
Briefing

The SwissBorg SOL Earn staking program experienced a significant security incident, resulting in the loss of approximately $41 million in Solana (SOL) due to a compromised third-party API. This exploit, which began with hidden authorization instructions embedded in an unstaking transaction, allowed attackers to gain unauthorized withdrawal authority over Kiln-managed stake accounts. While less than 1% of users were affected, the incident underscores the critical systemic risk posed by external dependencies within the DeFi ecosystem. The platform has pledged to reimburse all affected users from its treasury reserves.


Context

Prior to this incident, the decentralized finance (DeFi) landscape had increasingly recognized the expanding attack surface beyond core smart contract logic, encompassing off-chain integrations, oracle dependencies, and third-party service providers. The prevailing security posture often focused heavily on smart contract audits, sometimes overlooking the cascading risks introduced by external APIs and partner infrastructure. This created a known class of vulnerability where a seemingly robust protocol could be exposed through a weak link in its operational supply chain.


Analysis

The incident’s technical mechanics involved an attacker exploiting a vulnerability in the API of Kiln, SwissBorg’s third-party staking infrastructure provider. The attack chain began on August 31st, 2025, when the exploiter embedded a hidden authorization instruction in what looked like a routine unstaking transaction. A Solana stake account carries two separate authorities: a staker, which may delegate and deactivate, and a withdrawer, which may move the lamports out and reassign either authority. The hidden instruction reassigned the withdraw authority of several SwissBorg/Kiln stake accounts to an attacker-controlled wallet while leaving the staker role untouched, so day-to-day staking operations continued to look normal. This “skeleton key” setup went undetected because Kiln’s side lacked adequate anomaly detection and multi-signature confirmation for authority changes.

On September 8th, the attacker used the authority obtained a week earlier to initiate unstaking and drain approximately 192,600 SOL from the SOL Earn program through the compromised Kiln API. The breach itself was off-chain, yet it directly altered on-chain control of the stake accounts, showing how a vulnerability in external infrastructure can bypass a protocol’s own safeguards.
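As an added example (not SwissBorg’s or Kiln’s code, and not a description of their actual signing flow), the following Python models the pre-signing check that would catch the manipulation described above: before a custodial key signs a transaction a partner API returns for an “unstake”, every instruction is decoded, anything other than a Deactivate (or a compute-budget hint) is refused, and any authority change is reported with the target key. The Stake Program address, the clock sysvar address and the bincode layout of the instruction data are real Solana values; the sample transactions, account names and attacker key are constructed placeholders.

```python
import struct
from dataclasses import dataclass

# Well-known Solana program / sysvar addresses (real values).
STAKE_PROGRAM_ID = "Stake11111111111111111111111111111111111111"
COMPUTE_BUDGET_PROGRAM_ID = "ComputeBudget111111111111111111111111111111"
CLOCK_SYSVAR_ID = "SysvarC1ock11111111111111111111111111111111"

# StakeInstruction variants, bincode-encoded as a little-endian u32
# discriminant followed by the variant payload.
STAKE_IX_NAMES = {
    0: "Initialize", 1: "Authorize", 2: "DelegateStake", 3: "Split",
    4: "Withdraw", 5: "Deactivate", 6: "SetLockup", 7: "Merge",
    8: "AuthorizeWithSeed", 9: "InitializeChecked", 10: "AuthorizeChecked",
    11: "AuthorizeCheckedWithSeed", 12: "SetLockupChecked",
}
AUTHORITY_CHANGING = {1, 8, 10, 11}       # every Authorize* variant
STAKE_AUTHORIZE_NAMES = {0: "Staker", 1: "Withdrawer"}
UNSTAKE_ALLOWED = {5}                     # an unstake request may only Deactivate


@dataclass
class Instruction:
    program_id: str      # base58 program address
    accounts: list       # account addresses in instruction order
    data: bytes          # raw instruction data


def decode_stake_instruction(ix: Instruction) -> dict:
    """Extract the discriminant and, for Authorize variants, which authority
    is being changed and to whom."""
    if len(ix.data) < 4:
        raise ValueError("stake instruction data too short")
    (disc,) = struct.unpack_from("<I", ix.data, 0)
    info = {"index": disc, "name": STAKE_IX_NAMES.get(disc, f"Unknown({disc})")}
    if disc == 1:                                    # Authorize(Pubkey, StakeAuthorize)
        if len(ix.data) < 40:
            raise ValueError("malformed Authorize payload")
        (kind,) = struct.unpack_from("<I", ix.data, 36)
        info["authority_kind"] = STAKE_AUTHORIZE_NAMES.get(kind, f"Unknown({kind})")
        info["new_authority"] = ix.data[4:36].hex()
    elif disc == 10:                                 # AuthorizeChecked(StakeAuthorize)
        if len(ix.data) < 8:
            raise ValueError("malformed AuthorizeChecked payload")
        (kind,) = struct.unpack_from("<I", ix.data, 4)
        info["authority_kind"] = STAKE_AUTHORIZE_NAMES.get(kind, f"Unknown({kind})")
        # the new authority is the fourth account and must itself sign
        info["new_authority"] = ix.accounts[3] if len(ix.accounts) > 3 else "<missing>"
    return info


def audit_transaction(instructions: list, allowed_stake_ix: set) -> list:
    """Return policy violations for a transaction a partner API asks us to sign.
    Empty list: every instruction is one this request type permits. Anything
    that changes a stake authority is always reported, whatever the request."""
    findings = []
    for i, ix in enumerate(instructions):
        if ix.program_id == COMPUTE_BUDGET_PROGRAM_ID:
            continue                                 # fee/compute hints carry no authority
        if ix.program_id != STAKE_PROGRAM_ID:
            findings.append(f"ix {i}: unexpected program {ix.program_id}")
            continue
        info = decode_stake_instruction(ix)
        if info["index"] in AUTHORITY_CHANGING:
            findings.append(
                f"ix {i}: {info['name']} reassigns {info.get('authority_kind', '?')} "
                f"authority of {ix.accounts[0]} to {info.get('new_authority', '?')}")
        elif info["index"] not in allowed_stake_ix:
            findings.append(f"ix {i}: {info['name']} is not permitted for this request")
    return findings


# ---- constructed sample transactions (placeholder addresses and key) ----
ATTACKER_KEY = bytes([0xAB]) * 32                    # constructed 32-byte public key
STAKE_ACCOUNT = "stakeAcct1"                         # placeholder address
CUSTODIAN_STAKER = "custodianStaker"                 # placeholder address
CUSTODIAN_WITHDRAWER = "custodianWithdrawer"         # placeholder address


def compute_limit_ix(units: int) -> Instruction:
    # ComputeBudgetInstruction::SetComputeUnitLimit: u8 tag 2 + u32 units
    return Instruction(COMPUTE_BUDGET_PROGRAM_ID, [], bytes([2]) + struct.pack("<I", units))


def deactivate_ix(stake_account: str, staker: str) -> Instruction:
    return Instruction(STAKE_PROGRAM_ID, [stake_account, CLOCK_SYSVAR_ID, staker],
                       struct.pack("<I", 5))


def authorize_ix(stake_account: str, current_authority: str, new_key: bytes, kind: int) -> Instruction:
    return Instruction(STAKE_PROGRAM_ID, [stake_account, CLOCK_SYSVAR_ID, current_authority],
                       struct.pack("<I", 1) + new_key + struct.pack("<I", kind))


CLEAN_UNSTAKE = [compute_limit_ix(200_000), deactivate_ix(STAKE_ACCOUNT, CUSTODIAN_STAKER)]
# The same request with a hidden Authorize(Withdrawer) appended: the shape of
# the manipulation described above.
TAMPERED_UNSTAKE = CLEAN_UNSTAKE + [authorize_ix(STAKE_ACCOUNT, CUSTODIAN_WITHDRAWER, ATTACKER_KEY, 1)]

if __name__ == "__main__":
    for name, tx in (("clean", CLEAN_UNSTAKE), ("tampered", TAMPERED_UNSTAKE)):
        print(name, audit_transaction(tx, UNSTAKE_ALLOWED) or ["OK to sign"])
```

The check is an allow-list keyed on the request type rather than a deny-list of known-bad instructions, so an unexpected program, a Withdraw, or any Authorize variant fails closed. In a real deployment the compiled message (including address-lookup-table accounts) would be decoded with a maintained SDK such as solders or @solana/web3.js rather than the hand-built layout used here, and the policy would run inside the signer, not in the service that talks to the partner API.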


Parameters

  • Protocol Targeted ∞ SwissBorg SOL Earn Program
  • Attack Vector ∞ Third-party API Compromise (Kiln)
  • Financial Impact ∞ $41 Million (192,600 SOL)
  • Blockchain Affected ∞ Solana
  • Exploit Start Date ∞ August 31, 2025
  • Exploit Execution Date ∞ September 8, 2025
  • Users Impacted ∞ Less than 1%
  • Assets Impacted ∞ 2% of total platform assets


Outlook

Immediate mitigation for platforms and their users starts with reviewing the security posture of every third-party integration and staking provider, on the understanding that an audited smart contract can still be drained through an external dependency. The incident will likely set new best practices: rigorous vetting, continuous real-time monitoring, and regular penetration testing of every integrated API and off-chain system. Protocols must adopt defense-in-depth, including anomaly detection on authority changes, simulation and instruction-level inspection of any transaction a partner hands back for signing, and multi-signature confirmation for authority changes, so that attacks that rely on a preparation window and subtle authority manipulation are caught before funds move.


Verdict

The SwissBorg exploit serves as a critical reminder that the security perimeter of DeFi protocols extends far beyond core smart contracts, demanding an equally rigorous focus on third-party API integrity and comprehensive supply chain risk management.

Signal Acquired from ∞ QuillAudits Team

Micro Crypto News Feeds

external dependencies

Definition ∞ External dependencies refer to the reliance of a system, protocol, or application on components, services, or data sources outside of its immediate control.

security posture

Definition ∞ A security posture describes the overall state of an organization's cybersecurity defenses and its readiness to counter threats.

anomaly detection

Definition ∞ Anomaly detection is the process of identifying unusual patterns or outliers in data.

infrastructure

Definition ∞ Infrastructure refers to the fundamental technological architecture and systems that support the operation and growth of blockchain networks and digital asset services.

swissborg

Definition ∞ SwissBorg is a digital asset wealth management platform that offers users a streamlined way to invest in and manage cryptocurrencies.

api compromise

Definition ∞ An API compromise occurs when an unauthorized party gains access to an Application Programming Interface.

solana

Definition ∞ Solana is a high-performance blockchain platform designed to support decentralized applications and cryptocurrencies with exceptional speed and low transaction costs.

exploit

Definition ∞ An exploit refers to the malicious utilization of a security flaw or vulnerability within a protocol, smart contract, or application to gain unauthorized access, steal assets, or disrupt operations.

users

Definition ∞ Users are individuals or entities that interact with digital assets, blockchain networks, or decentralized applications.

third-party

Definition ∞ A 'third-party' in the cryptocurrency ecosystem is an entity or individual that is not directly involved in a specific transaction or protocol interaction but plays a role in facilitating or verifying it.

supply chain

Definition ∞ A supply chain is the network of all the individuals, companies, resources, activities, and technologies involved in the creation and sale of a product, from the delivery of source materials from the supplier to the manufacturer, through to its eventual sale to the end consumer.