The security auditing firm Neodyme discovered and repaired a flaw in the Solana Program Library's token-lending contract. The bug in the token-lending contract of the Solana Program Library (SPL) was identified a few months ago. It could have affected many decentralized finance protocols holding over $2 billion in total value locked. Neodyme immediately disclosed the bug to the responsible team, which identified the protocols potentially using the contract (or derivatives of it).
Solana's SPL Rounding Bug Puts Funds at Risk
A bug in one of the token-lending contracts that is part of Solana's Program Library (SPL), a collection of on-chain programs targeting the Sealevel parallel runtime on Solana, put the funds of several protocols at risk. The vulnerability was discovered and disclosed months ago by the security firm Neodyme.
The bug was a rounding error that could return more tokens than a user had deposited. It could not be exploited without an organised attack targeting the vulnerability. Neodyme (the auditing team) reproduced it and developed a script that exploited it.
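Rounding direction is the whole story in a bug of this kind, so here is an added illustration (not the SPL token-lending code and not Neodyme's script): a toy pool with constructed numbers that converts between deposited liquidity and minted collateral tokens, rounding either in the user's favour or against the user, plus the invariant check an auditor would run.

```rust
// Added illustration, not the SPL token-lending code: a toy pool converting
// liquidity to collateral tokens and back at the pool's exchange rate.
#[derive(Clone, Copy, PartialEq, Eq, Debug)]
pub enum Rounding { Floor, Ceil }

fn div(n: u128, d: u128, r: Rounding) -> u128 {
    match r {
        Rounding::Floor => n / d,
        Rounding::Ceil => (n + d - 1) / d,
    }
}

/// Pool state: liquidity held and collateral tokens outstanding.
#[derive(Clone, Copy, Debug)]
pub struct Pool { pub liquidity: u128, pub collateral: u128 }

impl Pool {
    /// Collateral minted for `amount` of liquidity at rate collateral/liquidity.
    pub fn deposit(&mut self, amount: u128, r: Rounding) -> u128 {
        let minted = div(amount * self.collateral, self.liquidity, r);
        self.liquidity += amount;
        self.collateral += minted;
        minted
    }
    /// Liquidity paid out for `burned` collateral at rate liquidity/collateral.
    pub fn redeem(&mut self, burned: u128, r: Rounding) -> u128 {
        let paid = div(burned * self.liquidity, self.collateral, r);
        self.liquidity -= paid;
        self.collateral -= burned;
        paid
    }
}

/// Net result (paid out minus deposited) of one immediate deposit/redeem cycle.
pub fn round_trip_gain(pool: Pool, amount: u128, mint: Rounding, payout: Rounding) -> i128 {
    let mut p = pool;
    let minted = p.deposit(amount, mint);
    let paid = p.redeem(minted, payout);
    paid as i128 - amount as i128
}

/// Auditor's invariant: no cycle for any amount up to `max_amount` may profit.
/// Rounding every conversion against the user (Floor/Floor) satisfies it.
pub fn never_profits(pool: Pool, max_amount: u128, mint: Rounding, payout: Rounding) -> bool {
    (1..=max_amount).all(|a| round_trip_gain(pool, a, mint, payout) <= 0)
}

fn main() {
    let pool = Pool { liquidity: 1000, collateral: 300 }; // constructed values
    println!("ceil/ceil gain on 1 unit: {}", round_trip_gain(pool, 1, Rounding::Ceil, Rounding::Ceil));
    println!("floor/floor safe up to 50: {}", never_profits(pool, 50, Rounding::Floor, Rounding::Floor));
}
```

A rounding-in-the-user's-favour pool pays out 4 units for a 1-unit deposit here, which repeated many times is exactly the kind of slow drain the article describes; the Floor/Floor variant passes the invariant for every amount checked.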
Open Source: Importance
An exploit could have slowly drained the roughly $2 billion worth of tokens held by these protocols. Worse, had the attack been carried out carefully, it would not have triggered any alarms and would only have shown up as a gradual loss of APY in some pools. Neodyme remarked on how important it is for auditors and others to have access to open-source code, concluding:
Our belief is that open source is best for security, and we as auditors believe it makes it possible to better understand vulnerabilities.
Neodyme, having discovered the exploit, shared its existence with the teams likely to be using the contract in their protocols. These protocols are not open source on the Solana chain and cannot be verified directly by users, so it was difficult to confirm whether they could be exploited through the bug. Neodyme nevertheless contacted the responsible protocol teams, each of which is working on a fix.
SPL's token-lending contract had already been reviewed and independently audited: Solend's by Kudelski and Larix's by SlowMist.
How do you feel about the Solana token-lending contract being exploitable? Leave a comment below.