Solana has corrected a problem that could have allowed hackers to steal $27 million an hour
Flaw in the Solana Program Library could allow hackers to steal
In the cryptocurrency industry, rug pulls and network exploits have dominated the headlines. DeFi applications have now lost over $2 billion to such hacks, including more than $120 million this week alone.
According to security researchers at Neodyme, a recently patched bug also put millions of dollars across the Solana ecosystem at risk.
The researchers revealed in a blog post that a flaw in the Solana Program Library (SPL), the reference code that many Solana projects build on, could have allowed attackers to drain funds from multiple Solana projects at a rate of about $27 million per hour. They estimate that up to $2.6 billion in total was exposed.
The Tulip Protocol yield aggregator, as well as the Solend, Soda, and Larix lending protocols, each with a Total Value Locked (TVL) in the millions, could all have been affected.
How it all started
It all began in June, when Neodyme researcher Simon discovered the bug and reported it on GitHub. At that point it attracted little attention because it did not pose an imminent risk. However, when the team reviewed it again on December 1, it still had not been fixed.
The researchers then began testing how the bug could be exploited and evaluating the potential harm it could cause. Although the researcher had initially dismissed it as a "seemingly harmless rounding error", he later realised that large sums could be stolen by repeating it across an enormous number of small transactions.
This is because applications on Solana that use the SPL reference code round to the nearest integer when paying out. Whenever the amount owed includes a fraction of the smallest unit, the user receives either slightly too little or slightly too much. A single rounding error is insignificant, but the total becomes substantial if one party deliberately triggers it over and over.
After testing, the researchers estimated that the rounding error could be triggered 150 to 200 times in a single transaction, and that many such transactions could be packed into a single block. On that basis they calculated that an exploit of this vulnerability could steal $7,500 per second, or $27 million per hour.
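The rounding effect in the two paragraphs above, as an added example that is not from the article and not Neodyme's or Solana Labs' code: a toy Rust model of a lending pool whose redeem path either rounds to the nearest unit (the bug) or rounds down (the fix). An attacker repeatedly redeems small chunks of collateral, each time picking the chunk size whose fractional payout rounds up. The pool sizes, the attacker's holdings, the chunk-size search and every name here are assumptions for illustration, not SPL's code or figures.

```rust
// Toy model of the rounding bug described above. Not SPL code; all numbers
// and names are illustrative assumptions.
//
// A lending pool holds `liquidity` and has issued `collateral_supply`
// collateral tokens that each represent a share of it. Redeeming `c`
// collateral tokens is worth  c * liquidity / collateral_supply  units of
// liquidity, which is rarely an integer, so the program must round.

#[derive(Clone, Copy, Debug, PartialEq)]
pub enum Rounding {
    /// Round to nearest: the vulnerable behaviour, half the time in the user's favour.
    Nearest,
    /// Round down: the safe choice, any rounding loss falls on the user, never the pool.
    Floor,
}

#[derive(Clone, Debug)]
pub struct Pool {
    pub liquidity: u64,
    pub collateral_supply: u64,
}

impl Pool {
    /// Liquidity paid out for `collateral` tokens under the given rounding mode.
    pub fn collateral_to_liquidity(&self, collateral: u64, mode: Rounding) -> u64 {
        let num = collateral as u128 * self.liquidity as u128;
        let den = self.collateral_supply as u128;
        let out = match mode {
            Rounding::Floor => num / den,
            Rounding::Nearest => (num + den / 2) / den,
        };
        out as u64
    }

    /// Signed rounding error in the user's favour, scaled by collateral_supply.
    /// Positive means the pool overpaid, zero means the payout was exact.
    pub fn rounding_gain(&self, collateral: u64, mode: Rounding) -> i128 {
        let out = self.collateral_to_liquidity(collateral, mode) as i128;
        out * self.collateral_supply as i128 - collateral as i128 * self.liquidity as i128
    }

    /// Burn `collateral` tokens and pay out the corresponding liquidity.
    pub fn redeem(&mut self, collateral: u64, mode: Rounding) -> u64 {
        let out = self.collateral_to_liquidity(collateral, mode);
        assert!(collateral <= self.collateral_supply && out <= self.liquidity);
        self.liquidity -= out;
        self.collateral_supply -= collateral;
        out
    }
}

/// Outcome of an attacker repeatedly redeeming small chunks.
#[derive(Debug, PartialEq)]
pub struct DrainResult {
    pub collateral_spent: u64,
    pub liquidity_received: u64,
    /// liquidity_received minus the exact value of the spent collateral at the
    /// pool's initial exchange rate; positive means the pool lost money.
    pub profit_units: f64,
}

/// The attacker, holding `attacker_collateral`, redeems `rounds` times. Each
/// round it chooses the chunk size in 1..=max_chunk whose rounding error is
/// most in its favour: under Nearest that is a fraction that rounds up, under
/// Floor the best available is a chunk that divides exactly (gain zero).
pub fn drain(
    pool: &mut Pool,
    attacker_collateral: u64,
    max_chunk: u64,
    rounds: usize,
    mode: Rounding,
) -> DrainResult {
    let (l0, c0) = (pool.liquidity as f64, pool.collateral_supply as f64);
    let mut held = attacker_collateral;
    let (mut spent, mut received) = (0u64, 0u64);
    for _ in 0..rounds {
        let best = (1..=max_chunk.min(held)).max_by_key(|&c| pool.rounding_gain(c, mode));
        let chunk = match best {
            Some(c) => c,
            None => break, // attacker has no collateral left
        };
        received += pool.redeem(chunk, mode);
        held -= chunk;
        spent += chunk;
    }
    DrainResult {
        collateral_spent: spent,
        liquidity_received: received,
        profit_units: received as f64 - spent as f64 * l0 / c0,
    }
}

fn main() {
    // Assumed pool: 1e9 units of liquidity against 7e8 collateral tokens,
    // i.e. an exchange rate of 10/7 so almost every payout has a fraction.
    let pool = Pool { liquidity: 1_000_000_000, collateral_supply: 700_000_000 };
    for mode in [Rounding::Nearest, Rounding::Floor] {
        let mut p = pool.clone();
        let r = drain(&mut p, 7_000_000, 10, 100_000, mode);
        println!("{:?}: {:?}", mode, r);
    }
}
```

With round-to-nearest the attacker settles on redeeming 6 tokens at a time, worth 8.57 units but paid out as 9, so every call leaks 3/7 of a unit from the pool; with round-down the best it can do is redeem exact multiples and it gains nothing. A fraction of a unit per call is what the text calls seemingly harmless, and 150 to 200 such calls per transaction across a full block is how it turns into dollars per second.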
Neodyme then contacted several Solana projects that might be affected in order to confirm the bug in their deployments. Because most of them are closed-source, this proved difficult.
Nonetheless, they reached several prominent projects, which corrected the error, and Solana Labs also fixed the reference code so that new projects built on it would not inherit the bug.