Undetected Bug Puts Billions Of Dollars At Risk On Solana Network

An error in the Solana Protocol Library (SPL) could have allowed hackers and cybercriminals to steal investors’ funds at a pace of almost $30 million per hour. The SPL consists of documents used to reference projects built on the Solana network. The report is according to data from a security firm Neodyme.

Details Of The Problem And The Risks

The error put many Solana projects at risk. At the moment, these projects combined are overseeing funds a little short of $2 billion. The value was higher but dropped due to the continued market slump today.

Neodyme disclosed on their blog that the bug was first noticed on Github by an auditor of the company in the middle of the year. At the time, the scale of danger the bug posed was unknown. The bug ended up not catching any other attention.

The auditor on the 1st of December, while checking, observed that Solana had yet to cover the loophole. The auditor, Simon, became concerned by the potential harms and decided to involve researchers at the security firm. They ran tests to see if the error could be taken advantage of and the level of damage it could cause. 

The firm disclosed that at first, it seemed like a harmless mistake, but they soon realized that it could lead to the loss of millions of dollars. The error exploited the mechanism built into the withdrawal and deposit mechanism of the Solana network. When one pays into their wallet or takes away funds on any projects using the Solana protocol governing documents, the figure is usually approximated to the closest whole number.

The approximation usually happens when a user is entitled to a little part of the Solana token called Lamport. Sometimes a user may end up with a little more or a little less. The difference usually seems unnoticeable and tends to even itself out. 

The researchers, however, began to wonder what would happen if someone tried to take advantage of this. They wanted to see the possibility of someone gaming the system to steal lots of money. The researchers decided to create a mock version of the blockchain to test their hypothesis. 

They created a model transaction to take advantage of the system and got away with $0.047. The researchers, after several testing, realized that criminal elements could exploit the error up to 200 times in a single transaction. It didn’t end there; they could also fit many of these transactions in one block. Such a ploy would see attackers getting over $7,000 per second and near $30 million per hour.

From the results, it wasn’t easy for the researchers to estimate how much could be lost in such an attack in total. What lay at risk in full will be determined by many factors. The discretion of the attackers will determine how quickly they are found out, and measures are put in place to stop it. The researchers believe that over a billion dollars were at risk.


The security firm immediately informed the different Solana projects they felt were at risk. It was not easy to identify the projects at risk due to the closed-source nature of Solana projects. The exposed projects have covered the project’s loophole and the documentation for future projects.