Asymmetric Research discloses Marginfi flash loan bug that risked $160M

Marginfi fixed a flaw that could have let attackers borrow funds without repayment

by Blockworks

Marginfi, a Solana-based lending and borrowing protocol, has patched a critical vulnerability in its flash loan mechanism that briefly placed more than $160 million in user deposits at risk.

The bug, disclosed by security researcher Felix Wilhelm through Marginfi’s bug bounty program, would have allowed an attacker to borrow funds without repaying them. The issue was resolved before any exploit occurred, and no funds were lost, according to Asymmetric Research’s report.

Flash loans, a common DeFi feature, allow users to borrow nearly all available liquidity on the condition that the funds are repaid within the same blockchain transaction. Solana protocols typically enforce this by introspecting instructions in a transaction to ensure a repayment step is included.

According to Asymmetric, Marginfi followed this approach but introduced a new instruction, transfer_to_new_account, that unintentionally bypassed repayment checks. This meant liabilities could be shifted to a new account mid-loan, enabling funds to be drained without triggering safeguards.

The report indicates that the Marginfi team swiftly deployed a patch to block account transfers during flash loans and prevent disabled accounts from being used for repayment. While Solana’s architecture limits some common Ethereum-style exploits, the vulnerability underscores that logic errors remain a critical threat.
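The two fixes described above can be seen in a toy state model. This is an added example, not Marginfi's code or anything from the Asymmetric Research report. Every name except transfer_to_new_account is hypothetical, the `patched` flag exists only to compare behaviour, and the model assumes a transfer disables the old account and that the end-of-loan check compares liabilities with assets.

```rust
// Toy model, constructed for illustration; not Marginfi's code, types or checks.
#[derive(Default, Debug, PartialEq)]
pub struct Account { pub assets: u64, pub liabilities: u64, pub in_flashloan: bool, pub disabled: bool }

#[derive(Debug, PartialEq)]
pub enum Error { InFlashloan, Disabled, Unhealthy }

pub fn start_flashloan(a: &mut Account) -> Result<(), Error> {
    if a.disabled { return Err(Error::Disabled); }
    a.in_flashloan = true; // health check is deferred to end_flashloan
    Ok(())
}

pub fn borrow(a: &mut Account, amount: u64) -> Result<(), Error> {
    if a.disabled { return Err(Error::Disabled); }
    if !a.in_flashloan && a.liabilities + amount > a.assets { return Err(Error::Unhealthy); }
    a.liabilities += amount;
    Ok(())
}

// Moves the position to a fresh account and disables the old one (assumed behaviour).
pub fn transfer_to_new_account(old: &mut Account, patched: bool) -> Result<Account, Error> {
    if patched && old.in_flashloan { return Err(Error::InFlashloan); } // fix 1: no transfer mid-loan
    let new = Account { assets: old.assets, liabilities: old.liabilities, ..Default::default() };
    old.assets = 0; old.liabilities = 0; old.disabled = true;
    Ok(new)
}

pub fn end_flashloan(a: &mut Account, patched: bool) -> Result<(), Error> {
    if patched && a.disabled { return Err(Error::Disabled); } // fix 2: disabled account cannot settle
    if a.liabilities > a.assets { return Err(Error::Unhealthy); }
    a.in_flashloan = false;
    Ok(())
}

// Runs start -> borrow -> transfer -> end and reports where the sequence stops.
pub fn run(patched: bool) -> Result<u64, Error> {
    let mut a = Account { assets: 10, ..Default::default() };
    start_flashloan(&mut a)?;
    borrow(&mut a, 1_000)?;
    let moved = transfer_to_new_account(&mut a, patched)?;
    end_flashloan(&mut a, patched)?;
    Ok(moved.liabilities) // debt that never went through the end-of-loan check
}

fn main() {
    println!("without guards: {:?}", run(false)); // Ok(1000)
    println!("with guards:    {:?}", run(true));  // Err(InFlashloan)
}
```

In the model, either guard alone is enough to stop the sequence; the patch described in the report applies both.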

The swift resolution demonstrates the role of bug bounty programs in preventing systemic losses. Similar past incidents, including attacks on Mango Markets and other Solana-based protocols, have shown how flash loan vulnerabilities can lead to multimillion-dollar losses.

Marginfi representatives did not respond to Blockworks’ request for comment before publication.

This is a developing story.


This article was generated with the assistance of AI and reviewed by editor Jeffrey Albus before publication.

