Now fixed, Solana Protocol Library bug had potential to expose $2.6 billion to risk of theft

Rug pulls and network exploits have dominated much of the buzz within the cryptocurrency industry, and for good reason. DeFi applications have now lost over $2 billion in total owing to such hacks. The latest one this week alone accounted for $120 million.

Further, billions more could have been lost from the Solana ecosystem if a recently rectified bug had not been detected, according to security researchers at Neodyme.

In a recent blog post, the researchers revealed that a bug in the Solana Protocol Library (SPL), could have allowed attackers to steal money from multiple Solana projects at a rate of $27 million an hour. The total value at risk rang up to $2.6 billion. SPL is a set of reference documents for Solana projects.

Potential targets that could’ve been affected include yield aggregator Tulip Protocol and lending protocols Solend, Soda, and Larix, all of whom have millions of dollars in TVL.

It all started in June this year when a researcher named Simon initially spotted the bug and raised an issue on Github. Since at the time the bug did not seem to pose an immediate risk, it went largely unnoticed. However, when the issue was reviewed by the researcher again on December 1, it was found that it had not been addressed or fixed.

Researchers then started to test the possibilities of exploiting the bug and to gauge the potential damage it could cause. While it was initially seen as a “seemingly innocuous rounding error,” it was later realized that it had the potential to steal a large amount through endless tiny transactions.

This is because those apps on Solana that use the SPL reference documents round funds to the nearest whole number at the point of withdrawals, in case the user was owed a fraction of the smallest unit of reference. This would result in users either receiving or losing very small fractions of their funds. Though it would seem insignificant in isolation, the same could amount to a fortune if siphoned by a single entity.

Upon testing, researchers estimated they could execute this bug 150-200 times in a single transaction and put many of these transactions in a single block. They figured such an exploit could steal funds at a rate of $7,500 per second, or $27 million an hour.

Once the potential for an exploit was confirmed, Neodyme contacted multiple Solana projects that could have been affected by the bug. Since most of these are close sourced, the task did come with its fair share of hurdles. However, they did manage to contact some prominent projects that fixed the bug, while Solana Labs also fixed the reference documents to ensure that new projects following the SPL would not reintroduce the bug.