Solana confronts another security hurdle amid a history of outages
A Discord alert yesterday said core contributors had found a security issue warranting an “urgent response,” and a patch was being made imminently available
Artwork by Crystal Le
Today, enjoy the Lightspeed newsletter on Blockworks.co. Tomorrow, get the news delivered directly to your inbox. Subscribe to the Lightspeed newsletter.
Howdy!
It is Friday, there was no Solana downtime and I’m currently working from Nashville.
Have a great weekend. Yee-haw.
Behind the scenes of Solana’s ‘urgent’ security issue
Things looked like they might get dicey for the Solana network yesterday when a Discord alert went out saying core contributors had found a security issue warranting an “urgent response,” and a patch was being made imminently available.
Given Solana’s history with outages, some in the network held their breath as the situation developed.
“[P]repare for pain boys,” Helius CEO Mert Mumtaz wrote on X, adding in a reply that “it’s Thursday night upgrade time.”
But just seven minutes after the alert went out, validators representing over 70% of Solana’s stake had already instituted the patch, Anza engineer @trent.sol said on X, adding that “liveness should be protected.”
That’s remarkably fast, and one of my sources ruminated that large validators were likely contacted about the vulnerability ahead of time. This proved to be correct, as the pseudonymous validator Laine wrote on X — a post that appeared to be validated by multiple key Solana players. A spokesperson for the Solana Foundation also said that Laine’s version of events is accurate.
Laine said that multiple members of the Solana Foundation contacted them on Wednesday across multiple platforms saying that Solana had a critical security issue, and Laine should be ready to apply a patch at 10 am ET on Thursday. Several other core members reached out with a similar message over the following 24 hours — Laine mentions Jito, Anza and Jump Crypto in various parts of their post.
At the agreed-upon time, Solana Foundation members passed along the patch, which was hosted on the GitHub of an engineer at Anza. Anza develops the original Solana Labs validator client (now named Agave).
Once 70% of Solana’s stake implemented the patch, Solana was “ostensibly safe” from an attack, Laine said. Solana’s blockchain works such that a 66.6% supermajority of stake can vote to let the network reach consensus despite any potential attack. I should note: It’s still unclear exactly what the security issue was, though a source told me a post-mortem is coming at some point.
This all raised some eyebrows, as an ostensibly decentralized blockchain worked with distributed validators behind the scenes to coordinate around implementing a patch. The response from Solana’s core seemed to be that this was a measure borne out of necessity.
“[Y]ou don’t patch shit like this in public,” the Anza engineer said to one naysayer, adding later that decentralization has “several dimensions.” In a separate post, Laine said the bug needed to be patched confidentially because the patch made the vulnerability clear, and making it public too soon could create room for a bad actor to try halting the network.
In their longer post, Laine pointed out that while validators are globally distributed, many of them know each other through Discord, Telegram group chats and in-person conferences. In other words, if a security issue needs to be addressed, the Solana Foundation knows how to get in touch.
One X user said Solana’s ability to herald resources around patching a bug grew out of the network’s experience handling downtime in the past.
“[S]tudy outages,” trent.sol wrote in response, invoking a popular ironic crypto trope. “[S]ome lessons in there.”
The Solana Foundation did not return a request for comment by press time.
— Jack Kubinec
Zero In
9
That’s the number of major or partial outages Solana has experienced during its four-year lifetime, according to Solana’s uptime tracker.
Five of these outages happened during what was a rough 2022 for the blockchain. There was one outage in 2023 and another in February of this year.
Solana’s outages are a common knock that the network’s detractors point out, and while downtime is simply a part of the modern internet-based world (hello CrowdStrike), its community will certainly be glad Solana didn’t make it to double-digit outages yesterday.
— Jack Kubinec
The Pulse
ICYMI this week in Solanaland:
- A global first: The Comissão de Valores Mobiliários (CVM) approved the launch of the first-ever spot Solana ETF in Brazil. The ETF, offered by QR and managed by Vortx, will use the CME CF Solana Dollar Reference Rate for pricing to provide a standardized and precise valuation of Solana in USD.
- Russian President Vladimir Putin signed a law legalizing cryptocurrency mining, making it a recognized component of digital currency turnover. Only Russian legal entities and registered entrepreneurs can participate. Though not specifically Solana-related, this development could open doors for SOL’s adoption in the Russian market as the regulatory landscape becomes more favorable toward all blockchain tech.
- The launch of the RTR token, rumored to be an official Trump memecoin, caused a massive spike in its market cap to $155 million on Solana. However, the excitement was short-lived as the Trump family debunked the rumors, causing a 90% drop in RTR’s value.
- DAWN announced an $18 million raise led by Dragonfly Capital to build the first DePIN protocol offering decentralized broadband using multi-gigabit wireless technology on Solana. The project aims to empower users to operate as network hosts, transforming the internet from a provider-owned model to a consumer-owned one.
- Anchorage Digital Bank NA has expanded its custody support to include SPL tokens on Solana. As the only federally chartered crypto bank in the US, Anchorage Digital’s inclusion of Solana’s native tokens could further solidify Solana’s position within institutional finance.
- Switchboard announced its partnership with Jito to support its (Re)staking platform. The move is a bid to enhance the security and flexibility of Switchboard’s Oracle network on Solana. The collaboration intends to boost liquidity and improve network performance, aligning incentives for node operators and paving the way for more efficient dapps on Solana.
— Jeffrey Albus
One Good DM
A message from Chris Hermida, co-founder of Switchboard:
Updated August 9, 2024 at 4:36 pm ET: Clarified that Laine, not Stakewiz, is the name of the validator who posted on X.
Start your day with top crypto insights from David Canellis and Katherine Ross. Subscribe to the Empire newsletter.
Explore the growing intersection between crypto, macroeconomics, policy and finance with Ben Strack, Casey Wagner and Felix Jauvin. Subscribe to the Forward Guidance newsletter.
Get alpha directly in your inbox with the 0xResearch newsletter — market highlights, charts, degen trade ideas, governance updates, and more.
The Lightspeed newsletter is all things Solana, in your inbox, every day. Subscribe to daily Solana news from Jack Kubinec and Jeff Albus.
