An unnoticed bug that could have caused $2.6 billion in losses was rectified in two days, averting a potential catastrophe.
Innocuous Looking Bug for Solana
A blog post details the discovery, response, and remedial action taken to fix a bug in the token-lending contract of the Solana Program Library (SPL), averting potential exploitation that could have run into billions of dollars.
Neodyme, a team of security researchers, discovered a vulnerability in the SPL contract and took immediate action to get it fixed. The bug appeared harmless at first glance because, on the surface, a malicious actor would have to pay 5000 more in transaction fees to exploit the protocol. This was probably why the issue was not addressed in June, when a researcher first spotted and reported it.
“The attack would have taken several days, so it might have been interrupted when noticed. But it is really hard to notice, and we are not sure anyone has sufficient monitoring, especially when the attack is carried out slowly and carefully. If the attack is carried out slowly enough, this could only be noticed as a reduction in APY and probably wouldn’t have triggered any alarm bells.” – the blog post explains why the exploitation, had it taken place, might have gone unnoticed.
Potential targets included the yield aggregator Tulip Protocol and lending protocols such as Solend, Soda, and Larix, which hold millions in Total Value Locked (TVL).
How the Exploit Could Have Taken Place
On Solana, a single transaction can contain multiple instructions and is limited only by the 1232-byte maximum User Datagram Protocol (UDP) packet size. A program can be deployed that executes the exploit repeatedly until that limit is reached, allowing many exploits per transaction.
The researcher estimated approximately 150-200 executions of this exploit per transaction, amounting to $7.50 per transaction. At 300 transactions a second, the loss would come to $7,500 per second and about $27 million an hour.
Remedying the Situation
Discovering how the vulnerability could be exploited was only half the battle; the next challenge was to contact the affected teams so they could fix the bug.
The blog further details this challenge: “It took almost exactly two days from the time we realized the issue was still open to the time all projects were fixed. It took about one day for us to verify that the issue is still present and actually exploitable. The other day was spent finding and contacting vulnerable projects. Once we were in contact with a dev, the issue was always verified and fixed within a couple of hours.”
Key Takeaways
There are a few points to note from the blog. Audited contracts may still be vulnerable and are not entirely free of bugs. Even the theft of a single token should ring alarm bells. Developers of high-value contracts should have them added to the Known Keys List of the Solana Explorer, which lets anyone look up how the contract is called.
A reporting procedure for security-critical bugs should be part of every protocol’s standard operating procedure so that researchers can reach the team faster.
Source: solana.news