Critical $160M Flash Loan Flaw in MarginFi on Solana—Swiftly Fixed Before Exploit

Source: Threat Contained: marginfi Flash Loan Vulnerability
A subtle flaw in marginfi’s flash loan logic threatened user funds worth $160 million but was swiftly patched without losses. Here’s what happened, how the bug worked, and why it matters.
What Is MarginFi?
marginfi is a Solana-based borrowing and lending DeFi platform allowing users to supply assets, take loans, and execute flash loans - loans borrowed and repaid within a single transaction.
Flash Loans on Solana: How They Work
Unlike Ethereum, Solana limits cross-program calls and disallows reentrancy. To enforce flash loan repayment, Solana programs inspect the entire transaction’s instructions:
- Step 1: Initiate flash loan - funds are lent to the borrower.
- Step 2: Borrower performs actions (trades, etc.) within the transaction.
- Step 3: Repayment instruction ensures full payback at transaction’s end.
If repayment isn’t verified, the transaction reverts atomically, protecting funds.
MarginFi’s Flash Loan Design
MarginFi manages user positions with a MarginfiAccount that must stay “healthy” (assets > liabilities), except during flash loans. To relax constraints temporarily:
- MarginFi sets an ACCOUNT_IN_FLASHLOAN flag to skip health checks during the loan.
- At the loan’s end, the flag clears, and MarginFi verifies the account is healthy again.
- The protocol doesn’t track precise repayment sequences, only state at loan start/end.
The Vulnerability
A recent update added a transfer_to_new_account instruction allowing the migration of a MarginfiAccount to a new account and authority. However:
- No check ensured this transfer couldn’t happen during an active flash loan.
- The old account’s balances were zeroed and disabled post-transfer, effectively erasing liabilities.
- This let attackers:
  - Start a flash loan on Account A.
  - Withdraw maximum funds.
  - Transfer Account A’s liabilities to a new Account B.
  - End the flash loan on Account A (which now shows no liabilities).
  - Keep the borrowed funds without repayment.
This exploit could have drained millions in a single transaction.
How MarginFi Fixed It
The team quickly patched the bug by:
- Blocking account transfers while a flash loan is active.
- Preventing disabled accounts from repaying flash loans.
No funds were lost, thanks to timely disclosure and an active bug bounty program.
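The two guards described above, modelled as an added example (this is not marginfi's code). It is a plain in-memory state machine: only ACCOUNT_IN_FLASHLOAN and transfer_to_new_account are names from the article, while the ACCOUNT_DISABLED flag, the bit positions, the error names and the one-line health rule are assumptions.

```rust
// Simplified in-memory model, not marginfi's code. Only ACCOUNT_IN_FLASHLOAN and
// transfer_to_new_account come from the article; other names are assumptions.
const ACCOUNT_IN_FLASHLOAN: u64 = 1 << 0; // bit position is an assumption
const ACCOUNT_DISABLED: u64 = 1 << 1; // hypothetical flag for migrated accounts

#[derive(Debug, PartialEq)]
pub enum Error { InFlashloan, NotInFlashloan, Disabled, Unhealthy }

#[derive(Debug)]
pub struct Account { pub flags: u64, pub assets: u64, pub liabilities: u64 }

impl Account {
    fn has(&self, flag: u64) -> bool { self.flags & flag != 0 }
    // Simplified health rule: liabilities must not exceed assets.
    fn healthy(&self) -> bool { self.liabilities <= self.assets }
    pub fn start_flashloan(&mut self) -> Result<(), Error> {
        if self.has(ACCOUNT_DISABLED) { return Err(Error::Disabled); }
        if self.has(ACCOUNT_IN_FLASHLOAN) { return Err(Error::InFlashloan); }
        self.flags |= ACCOUNT_IN_FLASHLOAN;
        Ok(())
    }
    // The health check is skipped while the flash loan flag is set.
    pub fn borrow(&mut self, amount: u64) -> Result<(), Error> {
        self.liabilities += amount;
        if self.has(ACCOUNT_IN_FLASHLOAN) || self.healthy() { return Ok(()); }
        self.liabilities -= amount; // roll back, as a failed transaction would
        Err(Error::Unhealthy)
    }
    pub fn transfer_to_new_account(&mut self) -> Result<Account, Error> {
        // Fix 1: no migration while a flash loan is active.
        if self.has(ACCOUNT_IN_FLASHLOAN) { return Err(Error::InFlashloan); }
        let new = Account { flags: 0, assets: self.assets, liabilities: self.liabilities };
        *self = Account { flags: ACCOUNT_DISABLED, assets: 0, liabilities: 0 };
        Ok(new)
    }
    pub fn end_flashloan(&mut self) -> Result<(), Error> {
        // Fix 2: a disabled (zeroed) account can never close out a flash loan.
        if self.has(ACCOUNT_DISABLED) { return Err(Error::Disabled); }
        if !self.has(ACCOUNT_IN_FLASHLOAN) { return Err(Error::NotInFlashloan); }
        if !self.healthy() { return Err(Error::Unhealthy); }
        self.flags &= !ACCOUNT_IN_FLASHLOAN;
        Ok(())
    }
}
fn main() {
    let mut a = Account { flags: 0, assets: 100, liabilities: 0 }; // constructed values
    a.start_flashloan().unwrap();
    a.borrow(1_000).unwrap();
    println!("{:?}", a.transfer_to_new_account()); // Err(InFlashloan)
}
```

Because the migration is refused while the flag is set, the liabilities stay on the original account and the end-of-loan health check still sees them.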
Key Takeaways
- Even well-reviewed smart contract systems can hide subtle, dangerous bugs.
- Flash loan mechanisms on Solana rely heavily on correct transaction instruction checks.
- Migrating or closing accounts during sensitive operations like flash loans requires strict safeguards.
- Rapid collaboration between security researchers and project teams is vital to protect DeFi users.
Closing Thoughts
This incident underlines the continued importance of smart contract auditing and cautious upgrades in DeFi. MarginFi’s fast response mitigated what could have been a major exploit.
Stay vigilant, follow best practices around flash loans, and always monitor for unexpected new instructions that might alter core logic.