Solana confronts another security hurdle amid a history of outages

A Discord alert yesterday said core contributors had found a security issue warranting an “urgent response,” and a patch was being made imminently available


Artwork by Crystal Le



Howdy! 

It is Friday, there was no Solana downtime and I’m currently working from Nashville. 

Have a great weekend. Yee-haw.


Behind the scenes of Solana’s ‘urgent’ security issue

Things looked like they might get dicey for the Solana network yesterday when a Discord alert went out saying core contributors had found a security issue warranting an “urgent response,” and a patch was being made imminently available.

Given Solana’s history with outages, some in the network held their breath as the situation developed.

“[P]repare for pain boys,” Helius CEO Mert Mumtaz wrote on X, adding in a reply that “it’s Thursday night upgrade time.”

But just seven minutes after the alert went out, validators representing over 70% of Solana’s stake had already instituted the patch, Anza engineer @trent.sol said on X, adding that “liveness should be protected.”

That’s remarkably fast, and one of my sources ruminated that large validators were likely contacted about the vulnerability ahead of time. This proved to be correct, as the pseudonymous validator Laine wrote on X — a post that appeared to be validated by multiple key Solana players. A spokesperson for the Solana Foundation also said that Laine’s version of events is accurate.

Laine said that multiple members of the Solana Foundation contacted them on Wednesday across multiple platforms saying that Solana had a critical security issue, and Laine should be ready to apply a patch at 10 am ET on Thursday. Several other core members reached out with a similar message over the following 24 hours — Laine mentions Jito, Anza and Jump Crypto in various parts of their post.

At the agreed-upon time, Solana Foundation members passed along the patch, which was hosted on the GitHub of an engineer at Anza. Anza develops the original Solana Labs validator client (now named Agave).

Once 70% of Solana’s stake implemented the patch, Solana was “ostensibly safe” from an attack, Laine said. Solana’s blockchain works such that a 66.6% supermajority of stake can vote to let the network reach consensus despite any potential attack. I should note: It’s still unclear exactly what the security issue was, though a source told me a post-mortem is coming at some point.

This all raised some eyebrows, as an ostensibly decentralized blockchain worked with distributed validators behind the scenes to coordinate around implementing a patch. The response from Solana’s core seemed to be that this was a measure born out of necessity.

“[Y]ou don’t patch shit like this in public,” the Anza engineer said to one naysayer, adding later that decentralization has “several dimensions.” In a separate post, Laine said the bug needed to be patched confidentially because the patch made the vulnerability clear, and making it public too soon could create room for a bad actor to try halting the network. 

In their longer post, Laine pointed out that while validators are globally distributed, many of them know each other through Discord, Telegram group chats and in-person conferences. In other words, if a security issue needs to be addressed, the Solana Foundation knows how to get in touch.

One X user said Solana’s ability to marshal resources around patching a bug grew out of the network’s experience handling downtime in the past.

“[S]tudy outages,” trent.sol wrote in response, invoking a popular ironic crypto trope. “[S]ome lessons in there.”

The Solana Foundation did not return a request for comment by press time.

— Jack Kubinec

Zero In 

9

That’s the number of major or partial outages Solana has experienced during its four-year lifetime, according to Solana’s uptime tracker.

Five of these outages happened during what was a rough 2022 for the blockchain. There was one outage in 2023 and another in February of this year.

Solana’s outages are a common knock that the network’s detractors point out, and while downtime is simply a part of the modern internet-based world (hello CrowdStrike), its community will certainly be glad Solana didn’t make it to double-digit outages yesterday.

— Jack Kubinec

The Pulse

ICYMI this week in Solanaland:

  • A global first: The Comissão de Valores Mobiliários (CVM) approved the launch of the first-ever spot Solana ETF in Brazil. The ETF, offered by QR and managed by Vortx, will use the CME CF Solana Dollar Reference Rate for pricing to provide a standardized and precise valuation of Solana in USD.
  • Russian President Vladimir Putin signed a law legalizing cryptocurrency mining, making it a recognized component of digital currency turnover. Only Russian legal entities and registered entrepreneurs can participate. Though not specifically Solana-related, this development could open doors for SOL’s adoption in the Russian market as the regulatory landscape becomes more favorable toward all blockchain tech.
  • The launch of the RTR token, rumored to be an official Trump memecoin, caused a massive spike in its market cap to $155 million on Solana. However, the excitement was short-lived as the Trump family debunked the rumors, causing a 90% drop in RTR’s value.
  • DAWN announced an $18 million raise led by Dragonfly Capital to build the first DePIN protocol offering decentralized broadband using multi-gigabit wireless technology on Solana. The project aims to empower users to operate as network hosts, transforming the internet from a provider-owned model to a consumer-owned one.
  • Anchorage Digital Bank NA has expanded its custody support to include SPL tokens on Solana. As the only federally chartered crypto bank in the US, Anchorage Digital’s inclusion of Solana’s native tokens could further solidify Solana’s position within institutional finance.
  • Switchboard announced its partnership with Jito to support its (Re)staking platform. The move is a bid to enhance the security and flexibility of Switchboard’s Oracle network on Solana. The collaboration intends to boost liquidity and improve network performance, aligning incentives for node operators and paving the way for more efficient dapps on Solana.

— Jeffrey Albus

One Good DM

A message from Chris Hermida, co-founder of Switchboard:

Updated August 9, 2024 at 4:36 pm ET: Clarified that Laine, not Stakewiz, is the name of the validator who posted on X.

