DeFiTuna Hack 2026 — $570K Exploit Analysis

An attacker exploited a rounding bug in DeFiTuna's is_healthy() solvency check on Solana by creating an illiquid TUNA/USDC pool, allowing them to extract ~$570K USDC from a position treated as healthy when its total rounded to zero.

Details

Full Description

On July 16, 2026, DeFiTuna, a Solana-based lending and AMM protocol, was exploited for approximately $570K USDC through a rounding bug in the protocol's is_healthy() solvency check. The attacker first created a new, intentionally illiquid TUNA/USDC liquidity pool on DeFiTuna's AMM with prices set far from any legitimate market value. This illiquid pool allowed the attacker to control the reported valuation of TUNA tokens within the protocol's accounting.\n\nThe is_healthy() function was responsible for determining whether a lending position remained solvent — that is, whether the position's collateral value exceeded its debt. The function computed the position's net value by subtracting liabilities from assets and then rounding the result. The bug was in the rounding direction and threshold: when the computed total was small enough, the rounding logic produced zero, and the function interpreted a zero (rather than negative) result as a healthy position. By carefully sizing the position so that its true net value was deeply negative but its rounded total evaluated to exactly zero, the attacker could open and operate a position that was in reality insolvent while passing every solvency check.\n\nThe attacker used this false-healthy position to borrow USDC against the manipulated TUNA collateral, extracting approximately $570K USDC from the protocol's lending reserves. Because the position was treated as healthy, the protocol's liquidation machinery never triggered, and the attacker was able to withdraw the borrowed USDC cleanly. The exploit highlighted a classic class of bug — arithmetic rounding interacting with solvency checks — that is particularly dangerous in lending protocols where small precision errors can be amplified through carefully constructed positions.

Laundering Analysis

The stolen USDC remains on Solana and is traceable to the attacker's withdrawal wallets at the time of writing. No confirmed mixer routing or cross-chain bridge movement has been reported, and no recovery has been announced.

Sources

Transaction Hashes

Related Hacks

Back to Browse