Solend is a decentralized lending and borrowing protocol on Solana. On November 2, 2022, an attacker drained assets from Solend’s Stable, Coin98, and Kamino isolated pools, resulting in $1.26M of bad debt.

Exploit Details

Based on the report from Solend’s team, the attacker had already attempted to exploit the platform on October 28, when he pumped the price of the USDH token on Saber by spending 200k USDC. However, the pumped price was arbitraged away in the same slot and reverted to $1, so the oracles never reported the increased price.

So the attacker learned from his mistake. On November 2, he performed the same attack with minor differences. First, he spent 100k USDC to pump the USDH price on Saber, and then he started spamming the Saber account so that no arbitrage could occur in the same slot, as it had during the first attempt. The attacker then arbitraged the price himself in the next slot.

This time the Switchboard oracle picked up the high price. By repeating the same procedure, the attacker was able to keep the price of USDH pumped, and by depositing it he borrowed assets worth $1.26M, effectively draining all three pools. It was a sophisticated exploit: the attacker prevented arbitrage in the same slot by write-locking the Saber account and predicted when the oracle would update the price. Solend’s weakness in this exploit was that it took price updates only from the Switchboard oracle, which itself read the Saber pool, leaving the price feed open to manipulation.
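One way a lending protocol can defend against a feed that reads a single pool, as an added example that is not Solend’s or Switchboard’s code: a price guard that accepts a quote only if it agrees with an independent feed and with the median of the preceding slots. The 5% threshold, the window size and the price samples in the comments are constructed assumptions.

```rust
// Added example, not Solend's or Switchboard's code: a price guard that refuses
// a quote which disagrees with an independent feed or with recent slot history.
#[derive(Debug, PartialEq)]
pub enum Decision {
    Accept(f64),
    Reject(&'static str),
}

/// One oracle observation: the Solana slot it was taken in and the price.
#[derive(Clone, Copy)]
pub struct Quote {
    pub slot: u64,
    pub price: f64,
}

/// Tolerated relative deviation between sources (5%; a constructed threshold).
pub const MAX_DEVIATION: f64 = 0.05;
/// Number of preceding slots whose median the new quote must agree with.
pub const WINDOW: usize = 5;

fn relative_deviation(a: f64, b: f64) -> f64 {
    (a - b).abs() / b
}

fn median(mut values: Vec<f64>) -> f64 {
    values.sort_by(|x, y| x.partial_cmp(y).unwrap());
    let n = values.len();
    if n % 2 == 1 { values[n / 2] } else { (values[n / 2 - 1] + values[n / 2]) / 2.0 }
}

/// `history`: the pool-sourced feed, oldest first, with the quote to check last.
/// `independent`: a price from a feed that does not read the same pool.
pub fn guarded_price(history: &[Quote], independent: f64) -> Decision {
    let latest = match history.last() {
        Some(q) => *q,
        None => return Decision::Reject("no quote"),
    };
    // Compare with the median of the preceding slots, not just the last one, so a
    // spike held for a single slot cannot pass by reverting in the next slot.
    let start = history.len().saturating_sub(WINDOW + 1);
    let prior: Vec<f64> = history[start..history.len() - 1].iter().map(|q| q.price).collect();
    if !prior.is_empty() && relative_deviation(latest.price, median(prior)) > MAX_DEVIATION {
        return Decision::Reject("quote deviates from recent median");
    }
    // A sustained pump passes the history check, so an unrelated feed must agree too.
    if relative_deviation(latest.price, independent) > MAX_DEVIATION {
        return Decision::Reject("feeds disagree");
    }
    Decision::Accept(latest.price)
}
```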

Later on, Solend DAO proposals SLND6 and SLND5 passed, making users whole for all of the bad debt.

In simple words, it was a combination of a hack and a market manipulation: the attacker pumped the token’s price and spammed the oracle’s source account to make sure it picked up the price that was most profitable for him. One can say it was a more sophisticated version of the Mango Markets exploit, which didn’t involve any hacking.
