A bug in the token lending contract of the Solana Program Library (SPL) was recently found and fixed by Neodyme, a security auditing firm. The bug, which was discovered a couple of months ago, could have affected several decentralized finance protocols holding more than $2 billion in total value locked (TVL). The Neodyme team identified the protocols likely to be using this contract (or derivatives of it) and disclosed the bug to them immediately.
Solana SPL Rounding Bug Puts Funds at Risk
A bug in one of the token lending contracts that is part of Solana’s Program Library (SPL), a collection of on-chain programs targeting the Sealevel parallel runtime on Solana, put the funds of several protocols at risk. Neodyme, a security auditing firm, had disclosed this vulnerability months ago and raised the alarm, but because its effect appeared innocuous, the bug had not been fixed.
The bug caused a rounding error that returns more tokens to users than they deposited into the contract. However, it could not be exploited without a deliberate attack targeting the flaw directly. Neodyme, the auditing firm, managed to reproduce it and wrote a proof-of-concept script that took advantage of it.
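To make the rounding direction concrete, here is a simplified model of a lending pool's liquidity-to-collateral conversion, added here for illustration; it is not the SPL token-lending program's code, and the `Rate` struct, the function names and the pool numbers are constructed. It contrasts round-to-nearest, which can mint fractionally more collateral than a deposit is worth and so lets a deposit-then-redeem cycle drain the pool, with flooring, which keeps every rounding error in the pool's favour.

```rust
// Simplified model of a lending pool's deposit/redeem accounting, constructed
// for illustration. It is NOT the SPL token-lending program's code. The pool
// mints collateral for deposited liquidity at collateral_supply/total_liquidity.

/// Pool state that defines the exchange rate (constructed, not SPL's struct).
#[derive(Clone, Copy, Debug)]
struct Rate {
    collateral_supply: u128,
    total_liquidity: u128,
}

/// Weak form: round to nearest. Can mint a whole collateral unit for a
/// deposit worth only half of one, i.e. it rounds in the depositor's favour.
fn liquidity_to_collateral_nearest(r: Rate, liquidity: u128) -> u128 {
    (liquidity * r.collateral_supply + r.total_liquidity / 2) / r.total_liquidity
}

/// Safe form: floor. Never mints more than the deposit is worth.
fn liquidity_to_collateral_floor(r: Rate, liquidity: u128) -> u128 {
    liquidity * r.collateral_supply / r.total_liquidity
}

/// Redemption is floored in both variants, so the pool never pays out more
/// liquidity than the burned collateral is worth.
fn collateral_to_liquidity_floor(r: Rate, collateral: u128) -> u128 {
    collateral * r.total_liquidity / r.collateral_supply
}

/// One deposit-then-redeem cycle; returns the liquidity the user ends up with
/// beyond what they put in (0 means the pool lost nothing).
fn net_gain(convert: fn(Rate, u128) -> u128, r: Rate, deposit: u128) -> u128 {
    let minted = convert(r, deposit);
    if minted == 0 {
        // A deposit worth less than one collateral unit is rejected rather
        // than silently swallowed, so no funds move in either direction.
        return 0;
    }
    let after = Rate {
        collateral_supply: r.collateral_supply + minted,
        total_liquidity: r.total_liquidity + deposit,
    };
    collateral_to_liquidity_floor(after, minted).saturating_sub(deposit)
}

fn main() {
    // Constructed pool: one collateral token currently backs 1000 liquidity.
    let r = Rate { collateral_supply: 1, total_liquidity: 1000 };
    println!("nearest: gain {}", net_gain(liquidity_to_collateral_nearest, r, 500));
    println!("floor:   gain {}", net_gain(liquidity_to_collateral_floor, r, 500));
}
```

With the constructed numbers the round-to-nearest path hands back 250 more liquidity than was deposited in a single cycle, while the floored path returns nothing extra; the audit check this illustrates is that every conversion in a vault or lending program must round against the user.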
Importance of Open Source
More than $2 billion in various tokens on these protocols was at risk of being drained slowly through this exploit. Moreover, had the attack been carried out carefully, it would not have triggered any alarms; it would have shown up only as a slow decline in APY in some pools. Neodyme stressed the importance of open source code so that auditors can get involved and help correct these kinds of bugs. It stated:
We believe the most secure code is open-source, and as auditors we believe one of the best ways to write better code is to understand vulnerabilities.
After discovering this exploit, Neodyme notified the teams likely to be using the program in their operations. Among these were some protocols on the Solana chain that are not open source and cannot be directly verified by their users, which made it difficult to check directly whether those platforms were exploitable through the bug. However, Neodyme communicated with the teams behind these protocols, who are responsible for fixing the issue individually.
The SPL token-lending contract had already been reviewed before, and two projects using it have also been audited independently: Solend by Kudelski and Larix by Slowmist.
Alchemy and Infura block access to Tornado Cash as Vitalik Buterin weighs in on debate
U.S. persons and entities must comply with the Treasury’s sanctions or face possible criminal consequences.
According to Twitter user @0xdev0, on Monday, Web3 development platform Alchemy and Infura.io blocked remote procedure call (RPC) requests to cryptocurrency mixer Tornado Cash, preventing users from accessing the applications. The day prior, the U.S. Treasury placed 44 smart contract addresses linked to Tornado Cash on the Specially Designated Nationals and Blocked Persons (SDN) list. U.S. persons and entities are prohibited from blockchain or business interactions with Tornado Cash under the sanctions, with the possibility of criminal liability for violations.
The move came after the U.S. Treasury alleged individuals and groups had used the privacy protocol to launder more than $7 billion worth of crypto since 2019, including the $455 million stolen by the North Korea-affiliated Lazarus Group. Almost immediately after the announcement, stablecoin issuer Circle froze USD Coin funds held within Tornado Cash’s smart contracts. Meanwhile, programming repository GitHub took down the project’s main page and blocked developer access.
Vitalik Buterin, the co-founder of Ethereum, claimed that he used Tornado Cash to donate to Ukraine. The intent, as told by Buterin, was to protect the financial privacy of the recipients so that their enemy, the Russian government, would not have full details of the transaction.
I’ll out myself as someone who has used TC to donate to this exact cause.
— vitalik.eth (@VitalikButerin) August 9, 2022
Others have also pointed out the mixer’s privacy applications, such as for an individual getting paid in crypto who doesn’t want an employer to see their financial details, or someone paying for a service in crypto who doesn’t want the service provider to see the past transactions from their wallet. On the other hand, the tool has, in part, served as a hub for anonymous hackers laundering funds stolen in protocol exploits, particularly from cross-chain bridges. More than $2 billion worth of funds has been stolen from such applications year to date.
Reddit partners with FTX to enable ETH gas fees for community points
With the new integration, Reddit users will be able to purchase Ether from supported Reddit apps via FTX’s payment and exchange infrastructure platform FTX Pay.
After moving away from Bitcoin (BTC) payments years ago, online forum Reddit now seems to be inching closer to embracing cryptocurrency payments via a new partnership with the FTX exchange.
Sam Bankman-Fried’s crypto exchange FTX and Reddit announced in a joint statement on Tuesday that the platform intends to integrate Reddit’s Community Points in the United States, the European Union, Australia and other markets.
The partnership features the integration of FTX Pay as a payment and crypto exchange solution to unlock new crypto-enabled perks for Reddit Community Points. Introduced in May 2020, Reddit Community Points are a measure of reputation in communities or subreddits, allowing users to own a piece of their favorite communities.
“As a unit of ownership, points capture some of the value of their community. They can be spent on premium features and are used as a measure of reputation in the community,” Reddit said when launching the Community Points two years ago. Reddit Community Points are based on Arbitrum, one of the leading Ethereum scaling solutions.
With the new integration, users will be able to purchase Ether (ETH) from supported Reddit apps via FTX’s payment and exchange infrastructure platform FTX Pay. The cryptocurrency can be used to pay blockchain gas fees, or network fees for their Community Points transactions on-chain.
“We’re always working to empower communities and introduce new ways to use Reddit, and decentralized, self-sustaining blockchain technology allows us to do that. By working with FTX, we’re able to do this at scale,” Reddit staff software engineer Niraj Sheth said.
Bankman-Fried noted that the partnership with Reddit marks FTX’s commitment to empowering online communities to harness the power of blockchain. “FTX Pay’s payment and exchange infrastructure integrates with Reddit Community Points, making the customer experience a more seamless process,” he added.
The news comes amid Arbitrum developer Offchain Labs launching the Arbitrum Nova chain on Tuesday. Arbitrum Nova, the second chain launched in the Arbitrum ecosystem, is designed to serve as the premier solution for Web3 gaming and social applications. Apart from Reddit and FTX, other firms like Google Cloud, Consensys, P2P and QuickNode participated in the launch by becoming inaugural members of Nova’s “Data Availability Committee.”
One of the most popular websites in the United States, Reddit has long been involved in the crypto and blockchain industry. The discussion platform is known for once allowing users to pay for their premium membership in Bitcoin, an option it removed in 2018.
Reddit co-founder Alexis Ohanian has been widely involved in crypto, launching a $100 million Web3 investment fund last year. Ohanian subsequently launched another $200 million Web3 and social media fund in collaboration with the Ethereum scaling solution Polygon.
Is your SOL safe? What we know about the Solana hack | Find out now on The Market Report
On this week’s episode of “The Market Report,” Cointelegraph’s resident experts discuss whether your SOL is safe or not.
On this week’s episode of “The Market Report,” Cointelegraph’s resident experts discuss the latest updates concerning the recent Solana (SOL) hack.
To kick things off, we broke down the latest news in the markets this week:
Bitcoin realized price bands form key resistance as bulls lose $24K: significant whale activity between $22,000 and $24,800 adds to the complexity of the current spot market setup. Bitcoin (BTC) consolidated lower on Aug. 9 after familiar resistance preserved a multi-month trading range. When will we finally break out of this price range and make the move toward $30K?
Institutions flocking to Ethereum for 7 straight weeks as Merge nears: “Greater clarity” around the Merge has driven institutional inflows into Ethereum products, according to a CoinShares report. Is the ETH Merge finally around the corner, and will it bring new all-time highs to ETH, or has it already been priced in?
Circle freezes blacklisted Tornado Cash smart contract addresses: crypto data aggregator Dune Analytics said that, on Monday, Circle, the issuer of the USD Coin (USDC) stablecoin, froze over 75,000 USDC worth of funds linked to the 44 Tornado Cash addresses sanctioned under the U.S. Office of Foreign Assets Control’s Specially Designated Nationals and Blocked Persons (SDN) list. Could this mark the end for Tornado Cash, or is there a way it can redeem itself?
Next up is a new segment called “Quick Crypto Tips,” which aims to give newcomers to the crypto industry quick and easy tips to get the most out of their experience. This week’s tip: Have some funds ready to buy further downturns.
Market expert Marcel Pechman then carefully examines the Bitcoin and Ether (ETH) markets. Are the current market conditions bullish or bearish? What is the outlook for the next few months? Pechman is here to break it down. The experts also go over some markets news to bring you up to date on the latest regarding the top two cryptocurrencies.
After Marcel’s market analysis, our resident experts discuss whether your SOL is safe and the latest updates on the Solana hack. We also discuss why the network has fallen victim to so many hacks and outages, what exactly these exploits mean for the Solana platform, and whether you should be worried.
Lastly, we’ve got insights from Cointelegraph Markets Pro, a platform for crypto traders who want to stay one step ahead of the market. The analysts use Cointelegraph Markets Pro to identify two altcoins that stood out this week: Radicle’s RAD and DigiByte’s DGB.
The Market Report streams live every Tuesday at 12:00 pm ET (4:00 pm UTC), so be sure to head on over to Cointelegraph’s YouTube page and smash those like and subscribe buttons for all our future videos and updates.