to steal $0.05 in Bitcoin and $0.005 in Ethereum.
Since a transaction on the Solana network can contain many instructions, Neodyme's researchers used an exploit to carry out about 300 transfers per second. For Bitcoin, that meant approximately $7,500 in stolen funds per second, or ~$27 million per hour. The attack was also economically feasible against FTT and even RAY tokens.
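The rounding defect and its fix, as a constructed illustration that is not code from the SPL token-lending program or from Neodyme: a pool whose exchange rate makes each redemption owe a fractional number of base units, converted once by round-to-nearest (the vulnerable behaviour described above) and once by rounding down against the caller, repeated in a loop the way many instructions are batched into one transaction. The pool sizes, exchange rate and per-unit prices are assumed values.

```python
from fractions import Fraction

# Constructed illustration, not code from the SPL token-lending program or from
# Neodyme. A pool holds `liquidity` integer base units of a token (the token's
# `decimals` field fixes how many digits sit behind the point) and has issued
# `collateral_supply` collateral tokens. Redeeming `collateral` tokens is owed
# exactly collateral * liquidity / collateral_supply base units, a fraction that
# has to be converted to a whole number of base units somehow.

def owed(collateral, liquidity, collateral_supply):
    return Fraction(collateral * liquidity, collateral_supply)

def round_to_nearest(x):
    """Vulnerable conversion: half a base unit or more rounds up to a whole
    unit, so the redeemer can be paid more than the exact amount owed."""
    return (2 * x.numerator + x.denominator) // (2 * x.denominator)

def round_down(x):
    """Hardened conversion: always round against the caller, so the pool never
    pays out more than what is owed (a deposit would round the other way)."""
    return x.numerator // x.denominator

def redeem_loop(liquidity, collateral_supply, redeem, n, convert):
    """Redeem `redeem` collateral tokens `n` times (many such instructions fit
    in one transaction). Returns (base units paid beyond the exact amount owed,
    pool liquidity left). A positive excess is the pool's loss."""
    excess = Fraction(0)
    for _ in range(n):
        exact = owed(redeem, liquidity, collateral_supply)
        paid = convert(exact)
        excess += paid - exact
        liquidity -= paid
        collateral_supply -= redeem
    return excess, liquidity

def net_profit_usd(excess_units, usd_per_base_unit, fee_usd):
    """Does the rounding gain cover the transaction fee? With the SOL figures
    from the article (1 lamport ~ $0.00000022, fee ~5,000x that) it does not."""
    return excess_units * usd_per_base_unit - fee_usd

if __name__ == "__main__":
    # Constructed pool: exchange rate 0.8 base units per collateral token, so
    # redeeming 2 collateral tokens is owed 1.6 base units each time.
    for name, convert in (("nearest", round_to_nearest), ("floor", round_down)):
        gain, left = redeem_loop(4 * 10**12, 5 * 10**12, 2, 300, convert)
        print(f"{name:8s} excess paid: {float(gain):+.4f} units, pool left {left}")
```

Rounding to nearest pays the pool's money out as a small surplus on every redemption, while rounding down leaves the rounding loss with the caller; the fee check is what decides whether repeating the surplus is worth anything for a given token.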
The researchers contacted the Solana Foundation and eight projects they believed were affected by the vulnerability. In some cases those assumptions turned out to be wrong, and Port Finance had fixed the problem on its own several months earlier. Tulip, Solend, and Larix fixed it after being contacted, and the Solana team made some changes to the documentation.