Solend is an autonomous interest rate machine for Solana. Users earn interest on deposits and can borrow assets on what the project describes as the fastest, lowest-fee, and most scalable lending protocol.
Solend's statement: At 2021-08-19 12:40 GMT, an attacker attempted to exploit the Solend smart contract. The attempt to steal funds was detected and stopped by the Solend team in time, so no funds were stolen.
The attacker subverted an insecure auth check on the UpdateReserveConfig function to make nearly all accounts liquidatable and set the borrow APY to 250% for all markets.
Time to detect: 41m. Time to mitigate: 1h10m. Time to fix: 1h38m. Five users were wrongfully liquidated by Solend's liquidator; they are being refunded out of the liquidator's undue earnings (16K USD).
We're taking the following steps in response to this incident: increasing the bug bounty size, and building a better monitoring and alerting service. A detailed incident report has already been published.
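The statement identifies the root cause as an insecure authorization check on UpdateReserveConfig, the instruction that sets a reserve's liquidation threshold and borrow rate. The page does not say what the check got wrong, so the following is an added illustration (not Solend's code, and not the actual bug) of one common Solana failure mode: an instruction compares the supplied account's public key against the stored market owner but never confirms that account signed the transaction, so anyone can pass the owner's key as an unsigned account. The hardened version requires the signature, ties the reserve to its market, and bounds the parameters so a 250% rate or a near-zero threshold is refused outright. The `Pubkey`, `AccountInfo`, `LendingMarket` and `Reserve` types are minimal stand-ins for the real Solana/SPL types, and the bounds in `validate_config` are assumed.

```rust
// Added illustration, not Solend's code. Models the authorization check an
// UpdateReserveConfig-style Solana instruction must perform. The exact flaw in the
// 2021-08-19 incident is not described on the page; the "key matches but signature
// never checked" pattern below is an assumed, generic failure mode.

#[derive(Clone, Copy, PartialEq, Eq, Debug)]
pub struct Pubkey(pub [u8; 32]);

/// Minimal stand-in for solana_program::account_info::AccountInfo.
#[derive(Clone, Copy, Debug)]
pub struct AccountInfo {
    pub key: Pubkey,
    pub is_signer: bool,
}

/// Subset of reserve parameters; both values are percentages.
#[derive(Clone, Copy, Debug, PartialEq, Eq)]
pub struct ReserveConfig {
    pub liquidation_threshold: u8, // positions past this LTV become liquidatable
    pub max_borrow_rate: u8,       // cap on borrow APY
}

pub struct LendingMarket {
    pub key: Pubkey,
    pub owner: Pubkey,
}

pub struct Reserve {
    pub lending_market: Pubkey,
    pub config: ReserveConfig,
}

#[derive(Debug, PartialEq, Eq)]
pub enum LendingError {
    InvalidSigner,
    InvalidMarketOwner,
    InvalidAccountInput,
    InvalidConfig,
}

/// Vulnerable (assumed pattern): checks that the supplied account *is* the market
/// owner's key, but never checks that it signed. Any caller can pass the owner's
/// public key as an unsigned account and satisfy the check.
pub fn update_reserve_config_vulnerable(
    market: &LendingMarket,
    reserve: &mut Reserve,
    owner_info: &AccountInfo,
    new_config: ReserveConfig,
) -> Result<(), LendingError> {
    if market.owner != owner_info.key {
        return Err(LendingError::InvalidMarketOwner);
    }
    reserve.config = new_config;
    Ok(())
}

/// Hardened: require the owner's signature, tie the reserve to this market, and
/// bound the parameters as defense in depth.
pub fn update_reserve_config_fixed(
    market: &LendingMarket,
    reserve: &mut Reserve,
    owner_info: &AccountInfo,
    new_config: ReserveConfig,
) -> Result<(), LendingError> {
    if !owner_info.is_signer {
        return Err(LendingError::InvalidSigner);
    }
    if market.owner != owner_info.key {
        return Err(LendingError::InvalidMarketOwner);
    }
    if reserve.lending_market != market.key {
        return Err(LendingError::InvalidAccountInput);
    }
    validate_config(&new_config)?;
    reserve.config = new_config;
    Ok(())
}

/// Sanity bounds; the limits are illustrative assumptions.
pub fn validate_config(c: &ReserveConfig) -> Result<(), LendingError> {
    if c.liquidation_threshold < 50 || c.liquidation_threshold > 100 || c.max_borrow_rate > 100 {
        return Err(LendingError::InvalidConfig);
    }
    Ok(())
}

/// Constructed fixture: one market, one reserve with sane parameters.
fn fixture() -> (LendingMarket, Reserve) {
    let market = LendingMarket { key: Pubkey([1; 32]), owner: Pubkey([2; 32]) };
    let reserve = Reserve {
        lending_market: market.key,
        config: ReserveConfig { liquidation_threshold: 85, max_borrow_rate: 30 },
    };
    (market, reserve)
}

/// Attacker passes the real owner's key as an *unsigned* account and tries to make
/// nearly everything liquidatable at a 250% borrow rate. Returns (vulnerable, fixed).
pub fn demo_attack() -> (Result<(), LendingError>, Result<(), LendingError>) {
    let (market, mut reserve) = fixture();
    let spoofed_owner = AccountInfo { key: market.owner, is_signer: false };
    let hostile = ReserveConfig { liquidation_threshold: 1, max_borrow_rate: 250 };
    let vuln = update_reserve_config_vulnerable(&market, &mut reserve, &spoofed_owner, hostile);
    let (market, mut reserve) = fixture();
    let fixed = update_reserve_config_fixed(&market, &mut reserve, &spoofed_owner, hostile);
    (vuln, fixed)
}

/// A properly signed owner update still succeeds on the hardened path.
pub fn demo_owner_update() -> Result<(), LendingError> {
    let (market, mut reserve) = fixture();
    let owner = AccountInfo { key: market.owner, is_signer: true };
    let cfg = ReserveConfig { liquidation_threshold: 80, max_borrow_rate: 40 };
    update_reserve_config_fixed(&market, &mut reserve, &owner, cfg)
}

fn main() {
    let (vuln, fixed) = demo_attack();
    println!("vulnerable path: {:?}", vuln);
    println!("hardened path:   {:?}", fixed);
    println!("owner update:    {:?}", demo_owner_update());
}
```

The signer check comes first on purpose: on Solana an account's public key is public input, so matching it proves nothing unless `is_signer` is also true. The parameter bounds are a second, independent line of defense, since an authorization bypass that can only move values within a sane range does far less damage than one that can push a borrow rate to 250%.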
One commenter, talking about the attempt, stated: We are really glad we did a capped launch. Users were limited to ~50K USD worth per market. Had there been more funds at stake, the attacker may have been less sloppy and exploited successfully. This should be the gold standard for all new DeFi protocols.
Community response to the attack attempt: As the post reads, harm was caused and a few people were wrongfully liquidated, but it isn't very significant and is easily reimbursed.
This might be the fastest and most efficient mitigation of an attack in crypto I’ve ever seen. I will take this over a post-mortem any day.
Some were very curious why the team's bot liquidated only a few positions over the course of an hour. Does the bot have local requirements that didn't update during the attack, causing it to ignore so many liquidatable positions?
This attack demonstrated that a core function which should be securing the system was not working as expected. It is odd to me that they have not addressed this very important aspect of their system, which failed, especially while bragging about their "gold standard" for DeFi.
While there were criticisms, optimists said: Good job, sir. This is bullish. Have these people been arrested? I have lost 101 SOL. How do I recover? Please help me! Hackers are targeting us because we are getting more volume. Everybody loved our flawless launch.