Asymmetric Research discloses Marginfi flash loan bug that risked $160M

MarginFi fixed a flaw that could have let attackers borrow funds without repayment

by Blockworks /
article-image

Igor Kyrlytsya/Shutterstock and Adobe modified by Blockworks

share

Marginfi, a Solana-based lending and borrowing protocol, has patched a critical vulnerability in its flash loan mechanism that briefly placed more than $160 million in user deposits at risk.

The bug, disclosed by security researcher Felix Wilhelm through Marginfi’s bug bounty program, would have allowed an attacker to borrow funds without repaying them. The issue was resolved before any exploit occurred, and no funds were lost, according to Asymmetric Research’s report.

Flash loans, a common DeFi feature, allow users to borrow nearly all available liquidity on the condition that the funds are repaid within the same blockchain transaction. Solana protocols typically enforce this by introspecting instructions in a transaction to ensure a repayment step is included.

According to Asymmetric, Marginfi followed this approach but introduced a new instruction, transfer_to_new_account, that unintentionally bypassed repayment checks. This meant liabilities could be shifted to a new account mid-loan, enabling funds to be drained without triggering safeguards.

The report indicates that the Marginfi team swiftly deployed a patch to block account transfers during flash loans and prevent disabled accounts from being used for repayment. While Solana’s architecture limits some common Ethereum-style exploits, the vulnerability underscores that logic errors remain a critical threat.

The swift resolution demonstrates the role of bug bounty programs in preventing systemic losses. Similar past incidents, including attacks on Mango Markets and other Solana-based protocols, have shown how flash loan vulnerabilities can lead to multimillion-dollar losses.

Marginfi representatives did not respond to Blockworks’ request for comment before publication.

This is a developing story.


This article was generated with the assistance of AI and reviewed by editor Jeffrey Albus before publication.


Get the news in your inbox. Explore Blockworks newsletters:

Tags

Decoding crypto and the markets. Daily, with Byron Gilliam.

Upcoming Events

Javits Center North | 445 11th Ave

Tues - Thurs, March 24 - 26, 2026

Blockworks’ Digital Asset Summit (DAS) will feature conversations between the builders, allocators, and legislators who will shape the trajectory of the digital asset ecosystem in the US and abroad.

recent research

Monad SR Report Graphic.png

Research

Monad is a new Layer 1 blockchain designed as a high performance, EVM-compatible platform.

article-image

Engineers from MetaMask, Coinbase, Google, and the Ethereum Foundation make the case for onchain AI agents via ERC-8004

article-image

Legacy payments firm partners with Anchorage Digital to issue a dollar-pegged token under new US stablecoin law

by Blockworks /
article-image

As Solana ETFs launch but network REV trends lower, Jito sits at the intersection of new capital inflows and microstructure improvements

article-image

The Truth Social parent will integrate Crypto.com Derivatives North America, allowing users to trade prediction contracts under federal oversight

by Blockworks /
article-image

Partnership surpasses $2 billion in staked assets and adds support for new Proof-of-Stake networks

by Blockworks /
article-image

The tokenization leader will merge with Cantor Equity Partners II, becoming the first public firm focused on securities tokenization

by Blockworks /