We secure software with deep-dive audits, cutting-edge research, and in-depth trainings.
Secure your Solana program with Riverguard @ riverguard.io 🏞️💂
We recently discovered a critical bug in the token-lending contract of the solana-program-library (SPL). This blog post details our journey from discovery, through exploitation and coordinated disclosure, and finally the fix.
When CS:GO clients connected to our server, they got more than a game. We found 3 RCE vulnerabilities to give clients an unexpected 'welcome'.
Ready for a deep-dive? 🎮🔧🎆
neodyme.io/blog/csgo_from… #InfoSec #CSGO #Exploit
Who **actually** controls the largest projects on #solana? What's the deal with Upgrade Authorities? Are your funds more safu in DeFi contracts than they were on #FTX?
Let's find out 🧵👇
Heads up #solana #developers!
Our team has been helping @solana with peer reviews, and we'd like to share what we've learned over the course of our audits:
Technical Analysis of the Ledger Supply-Chain Attack 🧵
We did a brief analysis of today’s attack against the @Ledger browser integration. This is what we found.
Ledger’s browser integration, Ledger Connect, was attacked via a suspected supply chain attack. The attacker
Update:
The malicious version of the file was replaced with the genuine version at around 2:35pm CET.
The new genuine version should be propagated soon.
We will provide a comprehensive report as soon as it’s ready.
In the meantime, we’d like to remind the community to
We believe every software project should clearly communicate its bug bounty policies and how to get in touch regarding security issues. In order to facilitate this, we brought security.txt to Solana:
The bug was fixed, and dapps updated promptly to close the vulnerability. We believe the most secure code is open-source, and as auditors we believe one of the best ways to write better code is to understand vulnerabilities.
The total TVL at risk was about 2.600.000.000 USD. Some of that value is lent out, and some other low-value coins are not economically viable to steal, but the potential profit was easily in the hundreds of millions.
Total Loss of Funds
The story of Solana's highest-severity bug -- and how we found it back in late 2020.
Among other things, it allowed us to:
- Mint or steal any amount of any token
- Modify any NFT
- Delete liabilities in any lending protocol
The Solana Foundation disagrees with the characterization of SOL as a security. We welcome the continued engagement of policymakers as constructive partners on regulation to achieve legal clarity on these issues for the thousands of entrepreneurs across the U.S. building in the