A bug in the token lending contract of the Solana Program Library (SPL) was recently found and fixed by Neodyme, a security auditing firm. The bug, that was discovered a couple of months back, could have affected several decentralized finance protocols holding more than $2 billion in total value locked (TVL). Their team identified the possible protocols using this contract (or derivatives of it) and disclosed the bug immediately.
Solana SPL Rounding Bug Puts Funds at Risk
A bug in one of the token lending contracts that is part of Solana’s Program Library (SPL), a group of on-chain programs targeting the Sealevel parallel runtime on Solana, put the funds of several protocols at risk. Neodyme, a security agency, had disclosed this vulnerability months ago and alerted about it, but the bug, due to its apparently innocuous effect, had not been resolved.
The bug caused a rounding error that delivers more tokens than the ones being deposited by the users to the contract. However, the bug was not exploitable without an organized attack that targeted the vulnerability directly. Neodyme, the auditing group, managed to reproduce it and create a script that took advantage of it.
Importance of Open Source
More than $2 billion in several tokens on these protocols were at risk of being drained slowly by taking advantage of this exploit. More so, if the attack had been conducted in a smart way, it wouldn’t have triggered any alarms, and would just be detected as a slow drain of APY in some pools. Neodyme remarked about the importance of open source code for auditors to be involved and help correct these kinds of bugs. It stated:
We believe the most secure code is open-source, and as auditors we believe one of the best ways to write better code is to understand vulnerabilities.
After discovering this exploit, Neodyme shared its existence with teams that would probably be using the program as a tool for their operations. Among these were some protocols that are not open source on the Solana chain, and cannot be directly verified by their users. This made it difficult for them to directly verify whether these platforms were exploitable by the bug. However, they communicated with the teams behind these protocols, who are in charge of fixing the issue individually.
The SPL token-lending contract had already been reviewed before, and two projects using it have also been audited independently: Solend by Kudelski and Larix by Slowmist.