Incident Report: 37,000 SOL in Losses — A Call for Investigation and Action

Dear Solana community — validators, stakers, developers, and ecosystem fund representatives.

I’m writing on behalf of the Shiroi project, a team actively building on Solana. After learning that certain validators had discovered and exploited a vulnerability in the Marinade auction system, we decided to run our own independent audit to assess the scale of the damage. The results were shocking:
Over the span of 126 epochs, Marinade has incurred at least 37,000 SOL in losses — that’s over $5 million USD at current prices.

We attempted to reach out to Marinade leadership (specifically Repe) via X (Twitter), Discord, and other core team members through Telegram — unfortunately, we received no response. The lack of reaction to such a major incident sets a dangerous precedent and seriously undermines trust in the Marinade protocol and its delegation model. It also raises broader concerns about the reliability of all public staking pools and whether their advertised APYs are actually real.

To be blunt — the silence from the Marinade team after we disclosed the losses makes us question whether this vulnerability was known internally and simply ignored… or worse — knowingly left in place as a revenue stream.

We’ve also analyzed the percentage of stake that went unpaid by malicious validators each epoch. The results ranged from 2% to 75%, with an average across 124 epochs of 28% unpaid stake. That’s disturbing:

  • Honest validators were effectively subsidizing “free stake” for exploiters.
  • And stakers — who trusted the system — may have missed out on 28% of Marinade’s advertised APY.

Who’s going to cover that gap?

Today, we’re releasing:

  • A Top 10 list of validators who caused the highest damage to Marinade,
  • The Top 10 most loss-heavy epochs,
  • And a list of epochs where over 50% of stake was unpaid.

We want to understand:
Does the community care? Or is everyone just going to pretend this didn’t happen?

If there’s no meaningful response, we’ll bring this issue directly to the Solana Foundation — which, to our knowledge, is one of Marinade’s major stakers. It’s also worth noting that 6 of the Top 10 exploit validators are currently receiving delegation from Solana Foundation, and one of them is also backed by Jito.

All methodology, calculations, and proofs will be published soon.

Top10 Epochs by losses:
773 - 886 SOL
772 - 875,8 SOL
748 - 808,8 SOL
760 - 786,6 SOL
746 - 760,8 SOL
759 - 759,9 SOL
775 - 718,2 SOL
770 - 715,3 SOL
771 - 696,2 SOL
776 - 685,4 SOL

Top10 validators by losses (identity):

  1. DB7DNWMVQASMFxcjkwdr4w4eg3NmfjWTk2rqFMMbrPLA (Active on MB) - 1081,16 SOL
  2. PAWsME7oYbjt5TRNc11mBa33JhKnQr9AYherdr9YAZ6 (Active on MB) - 952,43 SOL
  3. simpRo1FrQYGa1moicfgnPDp6KyE38d4gYrZzhjXYJb (Active on MB) - 875,28 SOL
  4. FUURpC3LjVnxr21PmEfHtxT7Mfe4CVJXxESBjQPvmqTZ (Active on MB + jito stake) - 741,38 SOL
  5. mint13XHZSSxtgHuTSM9qPDEJSbWktpmpM4CZxeLB8f (Active on MB) - 696,429 SOL
  6. 3Kzdcmu6yWE4AEhFdxAoWncLijpwzNB95JThHRXzvf5k (Rejected) - 674,16 SOL
  7. AXX64w9VS82qbM6WP5FHSPK7qbnRtzxyAvjARsencqrZ (Rejected) - 664 SOL
  8. 3tm92VTxwyZ5MDhGoYR4tVTkwWYkzfam6hwBjauUACCk (Active on MB) - 638 SOL
  9. 71M936kzQRe7eWrABba6yKqPsmTMVhijQqDNQP9qM9pP (Rejected) - 611 SOL
  10. FLAT3fBhQxrSPyT1zvyf58uQGARiGtnoN3VW8R7i38kC (NOT SFDP) - 595,07 SOL

24 epochs with over 50% of stake unpaid by validators:
652, 653, 654, 655, 656, 657, 658, 755, 756, 757, 764, 765, 766, 767, 768, 769, 770, 771, 772, 773, 774, 775, 776, 777

4 Likes

Damn, that’s some awesome work.

Questions like “why does someone with a much larger stake get paid significantly less?” have come up so many times before. And every time, we got the same tired responses: “we’re looking into it,” “we’re aware,” “it’s complicated…”

Finally, we have actual evidence.

Hanabi Staking would like to clarify that we have never attempted to meaningfully participate in buying stake directly from Marinade (or the “auction”). We would also like to stress that there’s a difference between inefficiencies in rebalancing and deliberate abuse. We recommend also correlating abuse with bond configuration history to gain more holistic insights into each individual validator’s behaviour.
We would also like to note that 28% of stake being unpaid doesn’t necessarily mean 28% of APY lost, as only the cost of buying was unpaid. Stakers’ share of inflation rewards and MEV tips, which are managed by Solana and Jito respectively, are unaffected, barring commission rugging which is out of scope.

1 Like

Marinade is a sandwich-driving pool. Their auction model is not designed for regular validators to win stake, because they have no way to bid for it. Anyone who pays bids to win Marinade stake is doing it because they make extra income from it. And the bids are very high. No arbitrage or other ethical strategy can yield more than the cost of those bids. So 99% of validators who win Marinade stake are running toxic sandwich strategies. If you stake with Marinade - you are supporting sandwich attacks on the Solana network.
Marinade is broken, their previous model, which supported decentralization in the network, was much healthier for the ecosystem and the overall growth of the network.

Now, it’s just a senseless race for additional profit.

3 Likes

First of all, I don’t want to defend anyone here, and I’m not getting any stake out of this myself. I agree with Ama above that the only way to be here is through sandwiching. Although, to be honest, I’ve always seen it as something where sandwiching existed before this auction, but the Marinade team saw how their stakes were used, and wanted part of that revenue stream to also go to their stakers. Meaning, I often see posts that seem to imply Marinade alone is to blame for sandwiching, which I don’t think is entirely fair.

Back to the current issue.

As I understand it, the auction program (contract) was supposed to lock funds on the validator’s account - an amount sufficient to cover their promised APY percentage (even with 0% uptime) for two epochs (? taking into account the deactivation time).

And as I understand, there was a bug in the program (contract) that prevented this from happening.

I think initially, each person who placed a bid and won discovered this issue by accident (maybe later it spread through some closed groups), even those who didn’t win but just participated and analyzed things.

But not the Marinade team.

Though it seems to me that this was their primary responsibility. At the end of the auction, they definitely knew how much SOL they’d receive for the auction epoch. And it should’ve been possible to notice that something was wrong within just 2 days after the first event of auction bid reduction.

Let me repeat - it seems that reducing the bid is, in itself, a valid action allowed by the program (contract). But for some reason, it applied even to the “closed” epochs.

I just want to say that, overall, it’s not so clear-cut for me…

P.S. Overall, I admit that I might have written complete nonsense above and don’t actually understand how the auction works (since I realized from the start that I wouldn’t be able to win and just didn’t participate). Feel free to tell me that.

2 Likes

FYI - I tried to post this several times but I get an error message that “new users can only post messages with 2 links.” Posting this as a code snippet, which is a workaround.

Thanks for putting together this report. I am the founder of Orangefin Ventures (`DB7DNWMVQASMFxcjkwdr4w4eg3NmfjWTk2rqFMMbrPLA`) which is #1 in your list of validators "exploiting." While I appreciate you taking the time to put this together, your data is painting a story which is just not reality. I'll fill in the gaps.

---

**The "exploit"**

Before I get into the missing data, I want to actually talk about what the exploit was, which has recently come to light.

Marinade has a concept of an `unstakePriority`. This value represents a validator's rank in terms of when they would get unstaked. A lower `unstakePriority` means a validator is more likely to get unstaked, and a higher `unstakePriority` means a validator is less likely to be unstaked.

In a rational world, a validator who is returning less to the stake pool would get unstaked first. What has recently come to light (and I didn't even know about until 2 weeks ago), is that the logic actually worked the opposite.

The logic for `unstakePriority` actually worked in a way where the **less** a validator paid back to the pool, the less likely they were to be unstaked. This is the exact opposite of the way the pool was intentionally designed. This is covered elegantly by this [GitHub issue](https://github.com/marinade-finance/ds-sam/issues/24).

So to summarize, **the less a validator bid, the less likely they would be unstaked.** This means that the lowest possible bid of `1 lamport` was the optimal bid to keep stake.

---

**Missing Data Points about myself and potentially other validators in the list**

- Firstly, I contributed feedback to SAM's initial design [here](https://forum.marinade.finance/t/proposal-new-delegation-strategy/1315/2?u=maxkaplan). This is to show I was involved in SAM from the beginning, before it was even approved by the DAO as the delegation strategy and long before it was even implemented.
- I received stake in marinade's first ever SAM [auction](https://github.com/marinade-finance/ds-sam-pipeline/blob/main/auctions/652.230597/outputs/results.json#L3364). When I first initially received stake, it was actually profitable to bid. Bids continued to get higher, but I never lost stake. Instead of thinking about it like validators were exploiting it, it's best to start from a place that's more rational. Put yourself in my shoes for a second. You have stake which you bid for honestly (first bullet point proves that). Bids are continuing to rise. Naturally, you would think that you would get unstaked at a point in time. This never happened.
- I ended up keeping the stake I had for something like 6+ months. My bid was never even 1 lamport which is what the people who actually knew the exploit were doing. To further back this up, this can be verified with data. I'll just post a few samples here with round numbers:
  - [670](https://github.com/marinade-finance/ds-sam-pipeline/blob/main/auctions/670.33889/outputs/results.json#L2735), 
  - [680](https://github.com/marinade-finance/ds-sam-pipeline/blob/main/auctions/680.37255/outputs/results.json#L3919), 
  - [690](https://github.com/marinade-finance/ds-sam-pipeline/blob/main/auctions/690.30875/outputs/results.json#L5823), 
  - [700](https://github.com/marinade-finance/ds-sam-pipeline/blob/main/auctions/700.38124/outputs/results.json#L6649), 
  - [710](https://github.com/marinade-finance/ds-sam-pipeline/blob/main/auctions/710.156280/outputs/results.json#L4075), 
  - [720](https://github.com/marinade-finance/ds-sam-pipeline/blob/main/auctions/720.31364/outputs/results.json#L10815), 
  - [730](https://github.com/marinade-finance/ds-sam-pipeline/blob/main/auctions/730.33464/outputs/results.json#L11717). 
  - I could go on and on however that is 60 epochs worth of data where my bid was never 1 lamport and where I was staked. If I was trying to exploit this, I would have lowered my bid to 1 lamport from the beginning. This clearly shows I was not. I didn't know why I still had the stake and at times **actually lowered my bid thinking I would get unstaked, but that never happened.**
- To further the above, your post makes it seem like I didn't pay anything for the stake, but that is just completely false. Just search for `oRAnGeU5h8h2UkvbfnE5cjXnnAa4rBoaxmS4kbFymSe` in marinade's #psr-feed channel. You'll see claims going back to September. Linking one [here](https://discord.com/channels/823564092379627520/1223330302890348754/1281847611170492549).
- I haven't even had Marinade stake for nearly 1 month.

---

**What Actually Happened**

- I received stake in Marinade's first ever auction which I won by bidding. To think I knew about this vulnerability from Marinade's first ever auction is just plain false.
- I kept the stake while adjusting my bid. **I was also paying for it which I linked examples to.** I probably paid 100-200 SOL worth to the pool in this time frame.
- I've shown 60 epochs worth of data (~120 days / 4 months) and could go longer where my bid was above 1 lamport. I didn't even know about the exploit during this time. If I did, why wouldn't I have lowered my bid to 1 lamport to keep my unstake priority as high as it possibly could be?
- The reason I am number 1 in this list is because I had stake from Marinade's auction from the very beginning which I also proved.
- Being fully honest, it was clear to me I was underpaying. I didn't understand why which is proven by the fact I didn't even lower my bid to 1 lamport. However, it's not right to make it out like I was stealing from the pool. I was actively paying for stake, paying less than others, and didn't even know why. If you bought SOL at a discount, should you pay the seller back who sold it to you?

---

**The bottom line**

Marinade's program functions similarly to a matching engine. On exchanges, flash crashes happen and bad matches happen. When these happen, it's not the buyer's fault, it's the exchange's fault which is just a bug. It's good it was caught so it can be prevented.

I've shown here:

- I received stake from Marinade's first ever auction which is why I am "#1."
- I wasn't even trying to actively exploit it (but did think I was underpaying) as I consistently paid for stake and never lowered my bid to 1 lamport while having the stake.
- This is a bug in Marinade's program.

I do not think it's right to blame myself or other validators in this. It's a logic bug which could have happened to anyone. In this case, I am the "top exploiter" simply because I had stake from Marinade's auction from the beginning.

I think your efforts are great, and I'm glad that this is resolved. But I also ask that you look at all sides of it as it paints a picture that is simply just not true.

EDIT: I wasn’t sure posting as a code snippet would actually work, but it did which is good. Each claim I make, I post verifiable proof on it. I encourage everyone to look at it as it clearly shows I received stake in the first ever Marinade auction, I simply never lost it, I didn’t know about it as I actually bid for the stake in Marinade’s first auction, I actually paid for stake (although less), and I’m simply #1 because I received stake in Marinade’s first auction and had the stake the longest (when I didn’t even know this existed).

1 Like
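
An invariant check for the ordering described in the post above, as an added example that is not part of the original thread and not Marinade's code: it reports every pair of staked validators where the lower bidder was given the higher `unstakePriority`, using the post's convention that a lower value is unstaked first. Only the `unstakePriority` and `bidCpmpe` names come from the thread; the record layout, validator names and sample values are constructed, and using the bid as a stand-in for what a validator returns to the pool is an assumption.

```python
from dataclasses import dataclass, replace
from itertools import combinations


@dataclass(frozen=True)
class AuctionEntry:
    vote_account: str      # constructed placeholder name
    bid_cpmpe: float       # validator's bid (the thread's bidCpmpe)
    stake_sol: float       # pool stake currently delegated to the validator
    unstake_priority: int  # thread's convention: lower value = unstaked sooner


def priority_inversions(entries):
    """Pairs (low_bidder, high_bidder) where the lower bidder is unstaked later."""
    # Only validators that hold pool stake can benefit from a bad ordering.
    staked = sorted((e for e in entries if e.stake_sol > 0),
                    key=lambda e: (e.bid_cpmpe, e.vote_account))
    return [
        (low.vote_account, high.vote_account)
        for low, high in combinations(staked, 2)
        if low.bid_cpmpe < high.bid_cpmpe
        and low.unstake_priority > high.unstake_priority
    ]


def protected_low_bid_stake(entries):
    """Total stake held by validators on the low-bid side of any inversion."""
    protected = {low for low, _ in priority_inversions(entries)}
    return sum(e.stake_sol for e in entries if e.vote_account in protected)


def intended_priorities(entries):
    """Re-rank so the lowest bidder gets the lowest priority (unstaked first).

    Assumption: the bid stands in for what the validator returns to the pool.
    """
    ranked = sorted(entries, key=lambda e: (e.bid_cpmpe, e.vote_account))
    return [replace(e, unstake_priority=i) for i, e in enumerate(ranked, start=1)]


# Constructed sample epoch showing the inverted ordering the post describes:
# the smaller the bid, the higher the unstake priority.
SAMPLE_EPOCH = [
    AuctionEntry("val-A", 0.000000001, 100_000.0, 4),
    AuctionEntry("val-B", 0.01, 80_000.0, 3),
    AuctionEntry("val-C", 0.072, 50_000.0, 2),
    AuctionEntry("val-D", 0.75, 20_000.0, 1),
    AuctionEntry("val-E", 0.0, 0.0, 5),  # holds no pool stake, so it is ignored
]

if __name__ == "__main__":
    for low, high in priority_inversions(SAMPLE_EPOCH):
        print(f"{low} bids less than {high} but is unstaked later")
    print("stake behind inverted priorities:", protected_low_bid_stake(SAMPLE_EPOCH))
    print("after re-ranking:", priority_inversions(intended_priorities(SAMPLE_EPOCH)))
```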

Hello, Hanabi Staking.

All the data we’ve used comes directly from Marinade’s public GitHub repository.
We don’t claim our research is bulletproof — there may be some inaccuracies in calculations — but the point is not to point fingers. This is a call to action for honest validators (especially those who paid extra in the auction while others got away with free stake), for the Marinade team, for stakers, and for the Solana Foundation.

Regarding your validator:

Epoch 652 (honest epoch):

  • marinadeActivatedStakeSol: 1,325,361.20795302 SOL
  • mndeVotesSolValue: 272,255.7120319564 SOL
  • bidCpmpe: 0.072
  • MIN_effective_BID (our synthetic benchmark): 0.032
  • Bond: 143.969835 SOL

Everything looks good here — above-board. Your bid was higher than the minimum effective bid. Respect.

Epoch 653 (honest epoch):

  • marinadeActivatedStakeSol: 1,289,942.373474436 SOL
  • mndeVotesSolValue: 269,861.9162648218 SOL
  • bidCpmpe: 0.072
  • MIN_effective_BID: 0.036
  • Bond: 144.0264425 SOL

Epoch 654 (honest epoch):

  • marinadeActivatedStakeSol: 1,279,233.062946955 SOL
  • mndeVotesSolValue: 260,437.97847842556 SOL
  • bidCpmpe: 0.072
  • MIN_effective_BID: 0.041
  • Bond: 138.7164095 SOL

Epoch 655 (honest epoch):

  • marinadeActivatedStakeSol: 1,285,522.254107788 SOL
  • mndeVotesSolValue: 258,296.44667693958 SOL
  • bidCpmpe: 0.072
  • MIN_effective_BID: 0.047
  • Bond: 137.0949374 SOL

And then things get… interesting.

Epoch 656 (first cheat epoch):

  • marinadeActivatedStakeSol: 1,269,974.495241598 SOL
  • mndeVotesSolValue: 257,386.63044062708 SOL
  • bidCpmpe: 0.000000001
  • MIN_effective_BID: 0.084
  • Bond: 144.1300651 SOL

Epoch 657:

You withdrew just over 100 SOL from your bond, leaving:

  • Bond: 38.949840178 SOL
  • bidCpmpe: 0.000000001
  • marinadeActivatedStakeSol: 1,086,812.941787907 SOL

And from that point onward — from epoch 657 through 698 — you continued to receive free Marinade stake for 46 epochs straight. After that, you operated with minimal or no stake from Marinade.

Now, if the intent was to stop receiving Marinade delegation, the logical move would’ve been to fully withdraw the bond. But instead, you left 39 SOL in and dropped your bid to 0.000000001.
Even if that wasn’t intentional — a simple mistake perhaps — don’t you think that, as an honest validator and community member, you had a responsibility to report to Marinade that your bid was nearly zero, and yet you were still receiving significant delegation?

It’s hard not to interpret that behavior as, at the very least, knowingly opportunistic — possibly even malicious.
But it’s not up to us to decide — it’s up to the community, the Marinade team, and the Solana Foundation, especially given that you’re also a validator under the SFDP program.

2 Likes

Hi maxkaplan,

Thanks a lot for acknowledging our research.

Let me reiterate that our intent is not to publish some kind of public blacklist.
The purpose of this research is to highlight a systemic issue — and prompt Marinade, the broader community, and the Solana Foundation to conduct their own investigation and hold the responsible parties accountable.

We’re still finalizing the presentation of our findings and writing up the methodology so that anyone in the community can independently verify the numbers we’ve surfaced.
We’re focused on data, not judgment. We’re not trying to assess intent or motivation — just the outcome.


Regarding your validator:

We’ve observed that in most epochs your bid was below the MIN_effective_BID (our synthetic benchmark).
If that bid had stayed consistently low across all epochs — as if you had completely forgotten about Marinade and weren’t monitoring your delegation — that would be one thing.

But here’s what actually happened:

  • In epoch 766, Marinade slashed most of your stake (from 108,687 SOL down to 1,585 SOL in epoch 767),
  • And right after that — you immediately increased your bid from 0.01 to 0.75.
  • This strongly suggests that you were actively monitoring both your delegation and your bid.

Then, after Marinade restored your stake to 125,352 SOL in epoch 771,
you lowered your bid right back down to 0.01.

Is this fair behavior? That’s not for us to decide.

But whether it’s appropriate for an SFDP validator to knowingly leverage a loophole in the auction mechanism
that’s a question for the Solana Foundation to answer.

3 Likes

One crucial piece of information that you’re missing is that we had stake from both mSOL and MNDE based direction. As an honest validator, my duty is to ensure the integrity and trustworthiness of Solana to the best of my ability, that includes only running mods with known, beneficial effects, not to assist Marinade in running their business. Marinade should’ve consulted the settlement reports and adjusted their rebalancing priority, but apparently they’ve failed to do so for 46 whole epochs. I’m not sure if I should’ve told Marinade “hey please unstake from my validator because I’m not buying stake” as I’m also responsible to my business. Whether we “cheated” or not will be left to the reader - but I’m confident that we’ve played by the rules.

1 Like

For proper presentation here’s a copy of the content in the code snippet as well as the edit present in the way it’s meant to be:

======

Thanks for putting together this report. I am the founder of Orangefin Ventures (DB7DNWMVQASMFxcjkwdr4w4eg3NmfjWTk2rqFMMbrPLA) which is #1 in your list of validators “exploiting.” While I appreciate you taking the time to put this together, your data is painting a story which is just not reality. I’ll fill in the gaps.


The “exploit”

Before I get into the missing data, I want to actually talk about what the exploit was, which has recently come to light.

Marinade has a concept of an unstakePriority. This value represents a validator’s rank in terms of when they would get unstaked. A lower unstakePriority means a validator is more likely to get unstaked, and a higher unstakePriority means a validator is less likely to be unstaked.

In a rational world, a validator who is returning less to the stake pool would get unstaked first. What has recently come to light (and I didn’t even know about until 2 weeks ago), is that the logic actually worked the opposite.

The logic for unstakePriority actually worked in a way where the less a validator paid back to the pool, the less likely they were to be unstaked. This is the exact opposite of the way the pool was intentionally designed. This is covered elegantly by this GitHub issue.

So to summarize, the less a validator bid, the less likely they would be unstaked. This means that the lowest possible bid of 1 lamport was the optimal bid to keep stake.


Missing Data Points about myself and potentially other validators in the list

  • Firstly, I contributed feedback to SAM’s initial design here. This is to show I was involved in SAM from the beginning, before it was even approved by the DAO as the delegation strategy and long before it was even implemented.
  • I received stake in marinade’s first ever SAM auction. When I first initially received stake, it was actually profitable to bid. Bids continued to get higher, but I never lost stake. Instead of thinking about it like validators were exploiting it, it’s best to start from a place that’s more rational. Put yourself in my shoes for a second. You have stake which you bid for honestly (first bullet point proves that). Bids are continuing to rise. Naturally, you would think that you would get unstaked at a point in time. This never happened.
  • I ended up keeping the stake I had for something like 6+ months. My bid was never even 1 lamport which is what the people who actually knew the exploit were doing. To further back this up, this can be verified with data. I’ll just post a few samples here with round numbers:
    • 670,
    • 680,
    • 690,
    • 700,
    • 710,
    • 720,
    • 730.
      - I could go on and on however that is 60 epochs worth of data where my bid was never 1 lamport and where I was staked. If I was trying to exploit this, I would have lowered my bid to 1 lamport from the beginning. This clearly shows I was not. I didn’t know why I still had the stake and at times actually lowered my bid thinking I would get unstaked, but that never happened.
  • To further the above, your post makes it seem like I didn’t pay anything for the stake, but that is just completely false. Just search for oRAnGeU5h8h2UkvbfnE5cjXnnAa4rBoaxmS4kbFymSe in marinade’s #psr-feed channel. You’ll see claims going back to September. Linking one here.
  • I haven’t even had Marinade stake for nearly 1 month.

What Actually Happened

  • I received stake in Marinade’s first ever auction which I won by bidding. To think I knew about this vulnerability from Marinade’s first ever auction is just plain false.
  • I kept the stake while adjusting my bid. I was also paying for it which I linked examples to. I probably paid 100-200 SOL worth to the pool in this time frame.
  • I’ve shown 60 epochs worth of data (~120 days / 4 months) and could go longer where my bid was above 1 lamport. I didn’t even know about the exploit during this time. If I did, why wouldn’t I have lowered my bid to 1 lamport to keep my unstake priority as high as it possibly could be?
  • The reason I am number 1 in this list is because I had stake from Marinade’s auction from the very beginning which I also proved.
  • Being fully honest, it was clear to me I was underpaying. I didn’t understand why which is proven by the fact I didn’t even lower my bid to 1 lamport. However, it’s not right to make it out like I was stealing from the pool. I was actively paying for stake, paying less than others, and didn’t even know why. If you bought SOL at a discount, should you pay the seller back who sold it to you?

The bottom line

Marinade’s program functions similarly to a matching engine. On exchanges, flash crashes happen and bad matches happen. When these happen, it’s not the buyer’s fault, it’s the exchange’s fault which is just a bug. It’s good it was caught so it can be prevented.

I’ve shown here:

  • I received stake from Marinade’s first ever auction which is why I am “#1.”
  • I wasn’t even trying to actively exploit it (but did think I was underpaying) as I consistently paid for stake and never lowered my bid to 1 lamport while having the stake.
  • This is a bug in Marinade’s program.

I do not think it’s right to blame myself or other validators in this. It’s a logic bug which could have happened to anyone. In this case, I am the “top exploiter” simply because I had stake from Marinade’s auction from the beginning.

I think your efforts are great, and I’m glad that this is resolved. But I also ask that you look at all sides of it as it paints a picture that is simply just not true.

EDIT: I wasn’t sure posting as a code snippet would actually work, but it did which is good. Each claim I make, I post verifiable proof on it. I encourage everyone to look at it as it clearly shows I received stake in the first ever Marinade auction, I simply never lost it, I didn’t know about it as I actually bid for the stake in Marinade’s first auction, I actually paid for stake (although less), and I’m simply #1 because I received stake in Marinade’s first auction and had the stake the longest (when I didn’t even know this existed).

1 Like

Thanks for your response. While I greatly support your research, and I highly encourage you to keep going, you are starting with a conclusion and cherry picking data to fit that conclusion, which leads to confirmation bias. You should use data, but look at all of the data to let it lead you to a conclusion, not simply starting with a conclusion and cherry picking specific data points to fit that.


Regarding your points

You started this thread by insinuating that “certain validators had discovered and exploited a vulnerability in the Marinade auction system.” This is a conclusion that is only led to by the data points you are cherry picking. Additionally, that statement alone is an (accusatory) conclusion.

Please note, that I am not trying to call you out here. However, like you, I also think it is important to use data to point out what actually happened. I fully support an independent effort, but I do not support cherry picking specific pieces of data.

I will now address your points 1 by 1.

  • In epoch 766, Marinade slashed most of your stake (from 108,687 SOL down to 1,585 SOL in epoch 767),

As shown in my previous post (with data), I first got the stake in epoch 652. You did nothing to acknowledge the whopping 115 epochs I had the Marinade stake, starting from the very first epoch Marinade ever had an auction. Instead, you brought up the fact that I tried to get the stake back in epoch 767, where I had the stake for about 2-3 epochs. This is a case of extreme cherry picking, where you are focusing on 2-3 epochs, rather than 115, which I explained how it happened, again with data to back up the claims.

  • And right after that — you immediately increased your bid from 0.01 to 0.75.

Correct, I did. A few points on that:

  1. I had stake for 115 epochs where I was actively paying for it (although less).
  2. The stake didn’t even stick, and I had it for maybe 2-3 epochs.
  3. I didn’t even lower it to what would have helped me the most in this case, because I didn’t even know about the vulnerability. If I was trying to exploit it, as you are insinuating, what would have actually exploited it would have been for me to lower my bid to 1 lamport, not lowering it to 0.01 which you correctly pointed out.
  4. I increased my bid from 0.75 as you said where I paid for the stake. When I decreased my bid to 0.01, you did not even mention I lost the stake again after lowering the bid.
  5. When I did increase my bid to 0.75, the stake was paid. When I decreased my bid to 0.01, the stake was lost. This is actually how the auction is supposed to work.
  • This strongly suggests that you were actively monitoring both your delegation and your bid.

Yes, I am guilty of monitoring stake, along with every other validator in the world.

We’re focused on data, not judgment.

While I support you trying to use data, my constructive criticism for you right now is that you are not using all data available to you. I would like to offer some suggestions to you as I don’t want to pass judgement onto you either.

My suggestions are the following:

  • Start with just providing data instead of starting with a conclusion. This will lead you to avoid confirmation bias on a per validator basis.
  • Include the epoch that each validator got their stake and when they lost their stake
  • Include how much in total each validator paid to the pool.
  • Include the epoch Marinade first went live with SAM.
  • Include the actual exploit and what the ideal bid would be for each validator to pay as little to the pool as possible while maximizing their unstakePriority.

With the data points above, I think that will make your research report much more robust, and will also lead to more of an objective truth which is better for all.

2 Likes

Thank you for your reply.

Let me clarify the reasoning behind some of my responses:

  1. I deliberately selected these specific epochs as standout examples — not because they’re the only problematic ones, but because they clearly show that the situation isn’t as straightforward or “clean” as it might initially seem. The reason I focused on them is because you publicly stated that I acted fairly and did nothing wrong. I simply pointed out a scenario where that conclusion might not hold up under closer inspection.

  2. I’m not making accusations or jumping to conclusions — I’m just sharing raw numbers from my own research. If it feels like I’m calling you out, that’s not the intent. I’m only showing that some of the decisions made in these epochs could be interpreted as questionable. Whether they are or not — that’s for others to decide.

  3. I’ll clean up the dataset and format the findings properly soon, and I’ll share them with you.

  4. Just to be clear again — I’m not here to shame or accuse anyone. My goal is to provoke action — from Marinade, from the Solana Foundation, and from the broader community — action that has been missing for 126 epochs straight.

  5. Projects like Marinade have a responsibility to manage staker funds transparently and proactively. Ignoring a systemic issue for this long is not acceptable.

Some might say, “Hey, 37,000 SOL lost out of 9 million? That’s negligible.”
But I don’t see it that way.

This entire effort — this research, this messaging — is about one thing:
stop sweeping problems under the rug. Start fixing them.

Once again, thank you for actively engaging in the discussion.
I hope that together we can bring more attention to the issue — and actually get it resolved.

1 Like

Thank you for your response and continuing to engage as well. As mentioned, I support any research report meant to act in good faith, including yours.

As I hope you can understand, when certain words such as “certain validators had discovered and exploited a vulnerability in the Marinade auction system” were used, it felt a bit personal. I am glad it’s not.

I fully support the effort, and my only 2 asks, which I think are fair, are:

  1. Provide the data as is without phrases such as “discovered and exploited a vulnerability.”
  2. Provide the data points I mentioned above as well. I will even concede to you keeping #1 in if you do #2.

Thank you for pushing it forward!

1 Like

Good day, and thank you for participating in this thread.

I’ve read your message — and, to be honest, I was a bit shocked.
You’ve openly described the entire process by which you leveraged a vulnerability in Marinade’s auction system to consistently receive delegation essentially for free.

The situation as a whole looks incredibly concerning, and I can’t understand how Marinade was able to turn a blind eye to all of this.
They rejected pull requests, ignored validator feedback — and did nothing.

I’m not here to pass moral judgment on your actions or those of the Marinade team.
There are numbers, and numbers are emotionless.

So far, only 3 out of the Top 10 validators have responded — we’re still waiting to hear from the rest.

Later this evening, we’ll be publishing the full report along with the methodology used.

As promised, I’m sharing with the community all the data from our research.

I’m fully aware that, upon close inspection, you’ll likely find some flaws — both in the methodology and in the results. That’s perfectly fair. But let me be clear: correcting these issues will only increase the amount of estimated losses for Marinade and its stakers. Our goal was to present a straightforward and transparent way to estimate minimum losses. A more detailed and precise analysis, in my opinion, should be conducted by the Marinade team themselves.

Let me repeat — the purpose of this research is to draw attention from users, stakers, validators, the Marinade team, and the Solana Foundation to this issue, so that everyone can review the data and draw their own conclusions.

As you’ll see — and this may surprise some of you — one of the names in our Top 100 list of validators who caused the most damage to Marinade is Diman
(Diman2GphWLwECE3swjrAEAJniezpYLxK1edUydiDZau, ranked #76).

I trust this validator 100%. He has consistently operated with a bid of 0 since epoch 652 and never attempted to manipulate the system.
In his case, I strongly believe the fault lies with Marinade’s mechanism, not with the validator.

However, the methodology is blind to personal intentions — and we believe it would be unethical to remove entries from the list just because we “believe” they’re honest. The data speaks for itself.

And I’m fairly certain Diman isn’t the only one in this situation. There are likely more.
But identifying them properly and handling such edge cases should be the responsibility of Marinade or whoever is accountable for this system.

Someone has to take ownership of this situation.
This can’t just be swept under the rug.

I appreciate the effort you put into compiling and sharing this data.

We strongly recommend that the Marinade team and the Solana Foundation conduct their own investigation and understand which validators received stake without payment without malicious intent, and which ones, knowing this vulnerability, used it to enrich themselves, robbing stakers.

This statement in the spreadsheet also seems to reflect your own ethical judgment, which of course you’re free to make. That said, I’d like to offer my own perspective in response.

The responsibility we validators carry is quite straightforward: to deliver on our stated commission rate and to operate with near-100% uptime in order to provide the expected share of inflation rewards and MEV (and in some cases, block rewards if explicitly promised).

Even if Marinade has made promises to its users about the returns they can expect from SAM, we as validators are not accountable for fulfilling those promises. Designing a mechanism that properly collects and redistributes those returns is entirely Marinade’s responsibility.

If inefficiencies in that mechanism are preventing optimal returns—even though a better implementation could have captured more value—that still remains an issue between Marinade and its users.

In that light, framing the situation as “validators robbing stakers” is not only misplaced, but amounts to an unjustified attempt to shift blame.

Thanks for this. While I recognize that you mentioned that this is not personal in your above replies, because the first post in this thread is rather sensationalist, and reads “certain validators had discovered and exploited a vulnerability”, I’m going to respond to a few points you made as I vehemently deny the claim I exploited any vulnerability. I believe my data along with your data further backs this up.

I also want to respond to some of your points about Diman and use him as a comparison to myself, considering you think he did nothing wrong, which I also agree with.

  • You mentioned that Diman consistently kept his bid at 0 which is one of your reasons you believe he “did nothing wrong.” While I also agree that Diman did nothing wrong, for comparison purposes, you are omitting the most important detail there is. I was paying for the stake, and he was not. To assume that Diman did nothing wrong because he never lowered his bid which was already at 0, but consider my activity questionable because my bid was always above 0 but changed over time would be an outrageous claim, and a completely apples to oranges comparison. Your data clearly reflects that I was paying for stake and Diman was not. This alone explains why I lowered my bid several times, especially as network conditions changed, as well as how much I was willing to pay for the stake.
  • You mentioned that Diman got his stake in epoch 652 which was Marinade’s first auction. The same thing applies to me. I explain why this is important in my original post, which mint formatted for me.

Additionally, while I recognize that most of the data points I asked for are in the report, I ask that you also include them in the “top 100” tab, as I believe that tab currently lacks context and adding that data will only help readers understand more what actually happened.

While I understand that these comments might come across like I am coming after you, they are not. They are simply a response to the first message in the post that reads “certain validators had discovered and exploited a vulnerability” which I fully deny.

You and I both agree that we should let the data do most of the talking. Because of that, I believe all the data you posted, along with the data and points I made in this thread, fully prove everything I am saying. Thus, this will be my post on the matter unless a false claim is made against me.

Thank you again for putting it together, and I encourage you to keep pushing forward efforts across the entire community to make Solana a better place!

EDIT: Just making sure it’s fully clear I fully believe Diman did nothing wrong. I only brought him into it because OP mentioned he did nothing wrong and I was simply using him as a comparison for myself.

Hmm… this is getting interesting

First, thank you for your feedback about me. I appreciate it.

Second, I think some clarification is needed.

Here’s the sequence of events from my side.

  1. I created a bond because at that time everyone was asked to create a bond due to the transition to a new system. I wrote a tool in Rust for this, because I didn’t want to install the whole js zoo, figure out how to isolate it, or why I should put my key in there. As far as I remember, activation was required afterwards, and when I looked into the activation transactions, I realized it was just regular stake delegation to a specific withdraw authority. I didn’t continue developing the tool and activated the bond using Solana CLI.

  2. I looked at the bids made in the first auction and immediately understood that I couldn’t compete with them - or just decided to wait and see who would win and participate later. In any case, I didn’t have a ready tool in Rust to place a bid.

  3. I no longer remember whether I made the decision after the first auction or later. But either way, I decided not to participate due to high bids I couldn’t compete with. And my Rust tool for Marinade never ended up having the functionality to place bids.

So, I never actually placed any bids.

Honestly, I even have a note in my to-do list to deactivate the bond. But since those 10 SOL were taken from my self-stake, and they are effectively staked on me, the task is low-priority and I’ve never gotten around to it.

  4. Today I was surprised to find out I’m being blamed for something.

My custom service monitors the following keys:
4bZ6o3eUUNXhKuqjdCnCoPAoLgWiuLYixKaxoa8PpiKk Marinade (staker)
9eG63CdHjsfhHmobHgLtESGC8GabbmRcaSpHAZrtmhco Marinade (withdrawer)

And I haven’t had any stake from these guys in a long time.

I haven’t seen any Marinade stake on https://validators.app or similar sites over the past year.

Now I think different keys might be used for the auction stakes. But I never looked in that direction because I was sure I didn’t have any Marinade stake (btw, which keys, guys?).

And I looked at the sheet.

7300 SOL? I don’t know what bids went through in the auctions, but even assuming they were twice the native APY, for that amount to accrue, I would’ve needed about 100K SOL staked from Marinade.

Which I highly doubt.

So I have some logical questions about the numbers in that sheet.


UPD. 7300 - I looked at the “Unpaid” column, assuming it shows the amount the validator underpaid to Marinade.

Overall, as someone who hasn’t been following all of this, it’s hard for me to understand what each column means. And in general, seeing these numbers without specific epochs, events, stakes, etc. is confusing.


UPD 2. I checked my bond (which is the stake one). It has never decreased. So if I actually had stake from Marinade, the difference between the native staking APY and the auction rate should have been deducted from the bond - which didn’t happen.

I also checked the #psr-feed channel in Marinade’s Discord, where, as I understand it, a bot posts how much is staked to whom. My validator addresses have never been mentioned there either.

So I still have the same question about whether I ever actually had any stake from them.

I believe those who needed to read it have already done so, and since disclosing the details of the inefficiency might not be in the best interest of Marinade or others, I’ve decided to delete my original comment.

Thanks.

All data is taken from Marinade’s GitHub; we also have a lot of questions about this data. One of them is why the amount of stake received from Marinade does not match the amount that Marinade publishes in epochNumber/outputs/summary.md.