Neodyme, a security auditing firm, recently discovered and helped address a flaw in the Solana Program Library (SPL) token lending contract. The problem, which was identified a few months ago, could have harmed many decentralised finance protocols with a combined total value locked (TVL) of over $2 billion. Their team identified the protocols that were potentially affected because they used this contract (or variations of it) and immediately reported the flaw.
Solana SPL Rounding Bug endangers Funds
A flaw in one of the token lending contracts in Solana’s Program Library (SPL), a collection of on-chain programs targeting Solana’s Sealevel parallel runtime, put the funds of numerous protocols in jeopardy. Neodyme, a security firm, had discovered and reported this vulnerability months earlier. However, the flaw remained unfixed because its effect seemed innocuous.
The problem was a rounding error in the token amounts exchanged between users and the contract, so that the amounts on the two sides did not balance exactly. The issue, however, could not be exploited without a well-coordinated operation that targeted the vulnerability directly. The auditing firm, Neodyme, was able to reproduce it and build a script that exploited it.
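To show why the rounding direction matters, here is an added illustrative model (not the SPL token-lending code) of a pool that mints collateral tokens against deposited liquidity at the pool's current exchange rate. It assumes a single pool, no interest accrual and integer token amounts; the `Pool`, `Rounding`, `deposit`, `redeem` and `cumulative_profit` names and the sample pool figures are constructed for the example. Rounding to nearest lets a deposit/redeem cycle end with one more token than was put in, while rounding toward the pool never does.

```rust
// Constructed model: the only thing under study is the rounding direction.
#[derive(Clone, Copy, PartialEq, Debug)]
pub enum Rounding {
    /// Round to nearest: the fractional token can land with the user.
    Nearest,
    /// Round toward the pool: the user never receives the fractional part.
    TowardPool,
}
#[derive(Clone, Copy, Debug)]
pub struct Pool {
    pub liquidity: u64,  // tokens held by the pool
    pub collateral: u64, // collateral tokens minted against them
}
/// amount * num / den with a 128-bit intermediate, rounded as requested.
fn scale(amount: u64, num: u64, den: u64, r: Rounding) -> u64 {
    let (prod, den) = (amount as u128 * num as u128, den as u128);
    let q = match r {
        Rounding::Nearest => (prod + den / 2) / den,
        Rounding::TowardPool => prod / den, // floor: pool keeps the remainder
    };
    q as u64
}
/// User deposits liquidity and receives newly minted collateral.
pub fn deposit(pool: &mut Pool, liquidity_in: u64, r: Rounding) -> u64 {
    let minted = scale(liquidity_in, pool.collateral, pool.liquidity, r);
    pool.liquidity += liquidity_in;
    pool.collateral += minted;
    minted
}
/// User burns collateral and receives liquidity at the current rate.
pub fn redeem(pool: &mut Pool, collateral_in: u64, r: Rounding) -> u64 {
    let paid = scale(collateral_in, pool.liquidity, pool.collateral, r);
    pool.collateral -= collateral_in;
    pool.liquidity -= paid;
    paid
}
/// Net tokens a user gains (or loses) over `rounds` deposit/redeem cycles.
pub fn cumulative_profit(mut pool: Pool, amount: u64, rounds: u32, r: Rounding) -> i128 {
    (0..rounds).fold(0i128, |acc, _| {
        let minted = deposit(&mut pool, amount, r);
        let paid = redeem(&mut pool, minted, r);
        acc + paid as i128 - amount as i128
    })
}
fn main() {
    let pool = Pool { liquidity: 1000, collateral: 700 }; // constructed sample pool
    println!("nearest:     {:+}", cumulative_profit(pool, 5, 10, Rounding::Nearest));
    println!("toward pool: {:+}", cumulative_profit(pool, 5, 10, Rounding::TowardPool));
}
```

With the sample pool, every cycle under nearest rounding leaks one token to the user, which is the kind of slow, alert-free drain the text describes; the mitigation is to round each conversion against the user (floor what the pool pays out, ceil what the user owes).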
Significance of Open Source
More than $2 billion in various tokens on these protocols could have been slowly drained with this approach. Furthermore, if the attack had been executed correctly, it would not have triggered any alerts and would only have been visible as a slow decline in APY in a few pools. Neodyme underlined the importance of open-source code in allowing auditors to participate and assist in correcting such issues. It declared:
“As auditors, we feel that knowing vulnerabilities is one of the most important methods to design better code.”
Following the discovery of this problem, Neodyme warned the teams whose protocols were most likely running the program. Some Solana protocols aren’t open source, so users can’t inspect them directly. Because of this, it was impossible to tell whether the weakness could be used to exploit certain platforms directly. They did, however, contact the teams in charge of these protocols, who are responsible for resolving each issue individually.