What now for Solana following ‘Candy Machine’ spam attack?
The Solana blockchain went offline for seven hours on Saturday evening following a bot attack that flooded the network.
Bots sent millions of transactions per second via the ‘Candy Machine’ NFT minting protocol. The resulting congestion knocked out consensus and crashed nodes, as validators failed to cope with traffic volume.
“Solana Mainnet Beta lost consensus after an enormous amount of inbound transactions (4m per second) flooded the network, surpassing 100gbps. Engineers are still investigating why the network was unable to recover, and validator operators prepare for a restart.“
An update, sent early Sunday morning via Twitter, states network operators had begun the process of restoring client services. The solscan.io block explorer currently shows expected transaction activity.
This latest incident is the third time Solana has suffered a significant network shutdown. The last such incident occurred following a suspected DDoS attack in December 2021.
According to Solana’s uptime tracker, there have been 11 outages since the start of this year, most of which they classify as partial outages.
Metaplex steps in with bot penalties
Candy Machine is a developer tool created by Metaplex that enables “on-chain generative NFT distribution.” In other words, through Candy Machine, users can launch a whole NFT project and benefit from integrations such as custom storefronts and airdrop functionality.
The Metaplex website sells its ‘NFT Standard’ by highlighting various benefits, including security. However, the Candy Machine attack indicates inadequacies in the protocol’s security.
“Prevent bots from interfering with NFT sales with decentralized architecture, Certified Collections, and CAPTCHAS.”
Metaplex said it will soon “deploy a botting penalty” as a response to the attack. This involves identifying invalid transactions and applying a 0.01 SOL penalty to those transactions.
A validation process that proves eligibility to mint NFTs will prevent genuine users from triggering the penalty.
“To combat this, we have merged and will soon deploy a botting penalty to the program as part of a broader effort to stabilize the network.“
Solano under fire
At the start of 2021, Solana was ranked 112th with a market cap of $100.7 million. Its rapid rise into the top ten caught many by surprise. But advocates maintain the project’s scalable Proof-of-History consensus mechanism to answer the DeFi needs of small traders and institutions.
This latest attack rehashes previous criticisms to do with protocol robustness. And, considering the Solana Foundation can restart the network, critics accuse the project of being centralized.
Stacy Herbert, co-host of the Orange Pill Podcast alongside Max Keiser, pointed out that if a country’s financial infrastructure was built on Solana, the consequences don’t bear thinking about.
“Imagine if a nation had built any of its financial infrastructure upon this blockchain…“
Previous issues were pinned on “growing pains,” but, having launched in March 2020, the protocol is over two years old at this point.
Commenting on the recovery response, Solana Labs co-founder Anatoly Yakovenko praised validators for stepping up and taking ownership of the situation.