Solana confronts another security hurdle amid a history of outages

A Discord alert yesterday said core contributors had found a security issue warranting an “urgent response,” and a patch was being made imminently available


Artwork by Crystal Le



Howdy! 

It is Friday, there was no Solana downtime and I’m currently working from Nashville. 

Have a great weekend. Yee-haw.


Behind the scenes of Solana’s ‘urgent’ security issue

Things looked like they might get dicey for the Solana network yesterday when a Discord alert went out saying core contributors had found a security issue warranting an “urgent response,” and a patch was being made imminently available.

Given Solana’s history with outages, some in the network held their breath as the situation developed.

“[P]repare for pain boys,” Helius CEO Mert Mumtaz wrote on X, adding in a reply that “it’s Thursday night upgrade time.”

But just seven minutes after the alert went out, validators representing over 70% of Solana’s stake had already instituted the patch, Anza engineer @trent.sol said on X, adding that “liveness should be protected.”

That’s remarkably fast, and one of my sources ruminated that large validators were likely contacted about the vulnerability ahead of time. This proved to be correct, as the pseudonymous validator Laine wrote on X — a post that appeared to be validated by multiple key Solana players. A spokesperson for the Solana Foundation also said that Laine’s version of events is accurate.

Laine said that multiple members of the Solana Foundation contacted them on Wednesday across multiple platforms saying that Solana had a critical security issue, and Laine should be ready to apply a patch at 10 am ET on Thursday. Several other core members reached out with a similar message over the following 24 hours — Laine mentions Jito, Anza and Jump Crypto in various parts of their post.

At the agreed-upon time, Solana Foundation members passed along the patch, which was hosted on the GitHub of an engineer at Anza. Anza develops the original Solana Labs validator client (now named Agave).

Once 70% of Solana’s stake implemented the patch, Solana was “ostensibly safe” from an attack, Laine said. Solana’s blockchain works such that a 66.6% supermajority of stake can vote to let the network reach consensus despite any potential attack. I should note: It’s still unclear exactly what the security issue was, though a source told me a post-mortem is coming at some point.

This all raised some eyebrows, as an ostensibly decentralized blockchain worked with distributed validators behind the scenes to coordinate around implementing a patch. The response from Solana’s core seemed to be that this was a measure born out of necessity.

“[Y]ou don’t patch shit like this in public,” the Anza engineer said to one naysayer, adding later that decentralization has “several dimensions.” In a separate post, Laine said the bug needed to be patched confidentially because the patch made the vulnerability clear, and making it public too soon could create room for a bad actor to try halting the network. 

In their longer post, Laine pointed out that while validators are globally distributed, many of them know each other through Discord, Telegram group chats and in-person conferences. In other words, if a security issue needs to be addressed, the Solana Foundation knows how to get in touch.

One X user said Solana’s ability to marshal resources around patching a bug grew out of the network’s experience handling downtime in the past.

“[S]tudy outages,” trent.sol wrote in response, invoking a popular ironic crypto trope. “[S]ome lessons in there.”

The Solana Foundation did not return a request for comment by press time.

— Jack Kubinec

Zero In 

9

That’s the number of major or partial outages Solana has experienced during its four-year lifetime, according to Solana’s uptime tracker.

Five of these outages happened during what was a rough 2022 for the blockchain. There was one outage in 2023 and another in February of this year.

Solana’s outages are a common knock that the network’s detractors point out, and while downtime is simply a part of the modern internet-based world (hello CrowdStrike), its community will certainly be glad Solana didn’t make it to double-digit outages yesterday.

— Jack Kubinec

The Pulse

ICYMI this week in Solanaland:

  • A global first: The Comissão de Valores Mobiliários (CVM) approved the launch of the first-ever spot Solana ETF in Brazil. The ETF, offered by QR and managed by Vortx, will use the CME CF Solana Dollar Reference Rate for pricing to provide a standardized and precise valuation of Solana in USD.
  • Russian President Vladimir Putin signed a law legalizing cryptocurrency mining, making it a recognized component of digital currency turnover. Only Russian legal entities and registered entrepreneurs can participate. Though not specifically Solana-related, this development could open doors for SOL’s adoption in the Russian market as the regulatory landscape becomes more favorable toward all blockchain tech.
  • The launch of the RTR token, rumored to be an official Trump memecoin, caused a massive spike in its market cap to $155 million on Solana. However, the excitement was short-lived as the Trump family debunked the rumors, causing a 90% drop in RTR’s value.
  • DAWN announced an $18 million raise led by Dragonfly Capital to build the first DePIN protocol offering decentralized broadband using multi-gigabit wireless technology on Solana. The project aims to empower users to operate as network hosts, transforming the internet from a provider-owned model to a consumer-owned one.
  • Anchorage Digital Bank NA has expanded its custody support to include SPL tokens on Solana. As the only federally chartered crypto bank in the US, Anchorage Digital’s inclusion of Solana’s native tokens could further solidify Solana’s position within institutional finance.
  • Switchboard announced its partnership with Jito to support its (Re)staking platform. The move is a bid to enhance the security and flexibility of Switchboard’s Oracle network on Solana. The collaboration intends to boost liquidity and improve network performance, aligning incentives for node operators and paving the way for more efficient dapps on Solana.

— Jeffrey Albus

One Good DM

A message from Chris Hermida, co-founder of Switchboard:

Updated August 9, 2024 at 4:36 pm ET: Clarified that Laine, not Stakewiz, is the name of the validator who posted on X.

