Solana library bugs could cost $27 million an hour, researchers say

Security researchers at Neodyme said a bug in the Solana Protocol Library (SPL), a reference library for the Solana project, could allow attackers to steal $27 million per hour from multiple Solana projects.

Affected projects include the Tulip Protocol and the Solend and Larix lending protocols, which together currently hold more than $1.7 billion in funds (a figure that was much higher before the current market crash).

In a blog post, Neodyme explained that the bug had been publicly disclosed: it was first raised by one of Neodyme's reviewers, known as Simon, on GitHub in June. At that time the security researchers did not know how useful or impactful it could be.

On December 1, Simon saw that the problem persisted and the bug had not been fixed. Concerned, Neodyme's researchers began testing whether they could take advantage of the flaw and how serious it was. The error "seems harmless", according to Neodyme, but they quickly found it could be used to steal funds, split into millions of tiny pieces.

The error works as follows. Put simply, a Solana app has a mechanism for putting money in and taking it out. If the protocol is based on the SPL reference, it rounds the funds to the nearest whole unit at the point of withdrawal (the smallest unit of the asset, comparable to the satoshi, the smallest amount of bitcoin).

The researchers then put their theory into practice on a copy of the blockchain, sending it transactions designed to exploit the flaw, and were able to steal 0.000001 BTC ($0.047) through the rounding error.

The researchers estimated that they could perform 150-200 operations on this bug in a single transaction, and many such transactions can be packed into a single block. They think the exploit could steal money at a rate of $7,500 per second, or $27 million an hour.
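As an added illustration (not code from the article or from SPL), the toy lending pool below models a reserve as liquidity plus collateral shares and applies the nearest-unit rounding the article describes to both the deposit and the withdrawal conversion (an assumption for the model). The round-trip invariant check that a reviewer would write shows the nearest-rounded pool paying out one unit more than was deposited on every cycle, while the version that rounds against the caller never does.

```rust
// Added illustration: a simplified lending-pool model, not SPL's own code.
// `liquidity` is the deposited asset, `shares` the collateral tokens that
// represent claims on it; the exchange rate is liquidity / shares.
#[derive(Clone, Copy)]
pub enum Rounding {
    Nearest, // flawed: rounding to the nearest unit can favour the caller
    Floor,   // hardened: every conversion rounds against the caller
}
/// Exact a*b/c with u128 intermediates, rounded per `mode`.
fn mul_div(a: u64, b: u64, c: u64, mode: Rounding) -> u64 {
    let (a, b, c) = (a as u128, b as u128, c as u128);
    (match mode {
        Rounding::Floor => a * b / c,
        Rounding::Nearest => (2 * a * b + c) / (2 * c), // round half up
    }) as u64
}
pub struct Pool { pub liquidity: u64, pub shares: u64, pub mode: Rounding }
impl Pool {
    /// Deposit `amount` of liquidity; returns the shares minted to the caller.
    pub fn deposit(&mut self, amount: u64) -> u64 {
        let minted = mul_div(amount, self.shares, self.liquidity, self.mode);
        self.liquidity += amount;
        self.shares += minted;
        minted
    }
    /// Burn `shares`; returns the liquidity paid out to the caller.
    pub fn withdraw(&mut self, shares: u64) -> u64 {
        let out = mul_div(shares, self.liquidity, self.shares, self.mode);
        self.shares -= shares;
        self.liquidity -= out;
        out
    }
}
/// Invariant check: run `cycles` deposit-then-withdraw round-trips of `amount`
/// and return the caller's net gain. Any positive value means the pool leaks.
pub fn round_trip_gain(pool: &mut Pool, amount: u64, cycles: u32) -> i64 {
    let mut gain = 0i64;
    for _ in 0..cycles {
        let minted = pool.deposit(amount);
        let out = pool.withdraw(minted);
        gain += out as i64 - amount as i64;
    }
    gain
}
/// Constructed pool: 2500 units backing 1000 shares (rate 2.5), 100 round-trips of 4 units.
pub fn demo() -> (i64, i64) {
    let mut flawed = Pool { liquidity: 2500, shares: 1000, mode: Rounding::Nearest };
    let mut fixed = Pool { liquidity: 2500, shares: 1000, mode: Rounding::Floor };
    (round_trip_gain(&mut flawed, 4, 100), round_trip_gain(&mut fixed, 4, 100))
}
```

Real reserves hold far larger balances, so each cycle only moves dust, which is why the attack described above needs hundreds of operations per transaction to add up.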

How much money could be stolen depends on how long the attack ran before it was noticed and the hole was closed, which in turn depends on how blatant the attackers were and whether they attacked quickly or slowly. But the researchers put the amount at risk at more than a billion dollars.

The researchers quickly contacted the Solana projects they believed would be affected by the error. Because many Solana projects are closed-source, this was a much more difficult task, but they managed to reach Solend, Tulip and Larix, all of which have fixed the error.

Since the bug was revealed, Solana Labs has revised the reference library, so that new projects built on it no longer inherit the flaw.


The post "Researchers say a bug in a Solana library could have resulted in the theft of $27 million an hour" appeared first on Bitcoin Addict.
