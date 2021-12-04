A bug reported but never corrected

Neodyme is a team of cybersecurity researchers, made up of experts specializing in various technologies, including blockchain and smart contracts. In a statement posted on its blog, Neodymium revealed that it had recently discovered a critical flaw in the Solana Program Library (SPL) protocol.

We learn that the bug was initially discovered last June by a researcher from the Neodymium team and made public on GitHub. However, he explains that at this point, it was impossible to determine if the bug was exploitable. This one had thus gone unnoticed.

However, on December 1, this same researcher found that the flaw was still present and that nothing had been done to correct it. In addition, it threatened many protocols in the Solana ecosystem (SOL), such as the yield aggregator Tulip Protocol and the Solend and Larix lending platforms. Projects that currently manage $ 1.7 billion in funds.

The Neodymium team therefore carried out a series of tests to verify whether this flaw was exploitable and possibly correct it. According to the press release, the work of the researchers and the contribution of the teams from the protocols concerned made it possible to quickly correct the situation and protect the users. But what was this bug and what could have happened?

👉 On the same theme – The audit company CertiK raises $ 80 million to continue to secure the ecosystem

A simple rounding error …

In the rest of the press release, Neodymium explains how the bug that threatened the Solana Program Library worked. To put it simply, when you deposit funds on a protocol, the value of your assets changes over time. When withdrawing, it can have many digits after the decimal point. This is why some protocols rely on SPL to round the amount returned to the nearest decimal place.

Consider the smallest reference unit in the Solana ecosystem. This is called Lamport and is worth 0.000000001 SOL (it is the same principle as a satoshi, smaller unit of Bitcoin). If you deposit an amount of 1.5 Lamport in a loan protocol then you will receive 2 Lamport upon withdrawal. Conversely, if this amount is only worth 1.4 Lamport when withdrawing, you will only receive 1 Lamport. On average, this should balance out by creating as much value as it removes.

However, researchers have shown that by exploiting this system very quickly, it is possible to recover tiny amounts with each deposit and withdrawal of funds. By repeating the operation many times, the total amount recovered could be really large.

That could have cost hundreds of millions of dollars!

By testing their theory on a replica of the blockchain, Neodymium experts managed to steal 0.000001 BTC ($ 0.047). They estimated that they could run this bug 150-200 times in a single transaction and put several of those transactions in a single block. Thus, such a strategy could allow funds to be stolen at a rate of $ 7,500 per second, or $ 27 million per hour.

Regarding the total amount that could have been stolen, this obviously depends on the duration of exploitation of the vulnerability before it is noticed and protections are put in place:

“The attack would have lasted for several days, so it could have been stopped by the time it was noticed. But it’s really hard to figure it out, and we’re not sure anyone has sufficient surveillance, especially when the attack is carried out slowly and carefully, ”the statement read.

Research by the Neodymium team has identified 6 protocols potentially threatened by this flaw: Larix, Tulip, Port, Solend, Soda and Acumen. The total value of assets under management, and thus threatened, is approximately $ 1.7 billion. Not all are really at risk, Neodymium estimates that the potential profit still amounted to several hundred million dollars.

👉 To go further – SafeDollar stablecoin drops to zero after exploiting a flaw in its protocol

Newsletter 🍞

Receive a recap of crypto news every Sunday 👌 And that’s it.

About the Author: Lilian Aliaga

Freelance writer located between Paris and Toulouse. I want to share my passion for the world of cryptocurrencies with as many people as possible. I am also interested in technical analysis and trading.

All articles by Lilian Aliaga.