Security has always been one of the most important aspects of any financial institution. High yields are just empty promises if your assets cannot be secured, and this is equally true for DeFi platforms. Looking at the past year, there have been several major security incidents involving different DeFi platforms in which users suffered significant losses.
On May 18th 2021, Venus Protocol, the biggest lending platform on BSC, forced the liquidation of more than 2 million XVS tokens (the Venus native token) as a result of volatile price swings, which directly caused a large number of users to suffer losses and liquidations and resulted in more than $100 million in bad debt. The incident occurred because the XVS price was manipulated on the Binance exchange by large XVS holders: a large sum of XVS was collateralised at the inflated price to borrow BTC and ETH. XVS is a token with relatively low liquidity and can be easily manipulated. Venus Protocol was directly responsible for listing an asset with limited liquidity, and its negligence in risk management led to this incident.
On Oct 27th 2021, Cream Finance announced on Twitter that it had experienced yet another flash loan attack, resulting in $130 million being stolen. This was the third security incident of the year for Cream Finance; the previous two attacks, in February and August, resulted in losses of $37 million and $29 million respectively. All three were flash loan exploits, the most common way DeFi platforms have been hacked over the past two years.
Drawing on these security incidents of the past year, it is not hard to see that platform security depends mainly on how well the team handles risk management and whether it constantly audits and tests for possible security breaches.
This article analyses, from a few different perspectives, how secure the major lending platforms on Solana are.
Major lending platforms on Solana
Audits are the first line of defence when it comes to smart contract security, and a vital component to consider when initially assessing how secure a platform is.
Auditing acts as an independent third-party review, giving all stakeholders confidence that a platform operates transparently and adheres to expected industry standards. As DeFi continues to grow and mature, regulatory standards and compliance will become more robust, and auditors will continue to play a pivotal role.
Table 2 summarises how the aforementioned platforms have been audited.
Out of the six platforms, Jet Protocol is the only one currently operating on mainnet unaudited. Although its codebase has undergone a review by a team of external white-hat developers provided by the Solana Foundation, a high level of caution is still advised.
Solend, Apricot, Larix and Soda have all been audited by reputable smart contract auditing firms.
CertiK (which audited Soda) is an official partner company of Binance and is backed by prominent investors including Binance Labs, Lightspeed, Matrix Partners and DHVC.
SlowMist (which audited Larix) is a leading blockchain security company and a security partner of EOS, Cosmos and VeChain. SlowMist is known for its powerful firewall project for EOS smart contracts, FireWall.X.
Considering Venus Protocol and the large-sum liquidation incident of May 2021, the risk of listing tokens with low liquidity is apparent. The prices of such tokens can be easily manipulated by individuals acting in bad faith: by borrowing against artificially inflated collateral, they drain the platform's assets and leave it with large amounts of bad debt. Lending platforms should be risk-averse when listing tokens. It should also be the platform's responsibility to conduct a risk assessment before each listing and ensure that users do not become victims of such attacks. The Venus Protocol large-sum liquidation incident should have taught us all a lesson.
Out of the six platforms this article analyses, Larix, Jet and Soda have only listed mainstream tokens, which are less prone to market manipulation, significantly lowering the risk of similar attacks. Of the other three, Solend lists SBR, MER and SLND (Solend's native token), Apricot lists ORCA, and Port lists MER, FIDA and PORT (Port's native token). These are all tokens with relatively low liquidity and therefore a higher risk of being inflated through market manipulation, which adds a layer of uncertainty to the security of these platforms.
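The point about low-liquidity collateral can be made concrete with a listing-time check. The following is an added example, not code from the article or from any of the platforms discussed: it models the candidate token's main market as a constant-product (x·y = k) DEX pool, computes how far a trade of a given size would move the spot price, and only admits the token as collateral (with a cap tied to pool depth) if that impact stays under a policy threshold. All reserve sizes and thresholds are constructed, illustrative values.

```python
"""Added example: a liquidity gate for listing a token as collateral.

Assumptions (hypothetical, not from the article):
- the token trades in a single constant-product pool against a quote asset;
- pool reserves and policy thresholds are constructed sample values.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Pool:
    token_reserve: float  # units of the candidate token in the pool
    quote_reserve: float  # units of the quote asset (e.g. a stablecoin)

    def spot_price(self) -> float:
        """Quote units per token at the current reserves."""
        return self.quote_reserve / self.token_reserve


def price_after_buy(pool: Pool, quote_in: float) -> float:
    """Spot price after buying the token with `quote_in` of the quote asset.

    Constant product, fees ignored: the quote reserve grows, the token
    reserve shrinks to keep k constant, so the price rises.
    """
    k = pool.token_reserve * pool.quote_reserve
    new_quote = pool.quote_reserve + quote_in
    new_token = k / new_quote
    return new_quote / new_token


def price_impact(pool: Pool, quote_in: float) -> float:
    """Relative price move caused by a buy of size `quote_in`.

    For a constant-product pool this equals ((q + in) / q)^2 - 1, so it
    depends only on trade size relative to the quote-side depth.
    """
    return price_after_buy(pool, quote_in) / pool.spot_price() - 1.0


@dataclass(frozen=True)
class ListingPolicy:
    probe_size_quote: float     # size of the hypothetical trade used as a stress test
    max_impact: float           # reject as collateral if the probe moves price more than this
    max_collateral_frac: float  # cap total collateral at this fraction of quote-side depth


def assess_listing(pool: Pool, policy: ListingPolicy) -> dict:
    """Decide whether a token is deep enough to serve as collateral.

    A shallow pool fails the impact test outright; a deep pool is admitted
    with a collateral cap so the borrowable value stays small relative to
    the liquidity that backs the price.
    """
    impact = price_impact(pool, policy.probe_size_quote)
    eligible = impact <= policy.max_impact
    cap = policy.max_collateral_frac * pool.quote_reserve if eligible else 0.0
    return {"impact": impact, "eligible": eligible, "collateral_cap_quote": cap}


# Constructed sample pools: a deep market and a thin one, both priced at 1.0.
DEEP_POOL = Pool(token_reserve=10_000_000, quote_reserve=10_000_000)
THIN_POOL = Pool(token_reserve=2_000_000, quote_reserve=200_000)
POLICY = ListingPolicy(probe_size_quote=100_000, max_impact=0.05, max_collateral_frac=0.10)

if __name__ == "__main__":
    for name, pool in (("deep", DEEP_POOL), ("thin", THIN_POOL)):
        print(name, assess_listing(pool, POLICY))
```

The probe size should be chosen relative to the value a borrower could extract: if moving the price by a few percent costs less than the extra borrowing power that move unlocks, the listing is unsafe regardless of the token's popularity.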
Open source code is another important criterion when assessing the security of a lending platform. Open source means the code is transparent and freely available for anyone to review. There are three main reasons why open source code is more secure.
Of all the platforms analysed here, only Larix and Solend clearly state on their official websites that their code is open source. It is unclear whether the remaining platforms are even partially open source.
The major risks facing lending platforms stem from two sources: leakage of private keys, and price-feed errors. Beyond deliberate manipulation of a listed asset's price, oracle price feeds and quotation errors themselves carry great risk. Solend once erroneously liquidated multiple accounts, and users lost assets, because of a wrong price quotation for mSOL.
Apricot recently removed its LP collateral lending functionality and admitted that its LP pricing method was wrong, but some users had already been wrongly liquidated and lost funds as a result. Currently these platforms mainly rely on the Pyth oracle, and Chainlink has only recently begun supporting asset price quotations on Solana. A noteworthy approach would be mutual verification, cross-checking oracle prices against feeds from both centralised and decentralised exchanges.
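The mutual-verification idea above can be expressed as a guard that runs before any liquidation is triggered. The following is an added example, not code from the article, Solend, Apricot, Pyth or Chainlink: a primary oracle quote is rejected if it is stale, if its reported confidence interval is too wide, or if it deviates too far from the median of fresh reference quotes from other venues, and a rejected price pauses liquidation instead of acting on it. Source names, prices, timestamps and thresholds are constructed sample values.

```python
"""Added example: cross-check an oracle price before using it for liquidation.

Assumptions (hypothetical, not from the article): quotes arrive as
(source, price, unix timestamp, confidence); thresholds are illustrative.
"""
from dataclasses import dataclass
from statistics import median


@dataclass(frozen=True)
class Quote:
    source: str
    price: float
    ts: int                  # unix seconds when the quote was published
    confidence: float = 0.0  # +/- interval reported by the source, 0 if none


class PriceRejected(Exception):
    """Raised when a price must not be used for risk decisions."""


def validated_price(primary: Quote, references: list, now: int,
                    max_age: int = 60, max_dev: float = 0.02,
                    max_conf: float = 0.01) -> float:
    """Return primary.price only if it passes freshness, confidence and
    cross-venue deviation checks; otherwise raise PriceRejected."""
    if primary.price <= 0:
        raise PriceRejected(f"{primary.source}: non-positive price")
    if now - primary.ts > max_age:
        raise PriceRejected(f"{primary.source}: stale ({now - primary.ts}s old)")
    if primary.confidence / primary.price > max_conf:
        raise PriceRejected(f"{primary.source}: confidence interval too wide")

    # Only fresh, positive reference quotes count; the median resists a
    # single bad or manipulated venue.
    fresh = [q.price for q in references if now - q.ts <= max_age and q.price > 0]
    if len(fresh) < 2:
        raise PriceRejected("not enough fresh reference quotes")
    ref = median(fresh)
    deviation = abs(primary.price - ref) / ref
    if deviation > max_dev:
        raise PriceRejected(
            f"{primary.source} deviates {deviation:.1%} from reference median {ref}")
    return primary.price


def liquidation_decision(collateral_amount: float, debt_value: float,
                         primary: Quote, references: list, now: int,
                         liq_threshold: float = 0.8) -> tuple:
    """Return ("liquidate", ratio), ("healthy", ratio) or ("paused", reason).

    A price that fails validation pauses the decision rather than liquidating
    on a possibly wrong quote.
    """
    try:
        price = validated_price(primary, references, now)
    except PriceRejected as exc:
        return ("paused", str(exc))
    ratio = debt_value / (collateral_amount * price)
    return ("liquidate", ratio) if ratio > liq_threshold else ("healthy", ratio)


# Constructed sample quotes for a hypothetical token, evaluated at NOW.
NOW = 1_000
GOOD_ORACLE = Quote("oracle", 100.0, ts=990, confidence=0.2)
BAD_ORACLE = Quote("oracle", 60.0, ts=990, confidence=0.2)     # wrong quotation
STALE_ORACLE = Quote("oracle", 100.0, ts=800, confidence=0.2)  # 200s old
REFERENCES = [
    Quote("cex_a", 100.5, ts=995),
    Quote("dex_b", 99.8, ts=998),
    Quote("cex_c", 100.2, ts=997),
]

if __name__ == "__main__":
    for label, q in (("good", GOOD_ORACLE), ("bad", BAD_ORACLE), ("stale", STALE_ORACLE)):
        print(label, liquidation_decision(10.0, 850.0, q, REFERENCES, NOW))
```

Pausing on disagreement is deliberate: a wrong price that is too low liquidates healthy positions, and one that is too high lets undercollateralised borrowing through, so neither direction is safe to act on until the feeds agree again.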
Bug bounties are a mechanism for adding a further layer of security. By offering substantial rewards to whoever discovers a bug and reports it to the team, a bug bounty programme encourages the community and white-hat hackers to audit the contracts and their security. Solend, Larix and Port all have a bug bounty programme in place. In November 2021, Solend and Larix teamed up to pay a bounty to Neodyme for disclosing a vulnerability in the SPL token-lending library.
In finance there is a theory termed the "Impossible Trinity", which holds that high liquidity, low risk and high returns cannot all be achieved simultaneously. This also applies to crypto investing. So instead of chasing APYs, we should take a minute and think about how secure our funds are. After all, losing your assets for the sake of interest really is penny wise and pound foolish. Remember: mining second, safety first!