On the morning of August 24, alarms sounded on the Solana chain: Jupiter DEX, a core DeFi project in the ecosystem, was attacked by hackers, and $50 million (30 million SOL + 20 million USDC) was looted in 15 minutes. This is the third security incident on Solana this month. From the NFT market to the Raydium liquidity pool, to Jupiter today, the security weaknesses of the Solana ecosystem keep being exposed. The price of SOL plummeted by 4.5%, users panicked and withdrew their funds, and the entire ecosystem fell into a crisis of trust.

Below, we will analyze this 'thrilling 24 hours' of the Solana ecosystem from four dimensions: 'the beginning and end of the incident, hacker techniques, market impact, and official response', and tell you what to be vigilant about and what to pay attention to next.

1. The beginning and end of the incident: $50 million looted in 15 minutes, how did Jupiter become an 'ATM'?

Jupiter is not a small project. As the 'DeFi facade' of the Solana ecosystem, it is the largest liquidity aggregator on the chain, with a daily trading volume of over $1 billion and a TVL (total value locked) of up to $1.5 billion. It is officially supported by Solana Labs and is deeply integrated with core applications such as Phantom wallet and Raydium. But even such a 'star project' was easily broken through by hackers.

1. Attack timeline: From outbreak to stop loss, 30 minutes of 'life and death speed'

UTC 04:15: On-chain transaction records (Tx Hash: 5x...abc) show that the hacker began to execute automated scripts, and multiple flash loan operations suddenly poured into Jupiter;

UTC 04:20: The Solana monitoring tool (Fortress) issued an abnormal warning - SOL and USDC in Jupiter's liquidity pool were being extracted in large quantities, but the attack had already entered its climax;

UTC 04:30: The Jupiter team responded urgently, suspending some routing functions and freezing the contracts involved, and the attack gradually stopped;

UTC 05:00: The community exploded on Twitter and Discord. Users discovered abnormal assets, and the Solana Foundation officially confirmed that 'Jupiter was attacked, with a loss of approximately $50 million'.

The entire attack lasted only 15 minutes, but the resulting losses were shocking - 16,000 SOL (priced at $180/piece at the time, totaling $30 million) and 20 million USDC were transferred away, and some funds were also transferred to the Ethereum and BSC chains for laundering through mixing tools.

2. Attack scale: Not only Jupiter, the entire Solana ecosystem was 'affected'

This attack is not an 'isolated incident', but the 'third shot' of Solana this month:

August 10: A small NFT market was attacked, losing $2 million;

August 18: Raydium (another major DEX on Solana) liquidity pool had a vulnerability, losing $10 million (only part of it was recovered);

August 24: Jupiter was robbed of $50 million, the most devastating loss this month.

In just 14 days, three security incidents caused losses of over $62 million. Solana's advantage of 'high TPS (transactions per second)' has now become a 'death warrant' - the network speed is fast, and the hacker's attack execution efficiency is also higher, while the smart contract audit progress cannot keep up with the pace of project development at all.

2. Hacker technique analysis: Flash loan + oracle manipulation, why does the 'old routine' work repeatedly?

This time, the hacker used a 'classic combination punch' in the DeFi field: flash loan vulnerability + price oracle manipulation + reentrancy attack, the same method by which Mango Markets on Solana was robbed of $100 million in 2022. Simply put, it is 'borrowing the platform's money, fleecing the platform with it, and finally returning the money'.

1. Four steps to complete 'get something for nothing'

Step 1: Borrow 'flash loan' - get $100 million worth of 'ammunition' at zero cost
The core of a flash loan is 'borrowing and repaying within a single transaction' without collateral. The hacker borrowed $100 million worth of assets from protocols such as Aave, which is equivalent to 'temporarily renting' a huge amount of funds to prepare for subsequent price manipulation.

Step 2: Manipulate the oracle - feed Jupiter 'fake data'
Jupiter's routing algorithm relies on 'price oracles' to determine the price of liquidity pools, and then recommends the best trading path. The hacker manipulated the price of a small liquidity pool to an abnormally high level through a large number of fake transactions (for example, pushing the price of 1 SOL to $200, while the actual market price is $190), making the oracle mistakenly believe that 'there is arbitrage space here'.

Step 3: Crazy 'arbitrage' - drain real assets
After the oracle is deceived, Jupiter's algorithm will guide 'arbitrageurs' to trade in this abnormal pool. The hacker used this vulnerability to repeatedly execute fake 'buy low and sell high' transactions with borrowed flash loan funds, actually drawing SOL and USDC from other real liquidity pools in Jupiter, and finally returning the flash loan, netting $50 million.

Step 4: Money laundering and transfer - 'launder' the money and hide it
After succeeding, the hacker distributed the funds to more than 20 newly created anonymous wallets, transferred a part to Ethereum's Uniswap to exchange for ETH, and used a mixing tool similar to Tornado Cash to hide the traces. There are even clues pointing to the North Korean hacker organization Lazarus Group (but not yet confirmed).

2. Why Solana? The 'double-edged sword' of high TPS

Solana's theoretical TPS can reach 65,000, and transaction confirmation only takes 0.4 seconds, which is 'efficiency gospel' for DeFi, but 'attack convenience' for hackers:

Transactions are fast, and hackers can complete the entire process of 'borrowing - manipulating - withdrawing funds - repaying' in a very short time, and the platform monitoring tools cannot react;

Solana uses a parallel execution model (multiple transactions are processed simultaneously), which is more prone to 'contract execution order vulnerabilities' than Ethereum's single-threaded execution, leaving loopholes for reentrancy attacks;

Many Solana DeFi projects rushed to develop quickly in Rust, but skipped complete security audits - Jupiter did an audit, but it did not cover the combined vulnerability of 'flash loan + oracle'.

3. Market impact: SOL plummeted, users fled, and ecosystem confidence shattered?

After the attack was exposed, the Solana ecosystem instantly fell into panic, funds began to flow out frantically, and the market voted with its feet.

1. SOL price 'plunges', market value evaporates $2 billion

Before the event: SOL was stable at $190 due to the overall recovery of the crypto market;

After the event: fell 3% in 10 minutes, fell 4.5% throughout the day, touched a low of $175, and the market value decreased by $2 billion in 24 hours;

Compared with other currencies: Bitcoin rose 5% and Ethereum rose 8% during the same period, and it is obvious that funds are flowing from Solana to more 'safe' assets.

2. Ecosystem 'blood loss': TVL drops sharply, users retreat

Jupiter itself: TVL fell from $1.5 billion to $1.2 billion, a decrease of 20% in one day;

Entire Solana ecosystem: TVL decreased by 8% in a single day, with a total of $5 billion 'escaping';

User behavior: The number of active addresses on the chain decreased by 15%, and the trading volume of DeFi protocols such as Orca and Serum fell by 20%. Many users directly transferred their assets to Ethereum Layer 2 (such as Arbitrum) or Base chain.

3. Leveraged traders hit by a 'liquidation wave'

More than $100 million in SOL perpetual contracts on Binance and Bybit were liquidated, and most of them were long positions - many investors were optimistic about the Solana ecosystem and added leverage to go long, but were 'stunned' by the sudden event and lost everything.

Even more troublesome is the 'trust crisis' - Solana was previously criticized for being 'unstable' due to frequent downtime. In 2024, the downtime problem was finally solved, but now there are successive security vulnerabilities. Many developers and users are beginning to question: 'Can Solana really protect asset security?' Even competitors such as Aptos and Sui are taking the opportunity to promote 'we are safer' and want to poach Solana's projects and users.

4. How did the official respond? Release a patch in 24 hours and offer a reward of $1.5 million to catch the hacker

Faced with the crisis, the Solana Foundation and the Jupiter team did not dare to slack off and urgently launched a series of remedial measures in an attempt to restore confidence.

1. Technical repair: Push a 'security patch' within 24 hours

Emergency upgrade: It is planned to push a hard fork or contract upgrade in the early morning of August 25 (within 24 hours after the attack), mainly changing two points: first, integrate the Chainlink V2 oracle to avoid manipulation of a single oracle; second, add a limit to flash loans and add 'reentrancy protection' to prevent hackers from repeatedly calling contracts;

Full ecosystem audit: Solana Labs announced that it will conduct free security reviews for all DeFi projects, especially flash loan-related contracts, to reduce vulnerabilities from the source.
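Two of the measures named above, a multi-oracle median check and a flash-loan cap, as an added Rust example that is not Jupiter's or Solana's code; reentrancy protection is not shown. The function names, the three-feed minimum, the basis-point thresholds and the sample feeds are assumptions; the $190/$200 prices and the $100 million loan against $1.5 billion TVL reuse the article's figures.

```rust
// Added illustration, not Jupiter's code. Names and thresholds are assumptions.
type Price = u64; // micro-dollars; integer math, since on-chain code avoids floats

#[derive(Debug, PartialEq)]
enum GuardError {
    NotEnoughSources,
    PoolDeviates { pool: Price, reference: Price },
    BorrowOverCap,
}

/// Median of independent feeds: a single manipulated source cannot move it.
fn median(feeds: &[Price]) -> Option<Price> {
    if feeds.len() < 3 {
        return None; // assumed minimum number of independent sources
    }
    let mut v = feeds.to_vec();
    v.sort_unstable();
    let mid = v.len() / 2;
    Some(if v.len() % 2 == 1 { v[mid] } else { (v[mid - 1] + v[mid]) / 2 })
}

/// Refuse to route through a pool whose spot price is more than
/// `max_bps` basis points away from the median reference price.
fn check_pool_price(pool: Price, feeds: &[Price], max_bps: u64) -> Result<Price, GuardError> {
    let reference = median(feeds).ok_or(GuardError::NotEnoughSources)?;
    let diff = pool.abs_diff(reference) as u128;
    // diff / reference > max_bps / 10_000, cross-multiplied to avoid division
    if diff * 10_000 > (reference as u128) * (max_bps as u128) {
        return Err(GuardError::PoolDeviates { pool, reference });
    }
    Ok(reference)
}

/// Cap what one transaction may borrow, as a share of pool liquidity.
fn check_borrow(amount: u64, liquidity: u64, cap_bps: u64) -> Result<(), GuardError> {
    if (amount as u128) * 10_000 > (liquidity as u128) * (cap_bps as u128) {
        return Err(GuardError::BorrowOverCap);
    }
    Ok(())
}

fn main() {
    // Constructed sample feeds near $190; the pool has been pushed to $200.
    let feeds = [189_900_000, 190_000_000, 190_200_000];
    println!("{:?}", check_pool_price(200_000_000, &feeds, 200)); // 2% tolerance
    println!("{:?}", check_pool_price(190_500_000, &feeds, 200));
    println!("{:?}", check_borrow(100_000_000, 1_500_000_000, 500)); // 5% cap
}
```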

2. Hunting down the attacker and compensation: Reward $1.5 million, insurance covers losses

Reward for hunting down the attacker: The Solana Foundation offered $1 million (paid in SOL), and Jupiter added $500,000 to encourage white hat hackers or insiders to provide clues. The FBI and Interpol have also intervened in the investigation. Currently, there are clues pointing to IP addresses in Southeast Asia or Eastern Europe, but no one has been caught yet;

User compensation: Jupiter activated Nexus Mutual's insurance, which is expected to cover 80% of the losses (that is, $40 million), and the affected users will be able to get compensation later; the Solana Foundation also established a $100 million 'ecological recovery fund' to help other small projects that have been attacked recover.

3. Stabilize morale: Emphasize that 'the mainnet has not crashed, it is just an isolated incident'

Solana Foundation CEO Anatoly Yakovenko repeatedly emphasized on Twitter: 'This attack only affects Jupiter, the mainnet TPS is still at 2000-4000, the core nodes are normal, and there is no downtime. High TPS is an advantage, and we will solve security problems through 'progressive auditing', and will not stop eating for fear of choking.'

However, whether the market buys it or not depends on the follow-up - if the security patch on August 25 is successfully implemented and there are no more problems, the price of SOL may rebound to $185; but if there are more vulnerabilities, the ecosystem confidence may completely collapse.

5. What should we pay attention to next? What should we be vigilant about?

For investors and developers, now is not the 'time to panic', but the 'time to make a calm judgment':

1. Three signals worth paying attention to

Security patch implementation: Can the upgrade on August 25 really plug the vulnerability? You can see whether Chainlink is successfully integrated and whether the flash loan limit is reasonable;

Hacker tracking progress: If the $1.5 million reward can catch the hacker and recover some funds, it will greatly boost ecosystem confidence;

Changes in TVL and active addresses: If the TVL of the Solana ecosystem no longer declines and the number of active addresses rebounds in the next 1-2 weeks, it means that users are starting to return and the crisis is gradually resolved.

2. Two risks that must be guarded against

Short-term price fluctuations: SOL may still be under pressure, especially if new security incidents are exposed. Do not easily buy the dip or add leverage;

Project security risks: Small and medium-sized DeFi projects on Solana, especially those that have not done a complete audit and involve flash loans, should be avoided for the time being. Prioritize choosing top projects such as Jupiter and Raydium that 'have the ability to compensate after an accident'.

3. Expert reminder: Solana's 'growing pains' are also the problem of the entire DeFi

"Solana's problem is not an isolated case - the entire DeFi industry faces the contradiction of 'fast development and slow auditing'. The high TPS network only magnifies this contradiction. If DeFi projects want to survive in the future, they must put 'security' before 'efficiency', such as extending the audit cycle and introducing multi-oracle verification, instead of blindly launching to grab market share."

Summary: Can't a $50 million loss buy a 'security awakening'?

This $50 million attack was a 'painful lesson' for Solana - it proves that 'fast' is not everything in DeFi, and 'security' is the bottom line. If Solana can use this incident to establish a complete security system of 'development - audit - monitoring', it may regain DeFi market share in the future (currently accounting for 15%); but if it is just 'treating the head when it hurts, and treating the foot when it hurts', the next attack may be just around the corner.

For the entire crypto industry, the Jupiter incident is also a 'warning': DeFi innovation cannot be at the cost of 'sacrificing security'. After all, users put their money on the chain, betting that 'code is more reliable than people' - once the code has vulnerabilities, no matter how fast the network or how high the returns, it is just a 'hacker's ATM'.

Disclaimer: The content described in this article is for reference only and does not constitute any investment advice. Investors should rationally view cryptocurrency investment based on their own risk tolerance and investment objectives, and should not blindly follow suit.