$16 000 USD

AUGUST 2021

GLOBAL

SOLEND

DESCRIPTION OF EVENTS

"Solend is the autonomous interest rate machine for Solana. Earn interest on deposits and borrow assets on the fastest, lowest fee, and most scalable lending protocol."


"Solend is an algorithmic, decentralized protocol for lending and borrowing on Solana. Lending and borrowing has proven itself as being key in a DeFi ecosystem. However, current products are slow and expensive. On Solana, Solend can scale to being 100x faster and 100x cheaper. Solend aims to be the easiest to use and most secure solution on Solana."


"At 2021-08-19 12:40 GMT, an attacker attempted to exploit the Solend smart contract. They subverted an insecure auth check on the UpdateReserveConfig function to make accounts with borrows liquidatable and set the borrow APY to 250% for all markets."


"First, the attacker created a new Lending Market (tx). Next the configs for USDC, SOL, ETH, BTC reserves were updated (tx, tx, tx, tx)." "Reserve configs were updated." "[I]t's clear the attacker intended to steal funds by wrongfully liquidating accounts with an outsized bonus. We estimate that around $2M was at risk."


"The attacker was able to update the reserve configs by using the newly created Lending Market to subvert an auth check." "The highlighted checks were insufficient, since the attacker was able to pass in an arbitrary Lending Market created and owned by them."
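The weakness described in the quote above is an authorization check that trusts a caller-supplied account. The following illustration is added here and is not Solend's code: the account layouts, field names and function names are assumptions, and the hardened variant shows one general way of tying a reserve to the market it was created under (a standard account-validation practice on Solana), not Solend's actual fix.

```rust
// Added illustration (not Solend's code): an owner-signature check on a
// caller-supplied lending-market account, beside a check that also ties the
// reserve being edited to that market. All types and names are assumptions.

#[derive(Clone, Copy, PartialEq, Eq, Debug)]
pub struct Pubkey(pub [u8; 32]);

/// Constructed stand-in for a lending-market account.
#[derive(Debug)]
pub struct LendingMarket {
    pub key: Pubkey,   // address of this account
    pub owner: Pubkey, // authority allowed to administer its reserves
}

/// Constructed stand-in for a reserve account that belongs to one market.
#[derive(Debug)]
pub struct Reserve {
    pub lending_market: Pubkey, // the market this reserve was created under
    pub borrow_apy_bps: u32,
}

#[derive(Debug, PartialEq, Eq)]
pub enum AuthError {
    OwnerDidNotSign,
    ReserveNotInMarket,
}

/// Insufficient check: only verifies that the signer owns whatever market
/// account the caller chose to pass in. Anyone who creates their own market
/// satisfies this for reserves of every other market.
pub fn update_config_insufficient(
    reserve: &mut Reserve,
    market: &LendingMarket,
    signer: Pubkey,
    new_apy_bps: u32,
) -> Result<(), AuthError> {
    if market.owner != signer {
        return Err(AuthError::OwnerDidNotSign);
    }
    reserve.borrow_apy_bps = new_apy_bps;
    Ok(())
}

/// Hardened check: additionally requires the reserve to record the supplied
/// market as its parent, so a foreign market cannot authorize the update.
pub fn update_config_checked(
    reserve: &mut Reserve,
    market: &LendingMarket,
    signer: Pubkey,
    new_apy_bps: u32,
) -> Result<(), AuthError> {
    if reserve.lending_market != market.key {
        return Err(AuthError::ReserveNotInMarket);
    }
    if market.owner != signer {
        return Err(AuthError::OwnerDidNotSign);
    }
    reserve.borrow_apy_bps = new_apy_bps;
    Ok(())
}

/// Constructed scenario: a legitimate market with its reserve, and a second
/// market created by an unrelated party who then signs as its owner.
/// Returns (result of weak check, result of hardened check, APY after weak check).
pub fn scenario() -> (Result<(), AuthError>, Result<(), AuthError>, u32) {
    let admin = Pubkey([1; 32]);
    let stranger = Pubkey([2; 32]);
    let real_market = LendingMarket { key: Pubkey([10; 32]), owner: admin };
    let foreign_market = LendingMarket { key: Pubkey([20; 32]), owner: stranger };

    // Stranger passes their own market: the weak check accepts the write.
    let mut reserve = Reserve { lending_market: real_market.key, borrow_apy_bps: 500 };
    let weak = update_config_insufficient(&mut reserve, &foreign_market, stranger, 25_000);
    let apy_after_weak = reserve.borrow_apy_bps;

    // The same call against the hardened check is rejected before any write.
    let mut reserve2 = Reserve { lending_market: real_market.key, borrow_apy_bps: 500 };
    let strong = update_config_checked(&mut reserve2, &foreign_market, stranger, 25_000);
    (weak, strong, apy_after_weak)
}

fn main() {
    let (weak, strong, apy) = scenario();
    println!("insufficient check: {:?} (reserve APY now {} bps)", weak, apy);
    println!("hardened check:     {:?}", strong);
}
```

The ordering in the hardened function matters: the relationship between the reserve and the market is established before the owner signature is consulted, so a signature over an unrelated account never reaches the write.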


"The attempt to steal funds was detected and stopped by the Solend team in time such that no funds were stolen. A handful of users (5) were liquidated by Solend's liquidator, but those users were refunded out of the liquidator's undue earnings (~16K USD)."


"No liquidations occurred except by our liquidator bot. It appears the attacker's attempts to liquidate didn't work. Note that by default on Solana, txs are simulated locally and never sent to a validator if the simulation run fails. Because of this, we have no way of knowing if there were failed liquidation attempts."


"The team quickly detected, investigated, and found the issue." They identified a list of steps they plan to take in the future, including "[i]mplement[ing a] stricter code review policy", scheduling a "follow-up audit of diff", "[i]ncreas[ing the] bug bounty size", "[a]dd[ing] alerts to [a] monitoring service", "[w]rit[ing] an incident response playbook", "[r]econcil[ing the] wrongfully liquidated accounts", "adding [a] circuit breaker", and "adding speed bumps". "A fix was implemented and deployed. Wrongful liquidations were inspected and reconciled with a 2% bonus."

Solend is a lending protocol for Solana. The smart contract hot wallets had a vulnerability which allowed an attacker to escalate their permissions and change the configuration parameters of existing reserves by way of a newly created lending market. This would have allowed them to steal users' funds on a much larger scale. Luckily, the issue was detected early, and only $16k of funds were liquidated.


Compensation was made to all affected users, and a series of steps were undertaken to secure the smart contract further.

Sources And Further Reading

© 2021 Quadriga Initiative. Your use of this site/service accepts the Terms of Use and Privacy Policy. This site is not associated with Ernst & Young, Miller Thompson, or the Official Committee of Affected Users. Hosted in Canada by HosterBox.