The Serum token liquidity hub, created by FTX, is being forked by Solana developers after an FTX breach possibly compromised it.
A hacker made unauthorized withdrawals from FTX of more than $400 million on Friday. The scenario caused the exchange to file for Chapter 11 bankruptcy protection, which worsened its financial situation.
Several Solana developers believe Serum, a well-known protocol developed by FTX and used by many Solana blockchain apps, may have also been affected by the leak.
Solana Developers Need Another Serum Version
Anatoly Yakovenko, the developer of Solana, highlighted that developers are scrambling to fork Serum’s source today and continue the protocol without FTX’s involvement.
Developers require a new version of Serum because the original can only be upgraded using a private key belonging to someone at FTX, not the Serum DAO. That key may have been vulnerable as a result of the FTX breach.
According to Yakovenko, the upgrade key to the current program has been compromised. Thus, the developers who depend on Serum are forking the program.
The Serum program's update key was controlled by a private key associated with FTX rather than by the organization that created it. According to a pseudonymous developer named Mango Max, who added that he is in charge of the Serum fork operations, no one can currently determine who holds this key and therefore has the authority to upgrade the Serum program, potentially deploying harmful code.
The serum program update key was not controlled by the SRM DAO, but by a private key connected to FTX. At this moment no one can confirm who controls this key and hence has the power to update the serum program, possibly deploying malicious code. (2)
— Mango Max 🅱️🧑🌾🥭🦀 (@m_schneider) November 13, 2022
Solana Apps Begin Limiting Serum Exposure
Many Solana apps that are known to use Serum have started to minimize their exposure. The biggest DEX aggregator exchange on Solana, Jupiter, informed customers that it was suspending usage of Serum’s liquidity because of security concerns.
Jupiter confirmed that it had turned off Project Serum as a liquidity source a few hours earlier due to security concerns about upgrade authorities, and that it had encouraged all its integrators to do the same.
Confirming that we turned off @ProjectSerum as a liquidity source a few hours ago due to security concerns about upgrade authorities, and we also encouraged all our integrators to do the same.
The ecosystem is working on a fork right now, and we will be supporting it asap 🔥
— Jupiter Aggregator 🪐 (@JupiterExchange) November 12, 2022
Due to security concerns, other projects like Magic Eden, Mango Markets, and Phantom indicated they would stop relying on Serum for liquidity and have suspended its use.