Solana confronts another security hurdle amid a history of outages

A Discord alert yesterday said core contributors had found a security issue warranting an “urgent response,” and a patch was being made imminently available

by Jack Kubinec&Jeff Albus /
article-image

Artwork by Crystal Le

share

Today, enjoy the Lightspeed newsletter on Blockworks.co. Tomorrow, get the news delivered directly to your inbox. Subscribe to the Lightspeed newsletter.

Howdy! 

It is Friday, there was no Solana downtime and I’m currently working from Nashville. 

Have a great weekend. Yee-haw.

Behind the scenes of Solana’s ‘urgent’ security issue

Things looked like they might get dicey for the Solana network yesterday when a Discord alert went out saying core contributors had found a security issue warranting an “urgent response,” and a patch was being made imminently available.

Given Solana’s history with outages, some in the network held their breath as the situation developed.

“[P]repare for pain boys,” Helius CEO Mert Mumtaz wrote on X, adding in a reply that “it’s Thursday night upgrade time.”

But just seven minutes after the alert went out, validators representing over 70% of Solana’s stake had already instituted the patch, Anza engineer @trent.sol said on X, adding that “liveness should be protected.”

That’s remarkably fast, and one of my sources ruminated that large validators were likely contacted about the vulnerability ahead of time. This proved to be correct, as the pseudonymous validator Laine wrote on X — a post that appeared to be validated by multiple key Solana players. A spokesperson for the Solana Foundation also said that Laine’s version of events is accurate.

Newsletter

Subscribe to Lightspeed Newsletter

Laine said that multiple members of the Solana Foundation contacted them on Wednesday across multiple platforms saying that Solana had a critical security issue, and Laine should be ready to apply a patch at 10 am ET on Thursday. Several other core members reached out with a similar message over the following 24 hours — Laine mentions Jito, Anza and Jump Crypto in various parts of their post.

At the agreed-upon time, Solana Foundation members passed along the patch, which was hosted on the GitHub of an engineer at Anza. Anza develops the original Solana Labs validator client (now named Agave).

Once 70% of Solana’s stake implemented the patch, Solana was “ostensibly safe” from an attack, Laine said. Solana’s blockchain works such that a 66.6% supermajority of stake can vote to let the network reach consensus despite any potential attack. I should note: It’s still unclear exactly what the security issue was, though a source told me a post-mortem is coming at some point.

This all raised some eyebrows, as an ostensibly decentralized blockchain worked with distributed validators behind the scenes to coordinate around implementing a patch. The response from Solana’s core seemed to be that this was a measure borne out of necessity.

“[Y]ou don’t patch shit like this in public,” the Anza engineer said to one naysayer, adding later that decentralization has “several dimensions.” In a separate post, Laine said the bug needed to be patched confidentially because the patch made the vulnerability clear, and making it public too soon could create room for a bad actor to try halting the network. 

In their longer post, Laine pointed out that while validators are globally distributed, many of them know each other through Discord, Telegram group chats and in-person conferences. In other words, if a security issue needs to be addressed, the Solana Foundation knows how to get in touch.

One X user said Solana’s ability to herald resources around patching a bug grew out of the network’s experience handling downtime in the past.

“[S]tudy outages,” trent.sol wrote in response, invoking a popular ironic crypto trope. “[S]ome lessons in there.”

The Solana Foundation did not return a request for comment by press time.

— Jack Kubinec

Zero In 

9

That’s the number of major or partial outages Solana has experienced during its four-year lifetime, according to Solana’s uptime tracker.

Five of these outages happened during what was a rough 2022 for the blockchain. There was one outage in 2023 and another in February of this year.

Solana’s outages are a common knock that the network’s detractors point out, and while downtime is simply a part of the modern internet-based world (hello CrowdStrike), its community will certainly be glad Solana didn’t make it to double-digit outages yesterday.

— Jack Kubinec

The Pulse

ICYMI this week in Solanaland:

  • A global first: The Comissão de Valores Mobiliários (CVM) approved the launch of the first-ever spot Solana ETF in Brazil. The ETF, offered by QR and managed by Vortx, will use the CME CF Solana Dollar Reference Rate for pricing to provide a standardized and precise valuation of Solana in USD.
  • Russian President Vladimir Putin signed a law legalizing cryptocurrency mining, making it a recognized component of digital currency turnover. Only Russian legal entities and registered entrepreneurs can participate. Though not specifically Solana-related, this development could open doors for SOL’s adoption in the Russian market as the regulatory landscape becomes more favorable toward all blockchain tech.
  • The launch of the RTR token, rumored to be an official Trump memecoin, caused a massive spike in its market cap to $155 million on Solana. However, the excitement was short-lived as the Trump family debunked the rumors, causing a 90% drop in RTR’s value.
  • DAWN announced an $18 million raise led by Dragonfly Capital to build the first DePIN protocol offering decentralized broadband using multi-gigabit wireless technology on Solana. The project aims to empower users to operate as network hosts, transforming the internet from a provider-owned model to a consumer-owned one.
  • Anchorage Digital Bank NA has expanded its custody support to include SPL tokens on Solana. As the only federally chartered crypto bank in the US, Anchorage Digital’s inclusion of Solana’s native tokens could further solidify Solana’s position within institutional finance.
  • Switchboard announced its partnership with Jito to support its (Re)staking platform. The move is a bid to enhance the security and flexibility of Switchboard’s Oracle network on Solana. The collaboration intends to boost liquidity and improve network performance, aligning incentives for node operators and paving the way for more efficient dapps on Solana.

— Jeffrey Albus

One Good DM

A message from Chris Hermida, co-founder of Switchboard:

Updated August 9, 2024 at 4:36 pm ET: Clarified that Laine, not Stakewiz, is the name of the validator who posted on X.

Start your day with top crypto insights from David Canellis and Katherine Ross. Subscribe to the Empire newsletter.

Explore the growing intersection between crypto, macroeconomics, policy and finance with Ben Strack, Casey Wagner and Felix Jauvin. Subscribe to the On the Margin newsletter.

The Lightspeed newsletter is all things Solana, in your inbox, every day. Subscribe to daily Solana news from Jack Kubinec and Jeff Albus.

Tags

Upcoming Events

Permissionless III Hackathon

Salt Lake City, UT

MON - TUES, OCT. 7 - 8, 2024

Blockworks and Bankless in collaboration with buidlbox are excited to announce the second installment of the Permissionless Hackathon – taking place October 7-8 in Salt Lake City, Utah. We’ve partnered with buidlbox to bring together the brightest minds in crypto for […]

learn more

Permissionless III

Salt Lake City, UT

WED - FRI, OCTOBER 9 - 11, 2024

Permissionless is a conference for founders, application developers, and users. Come meet the next generation of people building and using crypto.

learn more

recent research

Blinks Report Image.png

Research

Blink or You'll Miss It

Blinks enable the ability to vampire attack user monetization of existing networks by inserting onchain and financialized functionalities directly within the popular social feeds and digital experiences of today.

by Danny K

/

news

article-image

Empire Newsletter

Election burnout has come for political memecoins

Plus, how the FTX collapse played out in Asian countries

by Katherine Ross&David Canellis /
article-image

Policy

Kalshi launches election markets as CFTC turns to appellate court

Kalshi founder Tarek Mansour said Thursday marked the “the first trade on regulated election markets in nearly a century”

by Katherine Ross /
article-image

On The Margin Newsletter

Our industry is in limbo. What’s going on?

I was excited about being on the precipice of realigning societal incentives and solving many issues plaguing our modern financial world

by Felix Jauvin&Casey Wagner&Ben Strack /
article-image

Lightspeed Newsletter

A publicly-traded holding company is all-in on Solana

Cypherpunk Holdings has rebranded to Sol Strategies in a pivot to a Solana-first investment approach

by Jack Kubinec /
article-image

DeFi

Coinbase introduces wrapped bitcoin competitor ‘cbBTC’

BitGo’s wrapped bitcoin (wBTC) has a new custodial challenger

by Donovan Choy /
article-image

Analysis

Is Tether really more profitable than BlackRock?

Make no mistake: Tether makes a ton of money. But exactly how much depends a lot on the price of bitcoin.

by David Canellis /