An attack scenario disclosed by the crypto security firm Neodyme put about $2.6 billion of value locked in decentralized finance (DeFi) protocols on the Solana (SOL) ecosystem at risk.
The Germany-based team, which works across multiple technologies and ecosystems, announced the finding in a Twitter thread and described the flaw in the token-lending contract, and how it could have been exploited, in a blog post.
The total TVL at risk was about 2,600,000,000 USD. Some of that value is lent out, and some other low-value coins are not economically viable to steal, but the potential profit was easily in the hundreds of millions.
The bug was fixed, and dapps were updated promptly to close the vulnerability. We believe the most secure code is open-source, and as auditors we believe one of the best ways to write better code is to understand vulnerabilities.
We can get this transaction included about 300 times per second, stealing $7500 per second or about $27 million an hour (that is one Lamborghini Huracan every minute).
Port, Larix, Solend, Tulip, Acumen and Soda were among the Solana DeFi projects that Neodyme contacted because it believed they had forked token-lending. That assumption turned out to be incorrect for Soda and Acumen, which had not forked token-lending at all.
Port had detected the problem early and had partially applied the months-old draft pull request that addressed it. Solend, Tulip and Larix moved quickly to fix it once they learned of the problem.