Recently, the security audit firm Neodyme discovered and helped fix a bug in the token-lending contract of the Solana Program Library (SPL). The vulnerability, found several months ago, affected a number of decentralized finance protocols with a combined total value locked (TVL) of more than $2 billion. Neodyme's team identified the protocols that use this contract (or derivatives of it) and disclosed the bug to them immediately.
Solana SPL rounding error put funds at risk
A bug in the token-lending contract that is part of the Solana Program Library (SPL), a collection of on-chain programs targeting Solana's Sealevel parallel runtime, put funds in multiple protocols at risk. Neodyme, the security firm that disclosed the vulnerability, had flagged it several months earlier, but because its impact appeared harmless at the time, it went unfixed.
The bug was a rounding error: under certain conditions the contract paid out more tokens than the user had deposited. Exploiting it requires a deliberately constructed sequence of transactions; without such an organized attack the error is harmless. Neodyme's team nevertheless managed to reproduce it and wrote a script that exploited it.
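To make the mechanism concrete, the following is an added example written for this article; it is not the SPL token-lending code and not Neodyme's exploit script. It models a lending pool as two counters (liquidity held, collateral tokens outstanding) and converts between them with the standard share formula. The pool state, the deposit size and the attack loop are all constructed assumptions, and fees and interest are left out. With round-to-nearest, a deposit of one token followed by an immediate redemption of the minted collateral returns two tokens, so repeating the round trip drains the pool one token at a time; with rounding against the caller (floor on everything paid out), the same loop can never profit.

```rust
// Added example: simplified lending-pool model showing how round-to-nearest in
// the liquidity <-> collateral conversion leaks one token per round trip, and
// how rounding against the caller removes the leak. Constructed for this
// article; NOT the SPL token-lending source. No fees or interest are modelled.

#[derive(Clone, Copy, Debug, PartialEq, Eq)]
pub enum Rounding {
    /// Round half up on every conversion: the behaviour that leaks value.
    Nearest,
    /// Floor on every conversion, i.e. always round in the pool's favour.
    AgainstCaller,
}

#[derive(Clone, Debug, PartialEq, Eq)]
pub struct Pool {
    pub liquidity: u64,  // tokens held by the pool
    pub collateral: u64, // collateral (share) tokens outstanding
    pub rounding: Rounding,
}

/// a * b / d with the requested rounding, computed in u128 to avoid overflow.
fn mul_div(a: u64, b: u64, d: u64, rounding: Rounding) -> u64 {
    let num = a as u128 * b as u128;
    let d = d as u128;
    let q = match rounding {
        Rounding::Nearest => (2 * num + d) / (2 * d), // round half up
        Rounding::AgainstCaller => num / d,           // floor
    };
    assert!(q <= u64::MAX as u128, "result must fit in u64");
    q as u64
}

impl Pool {
    /// Deposit `amount` liquidity; returns the collateral minted to the caller
    /// at the current exchange rate (collateral per liquidity = C / L).
    pub fn deposit(&mut self, amount: u64) -> u64 {
        let minted = mul_div(amount, self.collateral, self.liquidity, self.rounding);
        self.liquidity += amount;
        self.collateral += minted;
        minted
    }

    /// Redeem `collateral`; returns the liquidity paid out to the caller
    /// at the current exchange rate (liquidity per collateral = L / C).
    pub fn redeem(&mut self, collateral: u64) -> u64 {
        let out = mul_div(collateral, self.liquidity, self.collateral, self.rounding);
        self.collateral -= collateral;
        self.liquidity -= out;
        out
    }
}

/// One attacker round trip: deposit `x`, immediately redeem everything minted.
/// Returns the attacker's net gain in liquidity tokens (negative means a loss).
pub fn round_trip_profit(pool: &mut Pool, x: u64) -> i64 {
    let minted = pool.deposit(x);
    let back = pool.redeem(minted);
    back as i64 - x as i64
}

/// Repeat the round trip `rounds` times; returns the total drained from the pool.
pub fn drain(pool: &mut Pool, x: u64, rounds: usize) -> i64 {
    (0..rounds).map(|_| round_trip_profit(pool, x)).sum()
}

fn main() {
    // Constructed state: 1000 liquidity tokens backing 600 collateral tokens,
    // so each collateral token is worth 1.666... liquidity tokens.
    let mut vulnerable = Pool { liquidity: 1000, collateral: 600, rounding: Rounding::Nearest };
    let mut fixed = Pool { liquidity: 1000, collateral: 600, rounding: Rounding::AgainstCaller };

    let gained = drain(&mut vulnerable, 1, 50);
    println!("round-to-nearest: attacker drained {} tokens, pool now {:?}", gained, vulnerable);

    let gained = drain(&mut fixed, 1, 50);
    println!("floor (against caller): attacker net {} tokens, pool now {:?}", gained, fixed);
}
```

The per-round gain is tiny, which is exactly why the article describes the attack as looking like a slow loss of APY rather than a theft: on a chain with very cheap transactions, an attacker can afford to repeat the round trip until the exchange rate no longer rounds in their favour. The floor variant is safe by a simple argument: minted <= x * C / L implies minted * (L + x) <= x * (C + minted), so the redeemed amount can never exceed the deposit.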
The importance of open source
By exploiting this bug, an attacker could slowly drain the more than $2 billion worth of tokens held across these protocols. Worse, an attack carried out carefully would trigger no alarms; it would show up only as a slow erosion of the APY of certain pools. Neodyme commented on the importance of open source code in letting auditors get involved and help correct errors of this kind, stating:
We believe that the most secure code is open source, and as auditors, we believe that one of the best ways to write better code is to understand vulnerabilities.
After discovering the vulnerability, Neodyme shared its existence with the teams that might be using the program as the basis of their products, including some protocols on Solana that are not open source and whose code therefore cannot be verified directly by their users. That made it hard for those users to check for themselves whether the platforms were exploitable. Neodyme did, however, contact the teams behind those protocols, each of which was responsible for fixing the issue in its own deployment.
The SPL token-lending contract had been reviewed before, and two projects that use it had also been independently audited: Solend by Kudelski and Larix by SlowMist.
Disclaimer: This article is for reference only. It is not a direct offer or invitation to buy or sell, nor is it a recommendation or endorsement of any product, service or company. Bitcoin Network Does not provide investment, tax, legal or accounting advice. The company or the author is not directly or indirectly responsible for any damage or loss caused or claimed to be caused by using or relying on any content, goods or services mentioned in this article.