Asymmetric Research discloses Marginfi flash loan bug that risked $160M

MarginFi fixed a flaw that could have let attackers borrow funds without repayment

by Blockworks /
article-image

Igor Kyrlytsya/Shutterstock and Adobe modified by Blockworks

share

Marginfi, a Solana-based lending and borrowing protocol, has patched a critical vulnerability in its flash loan mechanism that briefly placed more than $160 million in user deposits at risk.

The bug, disclosed by security researcher Felix Wilhelm through Marginfi’s bug bounty program, would have allowed an attacker to borrow funds without repaying them. The issue was resolved before any exploit occurred, and no funds were lost, according to Asymmetric Research’s report.

Flash loans, a common DeFi feature, allow users to borrow nearly all available liquidity on the condition that the funds are repaid within the same blockchain transaction. Solana protocols typically enforce this by introspecting instructions in a transaction to ensure a repayment step is included.

According to Asymmetric, Marginfi followed this approach but introduced a new instruction, transfer_to_new_account, that unintentionally bypassed repayment checks. This meant liabilities could be shifted to a new account mid-loan, enabling funds to be drained without triggering safeguards.

The report indicates that the Marginfi team swiftly deployed a patch to block account transfers during flash loans and prevent disabled accounts from being used for repayment. While Solana’s architecture limits some common Ethereum-style exploits, the vulnerability underscores that logic errors remain a critical threat.

The swift resolution demonstrates the role of bug bounty programs in preventing systemic losses. Similar past incidents, including attacks on Mango Markets and other Solana-based protocols, have shown how flash loan vulnerabilities can lead to multimillion-dollar losses.

Marginfi representatives did not respond to Blockworks’ request for comment before publication.

This is a developing story.


This article was generated with the assistance of AI and reviewed by editor Jeffrey Albus before publication.


Get the news in your inbox. Explore Blockworks newsletters:

Tags

Decoding crypto and the markets. Daily, with Byron Gilliam.

Upcoming Events

Javits Center North | 445 11th Ave

Tues - Thurs, March 24 - 26, 2026

Blockworks’ Digital Asset Summit (DAS) will feature conversations between the builders, allocators, and legislators who will shape the trajectory of the digital asset ecosystem in the US and abroad.

Old Billingsgate

Mon - Wed, October 13 - 15, 2025

Blockworks’ Digital Asset Summit (DAS) will feature conversations between the builders, allocators, and legislators who will shape the trajectory of the digital asset ecosystem in the US and abroad.

recent research

Unlocked by Template (1).jpg

Research

As AI supercharges surveillance, privacy becomes a prerequisite and the winning stack will combine confidentiality with selective disclosure. Zcash’s Tachyon, composable standards on Ethereum/Solana, and compliance-aware pools aim to make private rails the new norm.

article-image

Pineapple begins deploying its $100 million Injective Digital Asset Treasury, staking INJ to earn yield and fund onchain mortgage ambitions

by Blockworks /
article-image

Staking levels in the ether funds will depend on protocol unstaking queue times and anticipated redemption activity, firm says

article-image

ETF inflows, miner strength, and tightening supply drive Bitcoin past its prior peak amid renewed demand for scarce assets

by Blockworks /
article-image

The Guidestar team, led by Alex Nezlobin, will join Uniswap Labs to enhance automated market maker design and smart order routing

by Blockworks /
article-image

Zac Prince spearheads Galaxy’s push into consumer banking with high-yield cash, crypto, and stock trading features

by Blockworks /