A bug in the Solana Protocol Library (SPL) вЂ » a set of reference documents for Solana projects вЂ » could have seen attackers steal money from multiple Solana projects at a rate of $27 million an hour, according to security researchers at Neodyme.
The projects that were affected included yield aggregator Tulip Protocol and Top Site Info lending protocols Solend and Larix. These projects currently look after $1.7 billion in funds (although that was considerably higher before todayвЂ™s market crash).
In a blog post, Neodyme explained that the bug was first publicly disclosed by one of NeodymeвЂ™s auditors, known as Simon, on file sharing platform GitHub in June. At the time, the security researchers did not know if it was exploitable or how big its impact could be. The bug went unnoticed.
On December 1, Simon saw that the issue was still open and Top Site Info the bug hadnвЂ™t been fixed. Due to his concerns, security researchers at Neodyme started testing to see if it was possible to exploit the bug, and to gauge how serious it was.
The bug was a вЂњseemingly innocuous rounding error,вЂќ according to Neodyme, but they quickly found that it had the potential to steal a fortune вЂ » in millions of tiny pieces.
The bug worked as follows. Simply put, for Solana apps thereвЂ™s a mechanism for when you put funds in and take them out. If the protocol followed the SPL reference documents, then they would round funds to the nearest whole number at the point of withdrawal.
This would only happen if the user was owed a fraction of the smallest unit of reference, known as a Lamport (this is similar to a satoshi, the smallest amount of bitcoin).
Now this worked both ways. Some people would end up with an extra fraction of their tokens. Other people would end up with slightly less than they were owed. But it would be a minuscule amount per person, and on average would roughly equal out.
But were someone to game the system, the researchers wondered, surely they could end up taking the tiny extra amounts?
And were they to do this over and over again, perhaps they could make significant amounts of money.
The researchers tested their theory out in practice on a copy of the blockchain. They submitted a transaction designed to exploit the bug and it managed to steal 0.000001 BTC ($0.047) due to the rounding error.
The researchers estimated they could execute this bug 150-200 times in a single transaction and put many of these transactions in a single block.
They figured such an exploit could steal funds at a rate of $7,500 per second, or $27 million an hour.
In terms of how much could be stolen in total, itвЂ™s an open question how long this kind of an exploit could have gone on for before it was noticed and protections were put in place.
In case you loved this article and you would love to receive much more information regarding Top Site Info (you can try Topsiteinfo) i implore you to visit our web-page.