Blockchain networks depend on carefully designed transaction pricing systems to balance performance, fairness, and protection against abuse. On February 27, 2026, security experts at CertiK revealed how their analysis helped eliminate a serious flaw in Solana’s architecture that could have let attackers overwhelm validators with minimal effort.
The vulnerability resided in the big_mod_exp syscall—a built-in function for handling large-number modular exponentiation, similar to Ethereum’s EIP-198.
This operation supports inputs up to 4,096 bits and is crucial for advanced cryptographic applications. Solana charges transactions using compute units (CU), where each unit roughly equals 33 nanoseconds of execution time.
While bytecode instructions receive exact metering, syscalls rely on pre-calculated estimates.
CertiK’s audit exposed a fundamental error in the cost formula. Developers had based the CU charge on input lengths measured in bytes, rather than the correct bits.
For a full-size 4,096-bit operation (512 bytes), the system budgeted only about 8,043 CU. In reality, the computation demanded roughly 508,400 CU—more than 60 times higher.
A single call could therefore consume nearly 890 milliseconds, easily crossing slot boundaries and triggering Solana’s retry mechanism up to 150 times.
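The gap between a syscall's budgeted and actual cost is the whole vulnerability, so a defender's check is to benchmark the operation and compare it with what the metering charges. The script below is an added example, not CertiK's or Solana's code: it uses the page's figures (8,043 CU budgeted versus roughly 508,400 CU real, 33 ns per CU), uses Python's native `pow()` as a stand-in for the validator's `big_mod_exp`, and assumes the charge scales quadratically with operand length, which is consistent with the roughly 64x gap the page reports when bytes are used in place of bits.

```python
import secrets
import time
from math import ceil

NS_PER_CU = 33  # page: one compute unit is roughly 33 ns of execution time


def ns_to_cu(elapsed_ns: int) -> int:
    """Convert measured wall time into the compute units it should have cost."""
    return ceil(elapsed_ns / NS_PER_CU)


def bench_modexp_ns(bits: int, rounds: int = 5) -> int:
    """Time base^exp mod m on `bits`-wide random operands (constructed input).
    Python's native pow() stands in for the validator's big_mod_exp syscall."""
    base = secrets.randbits(bits)
    exp = secrets.randbits(bits)
    mod = secrets.randbits(bits) | (1 << (bits - 1)) | 1  # full width and odd
    best = None
    for _ in range(rounds):
        t0 = time.perf_counter_ns()
        pow(base, exp, mod)
        elapsed = time.perf_counter_ns() - t0
        best = elapsed if best is None else min(best, elapsed)
    return best


def audit_budget(budgeted_cu: int, actual_cu: int, tolerance: float = 1.5) -> dict:
    """Compare what a syscall is charged with what it really costs.
    A ratio above `tolerance` flags an underpriced syscall: a caller pays
    `budgeted_cu` but consumes `actual_cu` worth of validator time."""
    ratio = actual_cu / budgeted_cu
    return {"budgeted_cu": budgeted_cu, "actual_cu": actual_cu,
            "ratio": ratio, "underpriced": ratio > tolerance}


def bytes_for_bits_error(bits: int) -> float:
    """Underpricing factor when a quadratic cost model (assumed here) is fed
    the operand length in bytes instead of bits: bits^2 / (bits/8)^2 = 64."""
    nbytes = bits // 8
    return (bits * bits) / (nbytes * nbytes)


if __name__ == "__main__":
    # Figures from the write-up: 8,043 CU budgeted vs ~508,400 CU actually needed
    report = audit_budget(8_043, 508_400)
    print(f"4096-bit big_mod_exp: {report['ratio']:.1f}x underpriced -> {report['underpriced']}")
    print(f"quadratic model fed bytes instead of bits: {bytes_for_bits_error(4096):.0f}x")
    measured = ns_to_cu(bench_modexp_ns(4096))
    print(f"local pow() proxy for a 4096-bit modexp: ~{measured} CU at {NS_PER_CU} ns/CU")
```

The local timing is only a proxy for native validator code; the point is the method, which is to measure, convert to CU and flag any syscall whose budget is far below the measurement.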
The attack scenario was straightforward yet devastating.
An attacker deploys a program that repeatedly invokes the oversized big_mod_exp with maximum inputs.
Each failing transaction hits the MAX_PROCESSING_AGE limit, gets requeued, and blocks leader-node resources.
Because Solana processes transactions in parallel across multiple threads, even a handful of malicious accounts could saturate CPU cores and delay honest traffic for over two minutes.
On a private four-node test cluster, researchers reproduced the denial-of-service effect: normal user transactions stalled while attacker calls consumed the entire processing queue.
This flaw echoed earlier blockchain incidents. Ethereum once suffered from underpriced opcodes like EXTCODESIZE and SELFDESTRUCT that enabled state bloat and network slowdowns, later corrected through targeted gas increases.
Solana itself experienced multi-hour outages in 2022 caused by NFT bot spam and duplicate transaction floods.
Its ultra-low fees—often fractions of a cent—and theoretical throughput exceeding 700,000 transactions per second make such pricing mistakes especially dangerous.
Following responsible disclosure, the Solana Foundation acted swiftly.
Engineers re-benchmarked the operation and updated the CU formula to a more precise N²/2 + 190 model (commit eb37b21). The patch went beyond simply converting bytes to bits; it incorporated real-world timing data to ensure future accuracy.
The incident underscores a broader imperative: in high-performance chains like Solana, every syscall estimate must be rigorously validated.
CertiK’s proactive research prevented what could have become a widespread exploit, demonstrating the value of independent audits in rapidly evolving ecosystems. As decentralized finance and Web3 applications expand, precise resource accounting remains the first line of defense against denial-of-service threats and network instability.