A reported bug in Solana has exposed a way in which a hacker could have stolen several million dollars from the various DApps deployed on the network.
The bug in question was reported by the cybersecurity company Neodyme and affects the Solana Program Library (SPL), a library used for building DApps on Solana.
Researchers at Neodyme explained the entire process for exploiting this vulnerability on their official blog. Under the title «How to Become a Millionaire, 0.000001 BTC at a Time», the Neodyme experts indicate that the flaw could have allowed an attacker to obtain up to 27 million dollars per hour, and that the main protocols affected by the vulnerability were Tulip Protocol, Solend and Larix.
In total, an attacker would have had access to around $2,600,000,000 USD, taking into account the Total Value Locked (TVL) of the different protocols that use SPL on Solana. Given its characteristics and dimensions, this could easily be considered one of the most serious flaws in the Solana ecosystem, although luckily the bug was not exploited and has already been corrected.
The bug could have cost billions to Solana
The bug, which has now been duly patched, as can be seen in the SPL GitHub repository, had its origin in December 2020, when issue 991 was created, proposing to improve the library's mathematical operations and remove attack vectors.
However, despite the developers' work to correct it at that time, in June of this year the bug was still present. In issue 1869, a user showed a proof of concept of how to exploit this flaw.

All this indicates that the error was inside the library for at least 11 months and was not exploited in any way, with the terrible consequences that would have had. In the words of the Neodyme team, «A rounding error may seem innocuous, but it can lead to critical vulnerabilities», and this whole case is the best example of those words, although luckily it went completely unnoticed by hackers.
Stealing millions, piece by piece
The bug in SPL worked in a rather simple and, one could say, elegant way. The problem arose because the library did not handle rounding consistently. Therefore, under certain conditions, each operation made it possible to stealthily obtain fractions of a unit until they added up to million-dollar amounts.
The Neodyme team began their investigation on December 1st last year. There, they found that the bug could be effectively exploited. In fact, the operation allowed a well-informed hacker to steal a fortune, piece by piece, from the different Solana protocols that use the SPL library.
Thus, they realized that there was a serious error in the rounding operations. Every time a transaction was made, the amount was rounded to the nearest integer at the withdrawal point. The condition for this to matter is that the user is owed a fraction of the smallest Solana unit (the Lamport, the equivalent of the satoshi in BTC). The direct result is that a user could end up with more or fewer tokens depending on the amount traded, and on average, within the protocol, everything would appear to balance out.
However, this inconsistency would allow a hacker to use the system for their own benefit. To do so, they would only have to prepare a smart contract that exploits the flaw and thus take the tokens they want. And that is precisely what the Neodyme researchers achieved, warning everyone of the error and helping to fix it.
In fact, the proof of concept presented to demonstrate the error allowed them to obtain 0.000001 BTC (0.047 dollars). And, if they wanted more, they just had to re-execute the operations. That way, they could keep adding money to their wallet until they walked away with a good loot. The researchers calculated that the exploit could allow a hacker to obtain around $7,500 USD per second or, in other words, around 27 million dollars per hour.

Current status
The bug is now fixed, not only in SPL but also in the main open source protocols that make use of this Solana library. The magic of free software is that improvements and fixes can be quickly shared between different projects so that we are all safer. However, Solana has a fairly interesting mix of projects, and many of them are closed source.
A good example of this situation is Raydium. This DEX is one of the most used on Solana, with a TVL of $1.7 billion today. It is a great application, but it has a major problem: it is closed source. Therefore, it is impossible to verify the code that makes the protocol work, to help detect errors, and more.

Of course, this doesn't make Raydium a bad app, although in the blockchain ecosystem we are used to open standards and open source. In this situation, Raydium is clearly an odd case.
But this whole situation may change in the not-too-distant future. Events like this bug should make developers think twice about how they implement and release the code of their protocols. All of this, of course, in favor of the security and evolution of Solana as a blockchain project and ecosystem. In any case, one thing is very clear: Solana will continue to grow and consolidate itself as one of the most important and efficient blockchains in the crypto ecosystem.